See the blog post published in Benson's Blog

Aaron Koenig gave a talk on the creation and use of Bitcoin, and on a payment system designed for the voting process of the Bitfilm Festival for Digital Film. Since the year 2000, the Bitfilm Festival has been showcasing films that use digital technology in a creative and innovative way. It takes place on the Internet. However, physical screenings of the films will be held in Bangalore and in Hamburg. Each of the 59 nominated digital animations has its own Bitcoin account, and users worldwide may vote by donating Bitcoins to the films they like anonymously and without any transfer costs. The donated money will be divided among the most popular films (the films with the most votes/Bitcoins).

A strong knowledgeable speaker, Aaron brought forward his tremendous knowledge of Bitcoin, Art & Economics.

The Twitter based Q&A can be viewed on the Twitter ID's of

@pranesh_prakash

@cis_india

@bensonsamuel

The Newspaper Articles where Bitfilm & Bitcoin made their news in India were

Deccan Herald - http://bit.ly/U74YsS

The Hindu - http://goo.gl/YJYni

The Bangalore Mirror - http://bit.ly/XfDRbZ

Bitcoin Resources In India

Local Exchange - LocalBitcoins.com

India Fourms -   https://bitcointalk.org/index.php?board=89.0

http://bit.ly/ZDm4jW

Blogs - bensonsamuel.com

Unocoin.com

Services - indiabitcoin.com - Official Partners of Bitpay USA in India

Meetup Group - http://www.meetup.com/Bitcoin-Bangalore-Meetup-Group/

Video

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized.  Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.

Broad offences and instances of when DNA can be collected

The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This allows the scope of the database to be expansive, as any individual who has committed an offence found under any of these Acts to be placed on the DNA database, and might include offences for which DNA evidence is not useful.

In the schedule under section C Civil disputes and other civil matters the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:

• (v) Issues relating to immigration or emigration
• (vi) Issues relating to establishment of individual identity
• (vii) Any other civil matter as may be specified by the regulations of the Board

In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes

Recommendation: Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.

Inadequate level of authorization for sharing of information

The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.

• Section 35 (1): “…shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to  the DNA profile received.”

Recommendation: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.

Inaccurate understanding of infallibility of DNA

The preamble to the Bill inaccurately states:

The Dexoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.

Recommendation: The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and that error can take place in the chain of custody of the DNA sample.

The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.

Inadequate access controls

The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.

Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.

Recommendation: Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.

Lack of standards and process for collection of DNA samples

In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.

• Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule.

• Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12.
• Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling.

Recommendation: According to the Criminal Procedure Code, section 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.

Inadequate appeal process

The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the board and the central government are defined, thus it is unclear what actions the Board or the Central Government would be able to take on complaint.

Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.

Recommendation: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc. These must be enumerated in the provisions of the Act.

Inclusion of population testing

Though the main focus of the Bill is for the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.

Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, Den Delhi-Member.

Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, or the purposes of identification research, protocol development or quality control provide that it does not contain any personally identifiable information and does not violate ethical norms.

Recommendation: Delete these provisions. If DNA testing is going to done for population analysis purposes, regulations for this must be provided for in a separate legislation, stored in separate database, informed consent taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.

Provisions delegated to regulation that need to be incorporated into text of Bill

The Bill empowers the board to formulate regulations for, and the Central Government to make Rules to, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which when enacted will only allow for DNA Labs to be certified and DNA databases to be established.  Aspects that need to be included as provisions include:

Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely

• Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.
• Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.
• Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources a manner of collection of samples in addition to the lists contained in the Schedule.
• Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.
• Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction.

Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act

• Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35
• Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37
• Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37
• Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43
• Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule.

Broad Language that needs to be specified or deleted

There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used includes:

Preamble:  There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.

• Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.
• Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act.
• Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time.
• Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.
• Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communication, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.
• Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board.
• Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed.
• Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified y the regulations made by the Board.

Recommendation: All broad and vague language should be deleted and replaced with specific language.

Jurisdiction

• Section 1(2) It extends to the whole of India.

• Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed.

The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.

Inconsistent provisions

The Bill contains provisions that are inconsistent including:

• Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto.
• Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…

Recommendation: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.

Inadequate qualifications of DNA Data Bank Manager

Section 33: “The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.”

Recommendation: This is not sufficient qualifications. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.

Lack of restrictions on labs seeking certification

According to section 16(2), before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.”
Recommendation: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.

Incomplete terms for use of DNA in courts

Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court.
Recommendation: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. Included in this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and if confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.

Inadequate privacy protections

Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.

Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, store DNA samples or DNA analyses with a view to ensure that such protections are sufficient.”

Recommendation: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.

Missing Provisions

1. Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.
2. Consent: There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decisions and order that a DNA sample be taken. In all cases that DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.
3. Right to request deletion of DNA profile from database: There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts.
4. Right of individuals to bring a private cause of action: There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database.
5. Right to review one's personal data: There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database.
6. Independence of DNA laboratories and DNA banks from the police: There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence.
7. Established profiling standard: The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling.
8. Destruction of DNA samples: There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Video

The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore.

What is the NPR?
In 2010, the Government of India initiated the NPR which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011 during April 2010 to September 2010.[1]

What is the legal grounding of the NPR?
The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is mandatory for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.

What are the objectives of the NPR?
The objectives of the NPR as stated by the Citizenship Act is for the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.[2]

What is the process of enrollment for the NPR?
NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.[2] Collected information will then be printed and displayed in the local area where it is scrutinized by local officers and vetted by local bodies called ´Gram Sabha/Ward Committees´.[4] This process of social audit is meant to bring in transparency, equity, and ensure accuracy.

What information will be collected under the NPR?
The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection biometrics has not been provided for in the text of the Citizenship Rules, and is instead appears to be authorized through guidelines,[5] which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.

What is the Resident Identity Card?
The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.[6]

What is the UID?
The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.[7]

What is the objective of the UID?
According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS).  Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.[8]

What is the process for enrollment in the UID?
To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.[9] The UIDAI will enroll up to 600 million residents in 16 States and territories.[10] Online registration prior to enrollment at a Center is also now being offered.

How is UID being adopted by different States?
The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default.  Some ways in which states are using the UID include:

• Gas and vehicles: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing a RTI request, and registering vehicles.[11]
• Education: The Kerala government has required that all students must have UID number in order to be tracked through the system.[12] This mandate was questioned by the National Commission for Protection of Child Rights.
• First Information Reports (FIR’s): The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing a FIR.[13]
• Banks: The National Payment Corporation of India has collaborated UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.[14]
• Railway: Railways are proposing to use the UID database for bookings and validation of passengers.[15]
• Social Security: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district

Has there been duplication of UID numbers?
According to news reports:

• The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.

• The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.

• The UIDAI has received two received complaints regarding duplication of UID numbers.[17]

What are the differences between the UID and NPR?

• Voluntary vs. Mandatory: It is compulsory for all Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store individuals UID number with the NPR data and place it on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means.
• Number vs. Register: UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.
• Statute vs. Bill: The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID as proposed a bill which has not been passed for the legal backing of the scheme.
• Authentication vs. Identification: The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear what circumstances the card will be required for use in.
• UIDAI vs. RGI: The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government.
• Door to door canvassing vs. center enrollment: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme.
• Prior documentation vs. census material: The UID will be based off of prior forms of documentation and identification, while the NPR will be based off of census information.
• Online vs. Offline: For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card.

What is the controversy between the UID and NPR?

• Effectiveness: There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.[18]
• Legality of sharing data: Both the legality of the UID and NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR, is beyond the scope of subordinate legislation. Especially as this appears to be left only to guidelines.[19] Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.
• Accuracy: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on  'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system has raised by Home Minister Chidambaram in January 2012 about how accurate the data collected by the UID is is that will be collected.[20] To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.
• Biometrics: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.[21]

What court cases have been filed against the UID?
The following cases are currently filed in courts around the country:

• Supreme Court:

K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme  Court challenging the legality of UIDAI.[22]

• Chandigarh: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash executive order passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989 by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.[23]
• Karnataka: Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).
• Chennai: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.[24]
• Bombay: In January 2012 a case was filed in the Mumbai high Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and  Vickram Crishna & Ors.

What is the relationship between UID, NPR, and National Security
The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.[25]

What is the relationship between UID and Big Data?
Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID  established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.[26]

How is UID being used for BPL direct cash transfers?
Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:

• The "Cash for Food" programme requires that individuals applying for aid have a bank account, and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.[27] It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction.  Most importantly, the transaction is mediated though a banking correspondent.
• The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.[28]
• Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.[29] Though these schemes have been identified, as of yet, adoption has happened in very few districts.

What are the concerns regarding the use of biometrics in the UID and NPR scheme?
Both the UID and the NPR rely on biometrics as a way to identify individuals.  Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology.  With regards to the accuracy and effectiveness of biometrics – the following concerns have been raised:

• Biometrics are not infallible: Inaccuracies can arise from variations in individuals  attributes and inaccuracies in the technology.
• Environment matters: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.
• Population size matters: Because biometrics have differing levels of stability – the larger the population is the higher the possibility for error is.
• Technology matters: The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.
• Spoofing: It is possible to spoof a fingerprint and fool a biometric reader.[30]

[1]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner.  http://bit.ly/IiySDh

[2]. This is according to a 2010 Cabinet note and the official website of the NPR.

[3]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include:  (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu & Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand  Union Territories:-(1) Dadra & Nagar Haveli (2) Chandigarh.

[4]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://bit.ly/IiySDh

[5]. Department of Information Technology. National Population Register.  Question  22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.

[6]. The Unique Identification Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html Authority of India. http://uidai.gov.in/

[7]. Unique Identification Authority of India. http://uidai.gov.in/

[8]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at: http://bit.ly/13UMiSv

[9]. For more information see: How to get an Aadhaar. http://bit.ly/R2jBOP

[10]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: http://bit.ly/ZC3Yve. Last accessed: February 28th 2013.

[11]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18^th 2013. Available at: http://bit.ly/150BXRj. Last accessed: February 28th 2013.

[12]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: http://bit.ly/15Oiq8J

[13]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: http://bit.ly/tVsInl. Last accessed: February 28th 2013.

[14]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: http://bit.ly/tJwZG1

[15]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: http://bit.ly/YcW5wl. Last accessed: February 28th 2013.

[16]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: http://bit.ly/YqPlK1. Last accessed: February 28th 2013.

[17]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers. http://bit.ly/ZORowg. Last accessed: February 28th 2013.

[18]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: http://bit.ly/16ud3gm. Last accessed: February 28th 2013

[19]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: http://bit.ly/Y638JS. Last accessed: February 28th 2013.

[20]. Ibid 17.

[21]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at http://bit.ly/UTH2JS. Last accessed: February 28th 2013.

[22]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: http://bit.ly/13UNs0i. Last accessed: February 2013.

[23]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: http://bit.ly/WJq43M. Last accessed: February 28th 2013.

[24]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: http://bit.ly/zB1H07. Last accessed: February 28th 2013.

[25]. Times of India. UID poses national security threat: BJP. January 2012. Available at: http://bit.ly/WeM6KA. Last accessed: February 28th 2013.

[26]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: http://bit.ly/T9NdX3. Last Accessed: November 12th 2012.

[27]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: http://bit.ly/1024Dwo. Last accessed: February 28th 2013.

[28]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: http://bit.ly/UYbtw4. Last accessed: February 28th 2013.

[29]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at:  http://bit.ly/Xymx9d. Last accessed: February 28th 2013.

[30]. These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: http://bit.ly/13UMiSv. Last accessed February  28th 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!

Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill[1], with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked which was created by the Department of Biotechnology. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India[2]. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.

However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns in regards to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…

DNA databases...and Justice for All?

Source: Libertas Academica on flickr

During the workshop [3]on the 2012 draft Human DNA Profiling Bill, DNA[4] was defined as a material that determines a persons´ hereditary traits, whilst DNA profiling[5] was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but to also be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board´s power. A central question in the meeting was:

Should DNA databases be created at all?

The following concerns were raised and discussed during the workshop:

●      The myth of the infallibility of DNA evidence

The Innocence Project[6], which was presented at the workshop, appears to provide an appeal towards the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments towards the necessity and utility of the creation of DNA databases in India appear to be weak, especially since DNA evidence is not infallible[7].

False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence being used. DNA data only provides probabilities of potential matches between DNA profiles and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles[8].

●      The non-criteria of DNA data collection

How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that all offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under ´any other law as may be specified by the regulations made by the Board´. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.

●      The DNA Profiling Board´s power

The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses[9].  The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.

No human rights experts

Despite the various amendments[10] to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included to the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.

Vague authorisation for communication of DNA profiles

The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies´[11]. Although the 2007 Bill [12]restricted the Boards´ authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´.[13] This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.

Protecting the public

The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´[14]. Over the last years, laws are being enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate[15]. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.

Sharing data with international agencies…and regulating DNA laboratories

In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies[16]. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.

The Board would also be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories[17]. The draft 2012 Bill ultimately gives monopolistic control to the DNA Profiling Board over all the procedures related to the handling of DNA data!

●      The DNA Data Bank Manager

According to the 2012 draft Human DNA Profiling Bill[18], it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. All such operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

The Bill also empowers the Manager to determine appropriate instances for the communication of information[19]. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide the requested data.

• DNA access restrictions

Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill [20]states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.

●      Availability of DNA profiles and DNA samples

According to the amended draft 2012 Bill[21], DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a population statistics database´. This is controversial because it remains unclear how such a database would be used.

●      Data destruction

According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.

Workshop conclusions

Source: micahb37 on flickr

The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.

During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, the Ministry of Law and Justice was recommended to pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.

A debate on the use of DNA data in civil cases versus criminal cases was largely discussed in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally-specified, raised huge concerns in the workshop as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.

However, even if separate Bills were created, who is to say that when implemented DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:

Should DNA databases be created at all?

[1] Draft DNA Profiling Bill 2007, http://dbtindia.nic.in/DNA_Bill.pdf

[2] Human DNA Profiling Bill 2012: Working draft versión – 29th April 2012,

[3] Centre for Internet and Society, Analyzing the Draft Human DNA Profiling Bill 2012, 25 February 2013, http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill

[4] Genetics Home Reference: Your Guide to Understanding Genetic Conditions, What is DNA?, http://ghr.nlm.nih.gov/handbook/basics/dna

[5] Shanna Freeman, How DNA profiling Works, http://science.howstuffworks.com/dna-profiling.htm

[6] Innocence Project, DNA exoneree case profiles, http://www.innocenceproject.org/know/

[7] Australian Law Reform Commission (ALRC), Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), ´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence

[8] Ibid.

[9] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[10] Ibid: Section 4(q)

[11] Ibid: Section 12(j)

[12] Draft DNA Profiling Bill 2007, Section 13, http://dbtindia.nic.in/DNA_Bill.pdf

[13] : Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(j), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[14] Ibid: Section 12(l)

[15] Schneier, B.(2008), Schneier on Security, ´CCTV cameras´, http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html

[16] Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(u) and 12(v), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[17] Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´

[18] Ibid: Section 33

[19] Ibid: Section 35

[20] Ibid: Section 43

[21] Ibid: Section 40

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.

Draft 2007 DNA Profiling Bill vs. Draft 2012 Human DNA Profiling Bill

1. Composition of the DNA Profiling Board

Amendment: The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.

Analysis: The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.

• DNA 2007 Bill (Section 4): “The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely:  (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice,  or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi  or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law,  Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation  or his nominee ex-officio Member;  (f) Chief Forensic Scientist, Directorate of  Forensic Science, Ministry of Home Affairs,   New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology  and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated  by Secretary, Ministry of Home Affairs,  New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of  Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science  Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for  Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular  Biology, Hyderabad ex-officio Member; (o) Representative of the Department of  Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The Chairman, National Bioethics  Committee of Department of Biotechnology,  Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence  to be nominated by Secretary, MHRD,  Government of India Member; (r) four Directors General of Police representing different regions of the country to be  nominated by MHA Members; (s) two expert Members to be nominated  by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and  Fingerprinting and Diagnostics  (CDFD), Hyderabad ex-officio Member Secretary”

• DNA April 2012 Bill (Section 4):“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member;(e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member (g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- exofficio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary”

2. Powers and functions of the Chief Executive Officer

Amendment: Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.

Analysis: The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.

• DNA 2007 Bill (Section 11):“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3)The Chief Executive Officer appointed under sub-section (1)shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”
• DNA April 2012 Bill (Section 10): “(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”

3. Functions of the Board

Amendment: The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.

Analysis: This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.

DNA 2007 Bill (Section 13(x)): The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by law enforcement agencies;”

DNA April 2012 Bill (Section 12(j)): The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”

4. Regional DNA Data Banks

Amendment: Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.

Analysis: This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.

• DNA 2007 Bill (Section 33(1)): “The Central Government shall, by a notification published in the Gazette of India, establish a National DNA Data Bank.”
• DNA April 2012 Bill (Section 32(1)): “The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.

5. Data sharing

Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended and section 32(2) of the 2012 draft Human DNA Profiling Bill includes that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.

This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.

• DNA 2007 Bill (Section 33(2)): “A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”
• DNA April 2012 Bill (Section 32(2)):“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”

6. Data retention

Amendment: Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.

Analysis: This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase their probability of being subject to bias and lack of transparency.

• DNA 2007 Bill (Section 33(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different laboratories in the format as may be specified by regulations.”
• DNA April 2012 Bill (Section 32(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”

7. Data Bank Manager

Amendment: Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out ´all operations of and concerning the National DNA Data Bank´.

Analysis: All such operations are not clearly specified and could create a potential for abuse. The DNA Data Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

• DNA 2012 Bill (Section 33):“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board.(2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board.(3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”

8. Communication of DNA profiles to foreign agencies

Amendment: The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.

Analysis: The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a ´crime investigation´, which indicates that DNA profiles could be shared with international agencies for loosely defined ´criminal investigations´ or even for civil proceedings. The lack of a strict definition to the term ´crime investigation´, as well as the broad reference to foreign states and international agencies raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.

• DNA 2007 Bill (Sections 35(2,3)): “(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”
• DNA April 2012 Bill (Section 36(1)): “On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”

9. Data destruction

Amendment: Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals´ DNA data will be kept on a ´permanent basis´, but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions under the 2007 Bill.

Analysis: This amendment indicates that Indians´ DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give ´non-convicts´ the opportunity to have their data deleted from the data bank.

• DNA 2007 Bill (Section 37): “The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”
• DNA April 2012 Bill (Section 37):“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”

10. Use of DNA profiles and DNA samples and records

Amendment: Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to ´other civil matters´ and ´other purposes´, as specified by the regulations made by the DNA Profiling Board.

Analysis: The vague use of the terms ´other civil matters´ and ´other purposes´ can create a potential for abuse, especially since the Board will not be comprised by an adequate amount of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify who can be authorised to use DNA data under such conditions, which raises further concerns.

• DNA 2007 Bill (Section 39): “(1)All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified offence: Provided that such records or samples may be used to identify victims of accidents, disasters or missing persons or for such other purposes. (2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of:  (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force;  (iv) inquest or inquiry;  (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information which may be used to determine the identity of any person.”
• DNA April 2012 Bill (Section 39): “All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”

11. Availability of DNA profiles and DNA samples

Amendment: Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been included to the equivalent 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes among others.

Analysis: ´Criminal cases´ are loosely defined and could enable the availability of DNA data on low profile cases.

• DNA 2007 Bill (Section 40):“The information on DNA profiles, samples and DNA identification records shall be made available only : (i) to law enforcement agencies for identification purposes in a criminal case; (ii) in judicial proceedings, in accordance with the rules of admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and protocol development, or for quality control provided that it does not contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”
• DNA April 2012 Bill (Section 40):“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”

12. Restriction on access to information in DNA Data Banks

Amendment: Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.

Analysis: This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.

• DNA April 2012 Bill (Section 43): “Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”

13. Board exemption from tax on wealth and income, profits and gains

Amendment: Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.

Analysis: Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.

• DNA 2007 Bill (Section 53):“(1) The DNA Profiling Board shall furnish to the Central Government at such time and in such form and manner as may be specified by rules or as the Central Government may direct, such returns and statements as the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling Board shall, within ninety days after the end of each financial year, submit to the Central Government a report in such form, as may be prescribed, giving a true and full account of its activities, policy and programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”
• DNA April 2012 Bill (Section 62):  “Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.

Combat Zones That See (CTS)

Source: swanksalot on flickr

Ten years ago DARPA started funding the Combat Zones That See (CTS) project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.

Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that 40 million surveillance cameras were already in use around the world by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. Police in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.

However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.

Mind´s Eye

Source: watchingfrogsboil on flickr

A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a thinking camera. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with ´visual intelligence´. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to predict future human activities and situations.

Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. General James Cartwright, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying operationally significant activity and predicting outcomes.

Mounting these smart cameras on drones is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?

SyNAPSE

Source: A Health Blog on flickr

The Terminator could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) programme.  Is DARPA funding the creation of the Terminator? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.

SyNAPSE is a programme which aims to develop electronic neuromorphic machine technology which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received $102.6 million in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create biological neural systems which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s cognitive computers would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.

Although this original type of computational device could be beneficial to predict natural disasters and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.

Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.

Brain-Computer Interface (BCI)

Remember Orwell's ´Thought Police´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in 1984. Unlike the ´Thought Police´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can literally read our thoughts.

Once again, DARPA appears to be funding one of the world´s most innovative projects: the Brain-Computer Interface (BCI). The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph - an EEG) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely thinking of the action.

Ten years ago it was reported that the brains of rats and monkeys could control robot arms through the use of such technologies. A few years later brainstem implants were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as to control robotic limbs with their thoughts. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally thinking about them, while using a BCI.

Brain-controlled robotic limbs could change the lives of disabled persons, but ethical concerns have arisen in regards to the BCI´s mind-reading ability.  If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain?  Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out sensitive data, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the P300 response, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to DARPA:

´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´

This constitutes the human brain as a new warfighting domain of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.

Security expert, Barnaby Jack, of IOActive demonstrated the vulnerability of biotechnological systems, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.

Will BCI be used in the future to interrogate terrorists and suspects? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our thoughts - can potentially be hacked? Human rights are essential because they protect us from those in power; but the privacy of our thoughts is even more important, because without it, we can have no human rights, no individuality.

Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals.  Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.

Apparently, anyone can buy Emotiv or Neurosky BCI online to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

“The UIDAI will own our data...When we hand over information, we hand over the ownership of that data...”, stated Usha Ramanathan, legal researcher and human rights activist.She also pointed out that, although the UID has been set up by an executive order, there is no statute which legally backs up the UID. In other words, the collection of our data through the UID scheme is currently illegal in India, hinging only on an executive order. However, Usha Ramanathan stated that if the UID scheme is going to be carried out, it is highly significant that a statute for the UID is enacted to prevent potential abuse of human rights, especially since the UIDAI is currently collecting, sharing, using and storing our data on untested grounds.

´What is alarming is that the Indian government has not even attempted to legalize the UID! When a government does not even care about legalizing its actions, then we have much bigger problems...”

The NPR is legally grounded in the provisions of the Citizenship Act 1955 and in the Citizenship Rules 2003 and it is mandatory for every usual resident in India to register with the NPR. Even though the collection of biometrics is not accounted for in the statute or rules, the NPR is currently collecting photographs, iris prints and fingerprints. Concerns regarding the use of biometrics in the UID and NPR schemes were raised during the workshop; biometrics are not infallible and can be spoofed, an individual´s biometrics can change in response to a number of factors (including age, environment and stress), the accuracy of a biometric match depends on the accuracy of the technology used and the larger the population is, the higher the probability of an error. Thus, individuals are required to re-enrol every two to three years, to ensure that the biometric data collected is accurate; but the accuracy of the data is not the only problem. The Indian government is illegally collecting biometrics and as of yet has not amended the 2003 Citizenship Rules to include the collection of biometrics! As Usha Ramanathan stated:

“It´s not really about the UID and the NPR per se...it´s more about the idea of profiling citizens and the technologies which enable this...”

In his presentation, Anant Maringanti, from the Hyderabad Urban Labs and Right to the City Foundation, stated that even though seventy seven lakh duplicates have been found, no action has been taken, other than discarding one of them. Despite the fact that enrolment with the UID is considered to be voluntary, children in India are forced to get a unique identification number as a prerequisite of going to school. Anant emphasized that the UID scheme supposedly provides some form of identity to the poor and marginalised groups in India, but it actually targets some of the most vulnerable groups of people, such as HIV patients and sex workers. Furthermore, though Indians living below the poverty line (BPL) are eligible for direct cash transfer programmes, apparently registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BLP category. This is problematic as individuals who have not enrolled in the UID or do not want to enroll in the UID could risk being denied benefits because they did not enroll and thus were not classified in the BPL category. Anant also pointed out that, linking biometric data to a bank account through the UID scheme is basically exposing personal data to fraud. Anant Maringanti characteristically stated:

“I wish the 100 people applying the UID scheme had UIDs so that we could track them...!”

Following the end of the workshop on the UID and NPR schemes, CIS interviewed Usha Ramanathan and Anant Maringanti:

The workshop can be viewed in two parts:

Indeed, where there are significant departures from prior language, they tend to raise additional privacy and human rights concerns.  Overall the current version of the Bill is littered with significant and striking human rights and privacy concerns and, if passed in its current form, would place India far outside the mainstream of both law and policy in this area.  Beyond the privacy and human rights concerns that are addressed in this analysis of the Bill, the breadth of the structural and financial costs of enacting the Bill in its current form should also be seriously considered as they would most certainly be staggeringly high.

Bill Analysis

Introduction

The introduction of the Bill sets out the broad policy objectives of its drafters. The most telling portion in paragraph 1 states: “[DNA analysis] makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any doubt.”   (emphasis added).  It is evident that the policy animating the Bill presupposes the objective infallibility of genetic analysis. This patent mistruth underpins the policy rationale for the Bill, and as such casts a long shadow over its substantive provisions. At the very least, it tells the reader (and perhaps one day the court) to broadly interpret the Bill’s language to favor DNA analysis as the privileged solution to investigational and prosecutorial needs. This provision, and indeed the bill as a whole, ignores the occurrence of false matches, cross-contamination, laboratory error and other limitations of forensic DNA analysis.

The introduction goes on to state, truthfully, that “DNA analysis offers sensitive information which, if misused can cause harm to person or society.”  However this statement does not acknowledge that DNA analysis often causes more harm when used as intended as part of  unnecessarily expansive powers given to law enforcement authorities. Indeed this is further illustrated by language showing the legislative intent to draft a broad based bill that would govern the use of DNA in a variety of civil and criminal proceedings as well as for purposes to be determined at a later point.

Definitions (Chapter II)

A number of the Bill’s definitions are overbroad, further expanding the scope of its later provisions. The “crime scene index” is defined to include “DNA profiles from forensic material found . . . on or within the body of any person, on anything, or at any place, associated with the commission of a specified offence.” Chapter II(2)(iv). A “specified offence” is defined as any   “offence listed in Part 1of the Schedule [to the Bill].” Part 1 of the “Schedule,” on page 56 of the Bill , includes in (A) “Offences under Indian Penal Code”  without any specification.  In the 2007 version of the bill, the language related to criminal offences was incredibly expansive but specified the various crimes covered inc. rape,“offences relating to dowry,” defamation, and “unnatural offenses.” (See 2007 Bill Schedule p. 34). The current Bill version dispenses with such identified crimes and seemingly expands the Schedule to create an “all crimes” database.  The new Bill (Section B) further adds a variety of additional offences under special laws ranging from the Medical Termination of Pregnancy Act to the Motor Vehicles Act and empowers the Board to add any new law it wants to the Schedule. Section C of the Schedule identifies a wide variety of civil matters to be included in the Schedule including disputes related to paternity, pedigree, and organ transplantation.  In adds additional civil categories not contemplated by prior versions of the Bill including issues related to assisted reproductive technologies, issues related to immigration/emigration and similar to Section B of the Schedule and in another significant departure from previous Bill versions, empowers the Board to include any other civil matter it chooses in the future.  The Crime Scene Index also defines victim expansively to include a person “reasonably suspected of being a victim” (Section 2 ii).  Taken together, the government is empowered to conduct genetic testing on almost anyone in any way connected with even minor infractions of the criminal law or involved in virtually any civil proceeding.

The definition of “offender” (Section 2y) is not limited to one with a criminal conviction but includes anyone even charged with an offense, thereby expanding coverage of the criminal provisions of the Bill to include individuals who have not yet been convicted of any crime.

The crucial term “suspect” (Section 2zi) is defined as anyone “suspected of having committed an offence.” By intentionally leaving out the qualifier “specified,” the drafters’ intent is plain: to sweep within the Bill’s breadth all persons suspected of any crime whatsoever even if there is insufficient probable cause for arrest. And, accordingly, the Bill defines the “suspects index” to include “DNA profiles derived from forensic material lawfully taken from suspects.”

Furthermore the definitions include a category of persons entitled “volunteers,” (Section 2 zo) defined as “a person who volunteers to undergo a DNA procedure and, in case of a child or incapable person, his parent or guardian having agreed…” There is no additional clarification as to how this category might be treated in practice but without any clear provisions for informed consent, it is highly unlikely that such participation will be truly voluntary; especially without provisions for decision making subsequent to offering the sample such as future expungement from the system.

Taken together the definitions of victim, offender and suspect expand the reach of this Bill to a broad range of potentially innocent individuals involved in the criminal justice system, while the Schedule and definition of “volunteers” sweep a broad range of categories of innocent citizens into the purview of this Bill- including children and the mentally incapacitated-having nothing to do with the criminal justice system.  There is simply no corollary in any other country to such expansive authority. The Bill places India far outside the mainstream of policy in this area and raises serious and far ranging human rights concerns

DNA Profiling Board (Chapter III)

The DNA Profiling Board (hereinafter “Board”) is responsible for administering and overseeing the Indian DNA database . Oversight is an important and valuable concept, however the value of such principles in this Bill are completely overshadowed by the expansive powers given to the Board.

The Bill lays out a number of fields from which the members are to be chosen inc. molecular biology, population biology, criminal justice and bioethics.  There is no representation from civil society human rights organizations or the criminal defense bar to ensure that privacy, human rights and the general public interest are ensured.  Furthermore the Chief Executive Office of the Board is to be a scientist and therefore unlikely to be familiar with criminal justice matters and evaluations of their efficacy. (Chapter III, Section 10)

The Board is given an almost limitless list of responsibilities including “recommendations for maximizing the use of DNA techniques and technologies (Section 10k) and identifying scientific advances that may assist law enforcement (Section 10L). Such powers are particularly concerning because the Bill does not include any privacy provisions whatsoever but rather  invests in the Board the power to make “recommendations for privacy protection laws, regulations and practices relating to access to, or use of stored DNA samples or DNA analyses,” as well as “mak[ing] specific recommendations to . . . ensure the appropriate use and dissemination of DNA information [and] take any other necessary steps required to be taken to protect privacy.” (Section 10o and p). Furthermore the Board is given the responsibility of “deliberating and advising on all ethical and human rights issues emanating out of DNA profiling.” (Section 10t).

These provisions are in lieu of any substantive language limiting the scope of the legislation, and protecting privacy and human rights principles (which the bill otherwise lacks.) These are significant omissions. As expressed in the introduction, the stated purpose of the Bill is “to enhance protection of people in the society and [the] administration of justice.” Taken alone, this Bill actually expresses only the government’s interest in the legislation, suggesting an ambiguously wide scope for its provisions. Substantive concepts of individual privacy and human rights are required to counterbalance the interests of the government and provide protections for the equally vital privacy and human rights interests of the individual. As such,  limiting privacy and human rights principles should be included alongside the expression of the government’s security interest. Without it, the Board will effectively have carte blanche with regard to what privacy and human rights protections are—or are not—adopted.

Also in a departure from previous versions of this Bill, this Bill expands the Boards powers to include areas of policy beyond the coverage of the Bill’s other provisions including “intellectual property issues. (Section 10i)

Finally, as noted earlier in the discussion of the Schedule (and in a significant departure from previous versions of the Bill), the Board is given total control to expand every category of person to be included under the Bill. In a democratic system of government, such decisions should rest exclusively with the Parliament and therefore be subject to the checks and balances of government as well as the transparency necessary to ensure public participation.  Leaving such decision making to an unelected body raises serious human rights concerns.

Approval of Laboratories (Chapter IV)

Sections 13 to 17 provide for the approval by the DNA Profiling Board of DNA laboratories that will process and analyze genetic material for eventual inclusion on the DNA database. Under Section 13, all laboratories must be approved in writing prior to processing or analyzing any genetic material. However, a conflicting provision appears in the next section, Section 14(2), which permits DNA laboratories in existence at the time the legislation is enacted to process or analyze DNA samples immediately, without first obtaining approval.

Either an oversight on the part of the drafters, or the product of overly-vague language, the result is that established genetic laboratories—including whatever genetic material or profiles they may already have for whatever reason—are in effect “grandfathered” into the system. The only review of these laboratories is the post hoc approval of the laboratory by the DNA profiling board. The potential for abuse and error that this conflict of provisions would be best addressed in keeping with the rule articulated in Section 13, i.e. correcting the language of Section 14(2) that allows for laboratories to be “grandfathered” into the system.

Standards, Obligations of DNA Laboratory (Chapter V)

Chapter V, which concerns the obligations of and the standards to be observed by approved DNA laboratories, lacks adequate administrative requirements. For example, Section 21 requires that labs ensure “adequate security” to minimize contamination without providing for accountability in the event of contamination. Similarly, Section 27 provides for audits of DNA laboratories only, withholding from similar scrutiny of the DNA Profiling Board itself. However, the greatest limitation of every Section of this Chapter is that rather than offering any specific substantive requirements, they instead offer categories requiring attention “as may be specified “ by the DNA Board.  Any actual standard or obligation by a laboratory is set entirely by the DNA Board.  Minimum standards must be set by law to ensure compliance.

Infrastructure and Training (Chapter VI)

Similar to Chapter V, this section offers no legislative benchmarks but rather categories of activities, with further regulation “as may be specified” by the Board.  As noted earlier, there are serious concerns in using DNA analysis with regards to false matches, cross-contamination and laboratory error.  Not taking such concerns seriously, and taking serious steps to minimize their occurrence, can lead to significant distrust of government and police authority when such incidents occur.

DNA Databank (Chapter VII)

In addition on one national DNA database, the Bill sanctions the several Indian states to maintain their own DNA databases, provided these state-level databases forward copies of their content to the national database. Section 32(3). Section 32(5) states that the indices should include records related thereto” the DNA analysis. (See also Section 35(b)) Such  provisions allow for access to “the information” contained in the database, not simply “the DNA profiles” contained in the database. Without further clarification it would appear to authorize an unlimited amount of private information unrelated to identification to be included in the indices.

The national database is envisioned to comprise several sub-databases (Section 32(4)), each to contain the genetic information of a subset of persons/samples, namely: (a) unidentified crime scene samples, (b) samples taken from suspects, (c) samples taken from offenders inc. persons convicted or currently subject to prosecution for criminal offenses   (d) samples associated with missing persons, (e) samples taken from unidentified bodies, (f) samples taken from “volunteers,” and finally (g) samples taken for reasons “as may be specified by regulations made by the Board. Section 33 (4) et seq. Putting to one side the breadth of persons subject to inclusion under subcategories (1) through (6), subsection (7) appears on its face to be a “catch all” provision, leaving one only to guess at the circumstances under which its specificities may be promulgated.

A close reading of Section 32(6) strongly suggests that the agency conducting the forensic analyses and populating the DNA database shall retain the actual DNA samples thereafter. This section reads in relevant part:

The “DNA Data Bank shall contain . . . the following information, namely: (a) in case of a profile in the offenders index, the identity of the person from whose body substance or body substances the profile was derived, and (b) in case of all other profiles, the case reference number of the investigation associated with the body substance or body substances from which the profile was derived.

Allowing retention of the biological sample, even after a profile has been created from it, in conjunction with the unlimited ability of the Board to create regulations for additional uses of that sample raises serious privacy and human rights concerns.

Moreover, rather than choosing to link the DNA profile data to a specific offender or case, the drafters of the Bill instead link the “body substance or body substances” with that specific offender or case. Whether sloppy drafting or clever nuance, this provision equates the DNA profile with the DNA sample, injecting unneeded—and potentially harmful—ambiguity into the proposed law.

Section 37 (1) allows for indefinite retention of information in the offenders index (which includes individuals charged with an offense but not convicted).  This provision raises serious human rights concerns as it would appear to allow indefinite retention of profiles of individuals who have not been convicted of a crime.  This directly conflicts with Section 37 (II) which  allows for expungement when a certified copy of a court order stating that the individual in question has been acquitted.  This provision also appears to conflict with Chapter VIII Section 43(b) which appears to allow indefinite retention of DNA of suspects even after they’ve been excluded from an investigation. Indeed no process or procedures for expungement and removal of records are in place for suspects generally who are never charged or for any of the other categories of indices that are present in the Bill, thereby raising serious question as to how and even whether such profiles can be removed from the Databank.

Confidentiality, Access to DNA Profiles, Samples, and Records (Chapter VIII)

Two further provisions regarding access to the database warrant close scrutiny. First, Sections 39 and 40 confers upon the Board the unlimited power to expand categories for which DNA profiles, samples and records can be used. Considering that the Bill (Section 40(e)) already questionably allows such records to be used for population research, these provisions raise serious questions as to the classes of potential use such private information might be subject.
Sections 40-42  purport to confer upon the police and other authorized individuals direct access to all of the information contained in the national DNA database. While administratively expedient, this arrangement opens up the possibility for misuse. A more prudent system would place the Board (or some administrative subordinate portion thereof) between the police and the content of the DNA database, with the latter having to make specific and particular requests to the former. This would minimize the risks inherent in the more expansive model of database access the bill currently envisions.

Section 45 related to post-conviction DNA testing has the laudable goal of offering “any individual undergoing a sentence of imprisonment or death pursuant to conviction for an offence, may apply to the court which convicted him for an order of DNA testing” in order to prove their innocence.   However such an application lists eleven separate criteria that such an applicant must meet before qualifying, and allows a court total discretion in deciding whether all such criteria have been met.  High barriers and absolute discretion make such testing highly unlikely and therefore make a provision seeming to offer human rights protections completely hollow.

Offences and Penalties (Chapter X)

This chapter lays out penalties for misuse of the Database. Most notably, the bill specifically excludes a private cause of action for the unlawful collection of DNA, or for the unlawful storage of private information on the national DNA database. A new provision in Section 58 does allow for an aggrieved person to petition the Central Government or Board if an instance of misuse is not being addressed but such provision does not contain any required processes such entities must follow in responding to such a petition, making an otherwise positive new provision relatively empty.  Nor does the bill grant an individual right to review one’s personal data contained on the database. Without these key features, there are limited checks against the unlawful collection, analysis, and storage of private genetic information on the database.

Best Practices Analysis

Collection of DNA

Analysis of DNA

Storage of DNA and Linked Data

Uses of Samples and Data

Destruction of DNA and Linked Data

Use in court

Other

Click for more information on the Council for Responsible Genetics.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Privacy (Protection) Bill 2013 contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of a possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.

Click to download a full draft of the Privacy (Protection) Bill, 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have already adopted measures to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, privacy concerns have arisen as it remains unclear how data collected will be used.

Red light cameras

Last week, the Chennai police announced that it plans to install traffic enforcement cameras, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since early 2008 and a study indicates that they have reduced the traffic violation rates. A 2003 report by the National Cooperative Highway Research Programme (NCHRP) examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.

However, how are traffic violation rates even measured? According to Barbara Langland Orban, an associate professor of health policy and management at the University of South Florida:

“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”

Last year,  the Bombay state government informed the High Court that the 100 CCTV cameras installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s due-process rights?

RFID tags and Black Boxes

A communication revolution is upon us, as Maharashtra state transport department is currently including radio frequency identification (RFID) tags on each and every number plate of vehicles. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the 2001 amendment of Rule 50 of the Central Motor Vehicles Rules, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.

RFID technology has also been launched at Maharashtra´s state border check-posts. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.

By 31 March 2014, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to Dr. Joshi, the Union Minister for Road Transport and Highways:

“The RFID technology shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”

Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it uniquely identifies each vehicle, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.

The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an Event Data Recorder (EDR), otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.

Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it mandatory for cars to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.

Are monitored cars safer?

The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a 2005 Federal Highway Administration study, although it shows a decrease in  front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other studies of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.

Furthermore, there have been claims that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.

Companies which manufacture vehicle tracking systems are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?

And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope, but us. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored, we are all suspects and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.

Maneuvering our monitoring

Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.

Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as increasing the duration of the yellow light between the green and the red, re-timing lights so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.

Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:

Should we be monitored at all?

Click to read the Parliamentary Standing Committee Report on the IT Rules. A modified version was published in CiOL on March 27, 2013.

These rules have been noted by many, including CIS, Software Freedom Law Centre, and Society for Knowledge Commons, and many eminent lawyers, as being unconstitutional. The Standing Committee, noting this, has asked the government to make changes to the Rules to ensure that the fundamental rights to freedom of speech and privacy are safeguarded, and that the principles of natural justice are respected when a person’s  freedom of speech or privacy are curtailed.

Ambiguous and Over-reaching Language

The Standing Committee has noted the inherent ambiguity of words like "blasphemy", "disparaging", etc., which are used in the Intermediary Guidelines Rules, and has pointed out that unclear language can lead to harassment of people as has happened with Section 66A of the IT Act, and can lead to legitimate speech being removed.  Importantly, the Standing Committee recognizes that many categories of speech prohibited by the Intermediary Guidelines Rules are not prohibited by any statute, and hence cannot be prohibited by the government through these Rules.  Accordingly, the Standing Committee has asked the government to ensure "no new category of crimes or  offences is created" by these Rules.

Government Confused Whether Rules Are Mandatory or Advisory

The Standing Committee further notes that there is a discrepancy in the government’s stand that the Intermediary Guidelines Rules are not mandatory, and are only "of advisory nature and self-regulation", and that "it is not mandatory for the Intermediary to disable the information, the rule does not lead to any kind of censorship". The Standing Committee points out the flaw in this, and notes that the language used in the rules is mandatory language (“shall act” within 36 hours). Thus, it rightly notes that there is a "need for clarity on the aforesaid contradiction".  Further, it also notes that there is "there should be safeguards to protect against any abuse", since this is a form of private censorship by intermediaries."

Evidence Needed Against Foreign Websites

The government has told the Standing Committee that "foreign websites repeatedly refused to honour our laws", however, it has not provided any proof for this assertion.  The government should make public all evidence that foreign web services are refusing to honour Indian laws, and should encourage a public debate on how we should tackle this problem in light of the global nature of the Internet.

Cyber Cafes Rules Violate Citizens’ Privacy

The Standing Committee also pointed out that the Cyber Cafe Rules violated citizens’ right to privacy in requiring that "screens  of the computers installed other than in partitions and  cubicles should face open space of the cyber café".  Unfortunately, the Standing Committee did not consider the privacy argument against retention of extensive and intrusive logs. Under the Cyber Cafe Rules, cyber cafes are required to retain (for a minimum of one year) extensive logs, including that of "history of websites accessed using computer resource at cyber café" in such a manner that each website accessed can be linked to a person. The Committee only considered the argument that this would impose financial burdens on small cybercafes, and rejected that argument.  CIS wishes the Committee had examined the provision on log maintenance on grounds of privacy as well."

Government’s Half-Truths

In one response, the government notes that "rules under Section 79 in particular have undergone scrutiny by High Courts in the country. Based on the Rules, the courts have given reliefs to a number of individuals and organizations in the country. No provision of the Rules notified under Sections 43A and 79 of the IT  Act, 2000 have been held ultra vires."

What the government says is a half-truth.  So far, courts have not struck down any of the IT Rules. But that is because none of the High Court cases in which the vires of the Rules have been challenged has concluded. So it is disingenuous of the government to claim that the Rule have "undergone scrutiny by High Courts".  And in those cases where relief has been granted under the Intermediary Guidelines, the cases have been ex-parte or have been cases where the vires of the Rules have not been challenged.  The government, if it wants to defend the Rules, should point out to any case in which the vires of the Rules have been upheld.  Not a single court till date has declared the Rules to be constitutional when that question was before it.

Lack of Representation of Stakeholders in Policy Formulation

Lastly, the Standing Committee noted that it is not clear whether the Cyber Regulatory Advisory Committee (CRAC), which is responsible for policy guidance on the IT Act, has "members representing the interests of  principally affected or having special knowledge of the  subject matter as expressly stipulated in Section 88(2) of the  IT Act".  This is a problem that we at CIS also noted in November 2012, when the CRAC was reconstituted after having been defunct for more than a decade.

CIS hopes that the government finally takes note of the view of legal experts, the Standing Committee on Delegated Legislation, the Parliamentary motion against the Rules, and numerous articles and editorials in the press, and withdraws the Intermediary Guidelines Rules and the Cyber Cafe Rules, and instead replaces them with rules that do not infringe our constitutional rights.

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities. It was among the organizations that submitted evidence to the Standing Committee on Subordinate Legislation on the IT Rules.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft´s newly released 2012 Law Enforcement Requests Report depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.

As of 30 June 2012, 137 million Indians are regular Internet users, many of which use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency in regards to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft´s general counsel, wrote in his blog post:

“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”

Microsoft 2012 Law Enforcement Requests

Democratic countries requested the most data during 2012, according to Microsoft´s report. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70, 665 requests Microsoft (excluding Skype) received last year. Although India did not join the rank of the countries which made the fewest requests from Microsoft, it did not join the top-five league which accounted for the most requests, despite the country having one of the world´s highest number of Internet users.

Out of the 70,665 requests to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122, 015 accounts and user data that was requested by law enforcement agencies around the world.

Content data is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. Non-content data, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft´s 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only 2.2 percent of requests from law enforcement agencies around the world resulted in the disclosure of content data, 99 percent of which were in response to warrants from courts in the United States. Microsoft may have not disclosed any of our content data, but 370 requests from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.

Out of the 418 requests made to Microsoft by Indian law enforcement agencies, only 4 were rejected (1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:

Skype 2012 Law Enforcement Requests

Microsoft acquired Skype towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the Microsoft 2012 report, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.

The report appears to be extremely reassuring, as it states that Skype did not disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, that all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did disclose non-content data, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.

Microsoft reported that data was not found for 47 of India´s law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the amount of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:

The Centre for Internet and Society (CIS) supports the publication of Microsoft´s 2012 Law Enforcement Requests Report and encourages Microsoft (including Skype) to continue releasing such reports which can provide an insight on how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the amount of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the amount of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency and further, more detailed reports are strongly encouraged.

Click to read more about the Trademark Clearing House.

As a non-profit organization, established in agreement with the US Department of Commerce in 1998, the current arrangement of ICANN has come under serious questions in recent years, with the United Nations wanting the ITU to oversee Internet Governance while Europe seeking more public participation in the decision making process that currently comprises a majority of private stakeholders as ICANN board members with vested interests. In this post we shall look at a few instances that give room for thought about the regulatory powers and methods adopted by ICANN as well as reparatory measures taken to reaffirm it’s image as an able governing body amidst disputes over trademarks and fair competition that might actually call for a wider and objective inclusion in future. An outline of functional and structural arrangements of ICANN maybe found at the CIS Knowledge Repository page.

The Business Model

Earlier this month, (March 15, 2013) was the 28^th birthday of symbolics.com, the first ever domain name registered in 1985 through the formal ICANN process. (nordu.net being the first domain name created by the registry on January 1, 1985 for the first root server, nic.nordu.net) Symbolics, that spun-off the MIT AI Lab and specialized in building workstations running LISP finally sold the domain for an undisclosed amount to XY.com, an Internet investment firm that has been proudly boasting about their acquired relic for over three years now. The golden days of fancy one word domain name resale at exorbitant prices are over, as Google’s page ranking crawler now really looks at unique content and backlinks. Nevertheless, those with the same archaic view of a real estate agent still believe that a good domain name does have a high ROI and have managed to find naïve takers who will offer ridiculous amounts. One of many such examples is the plain looking www.business.com that was bought initially for $1,50,000 and changed hands twice from $7.5 million to an absurd $345 million of R.H. Donnelley Inc., that soon filed for bankruptcy!

The top level domain market however, is consistently lucrative. A TLD registry on an average receives $5 - $7 per domain registered under it. So the .COM registry run by VeriSign which, as of 2013 has over a 100 million registered domains, receives a revenue of $500 to $700 million per year of which a fraction is paid to ICANN periodically on a per-registration or per-renewal basis. Competing registrars and registries across TLDs, their revenue generation practices as well as the application process for new TLDs gradually began to be regulated by ICANN in mysterious ways, as we will see in the following legal case studies.

VeriSign vs. ICANN

VeriSign began to operate the .COM and .NET TLD after taking over Network Solutions Inc. and entering into a contractual agreement with ICANN in 2001. Let’s take a look at some methods used by VeriSign to garner internet traffic and registrant revenue, that were clamped down by the ICANN, which resulted in a lawsuit by plaintiff VeriSign claiming prevention of fair competition and revenue by impeding innovation.

Clamping of Site Finder & WLS: In September 2003, VeriSign introduced a Wild Card DNS Service called Site Finder for all .com and .net domains. This meant that any user trying to access a non-existent domain name no longer received the 404 Error but were instead redirected to the VeriSign website with adverts and links to affiliate registrars. Often a result of a misspelled domain, in ICANN’s view, the redirection by VeriSign amounted to typo squatting internet users as within a month VeriSign’s traffic rose dramatically moving it to the top 20 most visited websites on the web. As seen below in this archived image of Alexa’s 2003 traffic statistic (Courtesy: cyber.law.harvard.edu).

Shortly, in October 2003, ICANN issued a suspension ultimatum pointing Site Finder in violation of the 2001 .Com agreement. This was not the first time ICANN clamped down on VeriSign’s ‘profiteering’ methods. In 2001, ICANN prevented VeriSign’s WLS (Wait Listing Service) that allowed a registrant (through selected participating affiliate registrars of VeriSign) to apply to register an already registered domain in the event that the registration is deleted – a nifty scheme considering the fact that about 25000 domains are deleted everyday!

Remarks and Submissions

The long drawn case of VeriSign Vs. ICANN ended on a reconciliatory note, with ICANN bringing the Site Finder service to a halt at the cost of VeriSign walking away happier with a free 5 year extension on the .COM domain (2007 extended to 2012).

While the ingenious Site Finder service did pose a huge problem to spam filters, both the WLS and yet another service that VeriSign launched to allow registration of non-English language SLDs were also met with a cringe by ICANN.

However looking closer, one may realize that the act of ICANN permitting a DNS root redirect service such as Site Finder for all TLD operators (with an acceptable template that also carried information about the 404 error besides other marketing options) meant the first step towards paving the way towards a plausible scenario of multiple competing DNS roots across TLDs being able to interact with each other  — a system often argued by network theorists to be the most efficient and competitive model that would reduce the disjoint between the demand and supply of TLDs in a decentralized infrastructure, and that definitely was not in the best interest of ICANN’s monopolistic plan. Hence, this could be seen as a move by ICANN to nip the Site Finder bud while still young.

Finally, as brought to public notice in more than one instance (name.Space Vs. ICANN, IOD Vs. ICANN), the vested interests of ICANN board members has come under glaring light. Can the ICANN leadership consisting of members from the very same domain name business industry be able to objectively deal with competing registry services and legal issues? Conspicuous targets have been chairperson Steve Crocker who owns a consulting firm Shinkuro, whose subtle investor is infact AFILIAS INC which runs the .INFO and .MOBI TLDs, provides backend services to numerous TLDs (.ORG, .ASIA, .AERO (aviation)), has applied for a further 31 new TLDs and has it’s CTO Ram Mohan on the Board of Directors of ICANN. Also ICANN Vice Chariman, Bruce Tonkin is Senior Executive at Australia’s largest domain name provider Melbourne IT, and Peter Thrush former chairman of the ICANN Board of Directors is Executive Chairman of Top Level Domain Holdings,Inc which filed 92 gTLD applications in 2012.

Trademark Protection and Domain Names

Image Online Design (IOD) is a company that since 1996 has been providing Internet registry services using the trademark .WEB (trademark #3,177,334 including computer accessories) registered with the US Patents and Trademarks Office (USPTO).

It’s registry services however, were not through the primary DNS root server maintained by ICANN, but through an alternate DNS root that required prospective users to manually make changes in their browser settings in order to resolve .WEB domains registered through IOD. Despite not running the primary DNS root server for. WEB, by the year 2000 IOD had acquired about 20,000 registered .WEB customers.

The beacon of ‘hope’ arrived upon IOD in mid-2000 as ICANN (on advise of supporting organization GNSO) opened a call for proposals for registrations of new TLDs, with a non-refundable deposit of $50,000 for an application to be considered. By then the importance of the .WEB TLD for e-commerce was well known amongst ICANN board members with Louis Touton lobbying for his preferred applicant AFILIAS INC to be given the .WEB TLD, with others raising concerns about IOD’s preregistration of .WEB domains. One of the founding fathers of the internet, Vinton Cerf, the then Chairman of ICANN took a benevolent stance-- "I'm still interested in IOD," he repeated over Touton's objections. "They've worked with .WEB for some time. To assign that to someone else given that they're actually functioning makes me uneasy," he said, prompting board member Linda Wilson to chime in, "I agree with Vint." (http://goo.gl/d1v6X , http://goo.gl/eV9Jd).

Finally amidst all the contention, no one was offered the .WEB domain and ICANN announced that all applications not selected will remain pending and those who submitted will have the option of being re-considered when additional TLD selections are made in future. And the future being, 2012, when ICANN invited a new round of TLD applicants, this time with the non-refundable deposit of whopping $185,000 for a single application (1 TLD/application as opposed to the $50,000 in the year 2000 that allowed multiple TLD requests within the same application) to be considered. While 7 new applicants for the .WEB TLD registered their interest, IOD considered their application to be still pending and did not join the new pool that included AFILIAS INC. and GOOGLE.

The litigation of IOD Vs ICANN ended in Feb 2013, with IOD claiming weak causes of action under “Trademark Infringement” and “Breach of Contract” &“Fair Dealing” hinging on the fact that the initial $50,000 application was still pending and never was officially rejected by ICANN. Further, there was not enough room to make a valid trademark infringement, as there was no substantial room for consumer confusion in the .WEB case.

Remarks and Submissions

The IOD Vs. ICANN case not only increased concerns globally, over the uncertainty associated with the ICANN application process for generic TLDs along with questions regarding the objectivity of its board members, but at the same time has alerted ICANN to take the necessary big sister steps to ensure that it’s well in the game.

The fact of the matter is that the USPTO does not provide trademark protection services for the Top level Domain industry citing the reason that TLDs trademarks do not provide a distinct service mark that can identify or differentiate the service of an applicant from others, and further cannot be used to ascertain the source of an applicant’s services.  This view is flawed, as by looking at a TLD, say BBC.com, an informed person can easily say that VeriSign INC manages the service of directing a user to a correct location on the .COM registry. With introduction of new gTLDs, perhaps BBC would shift it’s content to BBC.news, where the source may be an abstracted Registrar and the nature of service being quite evident. And to those registered trademarks, especially those that shall result in substantial brand confusion to the customer if infringed, granting a TLD like .ibm or .bbc may well be granted to the owner of the trademark who may then outsource registry services to a service provider. This shall invert the current model by relegating the role of a TLD registry holder to that of a contracted service provider.

So the question is, should have the US Department of Commerce, who contracted ICANN in the first place, mediated with USPTO to place the business of a registrar on par with other trades and businesses, and modify it’s trademark infringement policies? And more importantly, will ICANN view this as introducing yet another key stakeholder to the gTLD assignment process?

The answer to the latter is already clear as ICANN being in the top of it’s game decided to take matters into its own hands and on March 26, 2013) launched http://trademark-clearinghouse.com/ with a new set of guidelines for accepted trademarks and a mechanism that allows trademark holders to submit their application to a central repository.

Accepted trademark holders shall be given priority to register gTLDs during the ‘sunrise’ period. Deloitte Enterprise Risk Services have been assigned the responsibility of evaluating submitted trademarks while IBM shall maintain the actual database of trademarks by the later half of 2013.

The tip of the iceberg is well in scope of view. ICANN46 is currently being hosted in Beijing, at the China Internet Network Information Centre (CINIC) from April 7 to 11, 2013 while hopefully parallel discussions will happen on all other global forums to hopefully re-consider a future of multiple competing DNS root servers towards healthy competition that is decentralized.

Key References

1. http://www.icann.org/en/news/litigation
2. http://cyber.law.harvard.edu/tlds/
3. Lynn, S. [2001] “Discussion Draft: A Unique, Authoritative Root for the DNS” Internet Corporation for Assigned Names and Numbers, 28 May, 2001.
4. Internet Architecture Board [2000] “IAB Technical Comment on the Unique DNS Root.” RFC 2826, Internet Society, May 2000.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

The author, Divij Joshi is a law student at NLS and is interning with CIS for its privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

What is the Criminal Law (Amendment) Bill, 2013? What will it change?
The Criminal Law (Amendment) Bill is a bill which is to be introduced in the Indian Parliament, which will replace the Criminal Law (Amendment) Ordinance, 2013[1] currently in force, and aims at amending the existing provisions in criminal law in order to improve the safety of women. The Bill seeks to make changes to the Indian Penal Code, the Code of Criminal Procedure, and the Indian Evidence Act. The Bill will introduce unprecedented provisions in the Indian Penal Code which would criminalise sexual voyeurism and stalking and would amend legal provisions to protect the privacy of individuals, such as discontinuing the practice of examination of the sexual history of the victim of a sexual assault for evidence. With instances of threats to individual privacy on the rise in India, [2] it is high time that the criminal law expands its scope to deal with offences which violate physical privacy.

What threats to privacy will the Act address?
The Act will address the following violations of physical privacy:

Stalking
Draft provision: The ordinance introduces the offence of stalking under Section 345D of the Indian Penal Code, and makes it punishable by imprisonment of not less than one year, which may extend to three years, and a fine. The provision prescribes that ‘Whoever follows a person and contacts, or attempts to contact such person to foster personal interaction repeatedly, despite a clear indication of disinterest by such person, or whoever monitors the use by a person of the internet, email or any other form of electronic communication, or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person.’ Hence, under the new law, constant, unwanted interaction of any one person with another, for any reason, can be made punishable, if the actions results in fear of violence or distress in any person, or interferes with their mental peace.

Current law and need for amendment: Stalking is generally characterized by unwanted and obsessive harassment or persecution of one person by another. Stalking can be a physical act such as constantly following a person, or can be done through electronic means — usually the internet (known as cyberstalking). Stalking may or may not be an act which physically threatens the security of an individual; however, it can cause mental trauma and fear to the person being stalked. Stalking is a blatant intrusion into an individual’s privacy, where the stalker attempts to establish relationships with their victim which the victim does not consent to and is not comfortable with. The stalker also intrudes into the victim’s private life by collecting or attempting to collect personal information the victim may not want to disclose, such as phone numbers or addresses, and misusing it. If the stalker is left undeterred to continue such actions, it can even lead to a threat to the safety of the victim. Cyber-stalking is a phenomenon which can prove to be even more invasive and detrimental to privacy, as most cyber-stalkers attempt to gain access to private information of the victims so that they can misuse it. Stalking, in any form, degrades the privacy of the victim by taking away their choice to use their personal information in ways they deem fit. [3] Recognizing stalking as an offence would not only protect the physical privacy rights of the victims, but also nip potentially violent crimes in the bud.

Many nations including Australia, the United States of America and Japan have penal provisions which criminalise stalking. [4] In India however, there is no appropriate response to stalking as an offence — either in its physical or electronic forms. The Information Technology Act, the legislation purported to deal with instances of cyber-crimes, overlooks instances of breach of online privacy and stalking which does not lead to publication of obscene images or other obvious manifestations of physical or mental threat. The general provision under which victims of stalking can file complaints is Section 509 of the Indian Penal Code (IPC), which states that — ‘Whoever, intending to insult the modesty of any woman, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen, by such woman, or intrudes upon the privacy of such woman, shall be punished with simple imprisonment for a term which may extend to one year, or with fine, or with both.’There are several problems with using this section as a response to stalking. Without a particular definition of what comes under the scope of ‘intrusion of privacy’ under this section, there is reluctance both for the victim to approach the police and for the police to file the complaint. Usually the offence is coupled with some other form of harassment or violence, and the breach of privacy and trauma is not considered as a separate offence. For example, if a person is continuously following or trying to contact you without your consent or approval, but does not physically threaten or insult you, there is no protection in law against such a person. Hence, as pointed out, there is a need to recognize the breach of privacy as a separate ground of offence, notwithstanding other physical or mental grounds. Secondly, the provisions of this section require the criminal to have the ‘intent of insulting the modesty of a woman’. Aside from the difficulties in adjudging the ‘modesty’ of a woman, the provision limits the scope of harassment to only that which intends to insult the modesty of a woman and excludes any other intention as criminal behaviour. The present law amends these problems by disregarding the reason or intent for the behaviour, and by clearly defining the elements of the offence and making stalking as a stand-alone, punishable offence.

Sexual Voyeurism

Draft provision: The Act will add Section 345D to the Indian Penal Code, which reads as follows — ‘Whoever watches, or captures the image of, a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator shall be punished on first conviction with imprisonment of either description for a term which shall not be less than one year, but which may extend to three years, and shall also be liable to fine, and be punished on a second or subsequent conviction, with imprisonment of either description for a term which shall not be less than three years, but which may extend to seven years, and shall also be liable to fine.

Explanation 1.–– For the purposes of this section, “private act” includes an act carried out in a place which, in the circumstances, would reasonably be expected to provide privacy, and where the victim's genitals, buttocks or breasts are exposed or covered only in underwear; or the victim is using a lavatory; or the person is doing a sexual act that is not of a kind ordinarily done in public.

Explanation 2.–– Where the victim consents to the capture of images or any act, but not to their dissemination to third persons and where such image or act is disseminated, such dissemination shall be considered an offence under this section.’

The provision seeks to protect victims of voyeurism, who have been watched, or recorded, without their consent and under circumstances where the victim could reasonably expect privacy, and where the victim’s genitals, buttocks or breasts have been exposed. A reasonable expectation of privacy means that in the circumstances, whether in a public or a private place, the victim has a reasonable expectation that she is not being observed engaging in private acts such as disrobing or sexual acts. The test of reasonable expectation of privacy can be derived from similar provisions in voyeurism laws across the world, and also section 66E of the Information Technology Act.[5] It is particularly important because voyeurism does not necessarily take place in private places like the victims home, but also in public spaces where there is generally an expectation that exposed parts of one’s body are not viewed by anyone.

Current law and need for amendment: A ‘voyeur’ is generally defined as "a person who derives sexual gratification from the covert observation of others as they undress or engage in sexual activities." [6] Voyeurism is the act of a person who, usually for sexual gratification, observes, captures or distributes the images of another person without their consent or knowledge. With the development in video and image capturing technologies, observation of individuals engaged in private acts in both public and private places, through surreptitious means, has become both easier and more common. Cameras or viewing holes may be placed in changing rooms or public toilets, which are public spaces where individuals generally expect a reasonable degree of privacy, and where their body may be exposed. Voyeurism is an act which blatantly defies reasonable expectations of privacy that individuals have about their bodies, such as controlling its exposure to others.[7] Voyeurism is an offence to both the privacy as well as the dignity of a person, by infringing upon the right of individuals to control the exposure of their bodies without their consent or knowledge, either through unwarranted observation of the individual, or through distribution of images or videos against the wishes or without the knowledge of the victim.

Voyeurism is a criminal offence in many jurisdictions across the world such as Australia,[8] the United States,[9] Canada,[10] and the UK,[11] which criminalise either the capturing of certain images, or observation of individuals, or both. In India, the capturing, distribution and transferring of images of ‘private areas’ of a person’s body, under circumstances where the person would have a reasonable expectation of privacy that their body would not be exposed to public view, is punishable with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. However, this does not cover instances where a person observes another in places and situations where they do not consent to being observed. The inclusion of voyeurism as an offence in the IPC would close several loopholes in the voyeurism law and hopefully be a precedent for the state to better work towards securing the bodily privacy of its citizens.

Examination of Sexual History and Privacy
Draft provision: The amendment to Section 53A of the Indian Evidence Act in the Bill reads, “In a prosecution for an offence under section 354, section 354A, section 354B, section 354C, sub-section (1) or sub-section (2) of section 376, section 376A, section 376B, section 376C, section 376D or section 376E of the Indian Penal Code or for attempt to commit any such offence, where the question of consent is in issue, evidence of the character of the victim or of such person’s previous sexual experience with any person shall not be relevant on the issue of such consent or the quality of consent.”

A similar proviso is added to Section 376 of the Indian Evidence Act.

According to the above provision, in a trial for sexual assault or rape the evidence supplied of a victim’s previous sexual experience or her ‘character’ would not be admissible as relevant evidence to determine the fact of the consent or the quality of the consent.

Current law and need for amendment: The Indian Evidence Act is the legislation which governs the admissibility of evidence in the different courts. In cases of rape or sexual assault and related crimes, the evidence of consent often considered is not just that of the consent of the woman in the act at that time itself, but rather her previous sexual experience and “promiscuous character”. Even though it has been widely censured by the highest court,[12] such practices continue to dominate and prejudice the justice of victims of sexual assault and harassment.[13] The examination of the victim’s sexual history in court is an unwarranted intrusion into their privacy through public disclosure of the sexual history and details of her sexual life, which causes potential embarrassment and sexual stereotyping of the victim, especially in a conservative, patriarchal society like in India. With the new amendments, such evidence will not be permitted in a court of law, hence, it will act as a safeguards against defendants attempting to influence the court's decision through disparaging the ‘character’ of the victim, and will protect the disclosure of intimate, personal details like previous sexual encounters of the victim.

Conclusion
Privacy, crime, and safety of women are intricately linked in any legal system. An essential part of the security of citizens is the safety of their privacy and personal information. If any legal system does not protect the privacy — both of body and of information — of its people, there will always be insecurity in such a system. With the recent debates on women’s safety, several crucial privacy and security issues have been raised, such as the criminalization of voyeurism and stalking, which is a huge boost for privacy rights of citizens in India, and it is hopeful that the government will continue the trend of considering privacy issues along when addressing security concerns for the state.

Update to the Criminal Law Amendment Bill 2013 - Penalising Peeping Toms and other privacy issues

The Criminal Law (Amendment) Bill, 2013, was made into law on April 3, 2013. Several provisions under the Act differ from the provisions in the ordinance. Under the Act, unlike in the Ordinance, the terms or watches or spies on a person in a manner that results in a fear of violence or serious  alarm or distress in the mind of such person, or interferes with the mental peace of such person are not included as a part of the offence  of stalking. Hence, the offence is limited to the physical act of  following or contacting a person, provided that there has been a clear  sign of disinterest, or to monitoring the use by a woman of the internet, email or any other forms of electronic communication.  

Hence, from the confusing language of the provision, it would seem that the offence of stalking related to monitoring of activities of a woman is restricted to the monitoring of online communications, and not physical acts. The caveat of such monitoring having to cause serious alarm, distress or interference with the mental peace of the victim is also removed. The removal of unwaranted intrusion through watching or spying of a person, and indeed, the removal of any subjective test to determine the effect of stalking is a departure from stalking provisions accross the world, and is a setback for individual privacy, because stalking per se is a privacy offence, relating not only to the physical interference but also the mental harassment it causes to the victims.

The provision has also increased the puinishment for the crime in the first offence to upto three years, and subsequently to upto five years. Further, the provisions sought to be included within Section 53A and Section 376 of the Indian Evidence Act are now included in Section 146 of the Act.

Link to the Criminal Law (Amendment) Act, 2013

[1]. Criminal Law (Amendment) Ordinance, 2013, available at http://mha.nic.in/pdfs/criminalLawAmndmt-040213.pdf

[2]. http://bit.ly/10nMSTT

[3]. Anita Gurumurthy and Nivedita Menon, Violence against Women via Cyberspace, Economic and Political Weekly, 44 (40), 19, (October, 2009).

[4]. For example, see laws listed http://bit.ly/126hBpO

[5]. Section 66E, The Information Technology Act, 2000: ‘66E. Punishment for violation of privacy.- Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation - For the purposes of this section--

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that--(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[6]. Oxford English Dictionary, available at http://bit.ly/YN2ZvI

[7]. Lance Rothenberg, Rethinking Privacy: Peeping Toms, Video Voyeurs, and the failure of criminal law to recognize a reasonable expectation of privacy in the public space, American University Law Review, 49, 1127, (1999).

[8]. Section 91J, Crimes Act, 1910: "A person who, for the purpose of obtaining sexual arousal or sexual gratification, observes a person who is engaged in a private act without the consent of the person being observed to being observed for that purpose, and knowing that the person being observed does not consent to being observed for that purpose, is guilty of an offence."

[9]. Video Voyeurism Protection Act, 2004.

[10]. Section 162, Criminal Code of Canada: " (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if
(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;
(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or
(c) the observation or recording is done for a sexual purpose.

[11]. Section 67, Sexual Offences Act, 2003.

[12]. http://bit.ly/10nNDwg

[13]. http://reut.rs/13CIDXU

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I  Preliminary

1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“Cyber Café Rules”).

1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21^st Report, the Committee on Subordinate Legislation presciently noted that:

“…statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.” [See the 21^st Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]

Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:

II  Validity of the Cyber Cafe Rules

2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (“IT Act”). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:

“the guidelines to be observed by the intermediaries under sub-section (2) of section 79”

Sections 79 (1) and (2) state:

“79. Exemption from liability of intermediary in certain cases. – (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or

(b) the intermediary does not—

(i)  initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.”

2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “any third party information, data, or communication link made available or hosted” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are ultra vires the IT Act.

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1  Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:

““cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”

This definition of a cyber cafe is overbroad to bring within its ambit any establishment that offers internet access in the course of its business such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and, Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.

Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:

“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”

3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.

Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.

Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Agency for Registration of Cyber Cafes

4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, as follows:

“3. Agency for registration of cyber cafe. – (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include:

(i) name of establishment;

(ii) address with contact details including email address;

(iii) whether individual or partnership or sole properitership or society or company;

(iv) date of incorporation;

(v) name of owner/partner/proprietor/director;

(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and

(vii) type of service to be provided from cyber cafe

Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency.

(2) The details of registration of cyber cafe shall be published on the website of the registration agency.

(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line.

(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”

CIS raises two unrelated and substantial objections to this provision: firstly, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, secondly, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.

4.2  At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.

Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicle for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:

“5. Registration of establishment. – (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing

(a) the name of the employer and the manager, if any;

(b) the postal address of the establishment;

(c) the name, if any, of the establishment,

(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment;

(e) the number of employees working about the business of the establishment; and

(f) such other particulars as may be prescribed.

(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier.

(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect.

(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act.

(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).”

Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.

4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.

In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.

4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules are very poorly drafted and do not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises to hinder economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.

4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:

“(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”

This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, prima facie violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.

Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.

Rule 4 - Identification of User

5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:

“(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identify by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:

(i)   Identity card issued by any School or College; or

(ii)  Photo Credit Card or debit card issued by a Bank or Post Office; or

(iii) Passport; or

(iv) Voter Identity Card; or

(v)  Permanent Account Number (PAN) card issued by Income-Tax Authority; or

(vi) Photo Identity Card issued by the employer or any Government Agency; or

(vi) Driving License issued by the Appropriate Government; or

(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).”

The use of credits cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.

Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.

5.2  Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:

“The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.”

While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Therefore, it is proposed that rule 4(2) be amended to read as follows:

“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”

5.3  Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:

“(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.”

Since the identity documents listed in rule 4(1) all contain a photograph of their owner, the need for further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs, and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.

Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.

5.4  Sub-rue (4) of rule 4 reads as follows:

“(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).”

Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.

Therefore, it is proposed that rule 4(4) be amended to read as follows:

“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”

5.5  Rule 4(5) of the Cyber Cafe Rules states that a user “shall be allowed to enter the cyber cafe after he has established his identity.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “allow[ing] any user to use its computer resource without the identity of the user of the user being established,” this rule 4(5) is redundant.

Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.

5.6  Rule 4(6) of the Cyber Cafe Rules states:

“(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.”

This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.

Therefore, it is proposed that rule 4(6) be deleted.

Rule 5 - Log Register

6.1  Rule 5(3) of the Cyber Cafe Rules states:

“(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.”

This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.

Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.

Rule 7 - Inspection of Cyber Cafe

7.1  Rule 7 of the Cyber Cafe Rules provides for an inspection regime:

“An officer autnorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.”

The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.

Therefore, it is proposed that rule 7 be deleted.

IV Summary

8.1  In sum:

(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are ultra vires the parent statute;

(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:

• Rule 2(1)(c);
• Rule 2(1)(e);
• Rule 2(1)(g);
• Rule 3(1);
• Rule 3(4);
• Rule 4(1);
• Rule 4(2);
• Rule 4(3);
• Rule 4(4);
• Rule 4(5);
• Rule 4(6);
• Rule 5(3); and
• Rule 7.

(c)  The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.

8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1  The Centre for Internet and Society (“CIS”) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (“Sensitive Personal Data Rules” or “Rules”) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.

1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy[1], there have never been codified provisions protecting the privacy of individuals and their personal information.

The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.[2] Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:

II Principles to Facilitate Appraisal
2.1  The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.[3]

This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.

2.2  To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:

(a)   Principle of Notice / Prior Knowledge

All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.

(b)    Principle of Consent

Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.

(c)  Principle of Necessity / Collection Limitation

Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.

(d)  Right to be Forgotten / Principle of Purpose Limitation

Once collected, personal information must be processed, used, stored or otherwise only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.

(e)    Right of Access

All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.

(f)   Principle­ regarding Disclosure

Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.

(g)  Principle of Security

All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.

(h) Principle of Transparency / ‘Open-ness’

All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.

(i)  Principle of Accountability

Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains to attract and civil and criminal penalties.

2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of the achieving the substantive intent of these principles. CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards. Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1.1    Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:

"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes.

3.1.2   Firstly, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identify the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. Secondly, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.

3.1.3    Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:

““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”

3.2.1  Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (“IT Act”) as follows:

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

3.2.2 Firstly, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.[4]

This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, will exclude public and private trusts[5] and unincorporated public authorities. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a prima facie violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.

3.2.3  Secondly, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.

3.2.4  Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:

““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”

Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate.

Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India.

3.3.1  Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:

"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.

3.3.2  Before examining the provisions of this clause, CIS questions the need for this definition. The term “cyber incidents” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. Firstly, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. Secondly, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.

3.3.3   Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.4.1  Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.

3.4.2   Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Sensitive Personal Data

3.5.1    Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:

Sensitive personal data or information of a person means such personal information which consists of information relating to –

(i)   password;

(ii)  financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v)  medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

3.5.2    In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.

3.5.3    Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Sensitive personal data or information of a person means personal information as to that person’s –

(i)  passwords and encryption keys;

(ii)  financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;

(iii) physical, physiological and mental condition;

(iv)  sexual activity and sexual orientation;

(v)   medical records and history;

(vi)  biometric information; and

(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;

and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.

Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”

Rule 4 - Privacy and Disclosure Policy

3.6.1    Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:

Body corporate to provide policy for privacy and disclosure of information. – (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –

(i)  Clear and easily accessible statements of its practices and policies;

(ii) type of personal or sensitive personal data or information collected under rule 3;

(iii) purpose of collection and usage of such information;

(iv) disclosure of information including sensitive personal data or information as provided in rule 6;

(v)  reasonable security practices and procedures as provided under rule 8.

3.6.2  This rule is very badly drafted, contains several discrepancies and is legally imprecise. Firstly, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. Secondly, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. Thirdly, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. Fourthly, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “personal or sensitive personal data or information” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.

3.6.3  Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Duty to publish certain policies. – (1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.

(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –

(i) the meanings of personal information and sensitive personal data in accordance with these rules;

(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;

(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;

(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;

(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and

(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”

Rule 5 - Collection of Information

3.7.1    Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:

Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

3.7.2 Firstly, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. Secondly, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised.  Thirdly, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.

3.7.3   Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”

3.8.1    Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:

Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —

(a)  the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

3.8.2    Firstly, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general, there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. Secondly, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.

3.8.3 Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:

“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –

(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and

(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”

3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:

While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a)  the fact that the information is being collected;

(b)  the purpose for which the information is being collected;

(c)  the intended recipients of the information; and

(d)  the name and address of —

(i)   the agency that is collecting the information; and

(ii)  the agency that will retain the information.

3.9.2   Firstly, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. Secondly, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. Thirdly, the use of the phrase “take such steps as are, in the circumstances, reasonable” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.

3.9.3    Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –

(a)  the fact that it is being collected;

(b)  the purpose for which it is being collected;

(c)  the manner in which it will be used;

(d)  the intended recipients to whom it will be sent or made available;

(e)  the duration for which it will be stored;

(f)   the conditions upon which it may be disclosed;

(g)  the conditions upon which it may be destroyed; and

(h)  the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”

3.10.1  Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:

Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

3.10.2  Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.

3.10.3  Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:

“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”

Rule 6 - Disclosure of Information

3.11.1  Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:

Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

3.11.2  In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: Firstly, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. Secondly, the use of the phrase “any third party” lends vagueness to this provision since the term “third party” has not been defined. Thirdly, the repeated use of the undefined phrase “provider of information” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.

3.11.3  Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. Firstly, the disclosure of personal information and sensitive personal data when it is “necessary for compliance of a legal obligation” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. Secondly, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. Thirdly, the definition and use of the term “cyber incidents” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. In sum, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.

3.11.4  Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:

“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.

Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.

Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”

3.12.1  Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:

Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.

3.12.2  This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “an order under the law”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive public data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.

3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.

3.13.1  Rule 6(4) of the Sensitive Personal Data Rules states:

The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

3.13.2  Firstly, as mentioned elsewhere in this submission, the phrase “third party” has not been defined. This is a drafting discrepancy that must be rectified. Secondly, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. Thirdly, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information consents to it.

3.13.3  Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:

“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”

Rule 7 - Transfer of Information

3.14.1  Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:

A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

3.14.2  This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: firstly, the simultaneous use of the phrases “provider of information” and “such person” is imprecise and misleading; secondly, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.

3.14.3  Therefore, it is proposed that rule 7 be re-drafted to read as follows:

“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”

Rule 8 - Reasonable Security Practices

3.15.1  Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):

The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

3.15.2  ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard are higher: these include the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.

3.15.3  Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001.

IV The Press Release of 24 August 2011

4.1  The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee of Subordinate Legislation as follows:

Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.

Press Note

The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).

These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.

Ministry of Communications & Information Technology (Dept. of Information Technology)

Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011

SP/ska
(Release ID :74990)

4.2  It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to manner and medium of obtaining consent prior to collecting personal information.

4.3  At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,

...law includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.

Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.

[See, Edward Mills AIR 1955 SC 25 at pr. 12, Babaji Kondaji Garad 1984 (1) SCR 767 at pp. 779-780 and Indramani Pyarelal Gupta 1963 (1) SCR 721 at pp. 73-744]

Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.

[See, Raj Narain Singh AIR 1954 SC 569 and Re Delhi Laws Act AIR 1951 SC 332]

Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power are not “law” and cannot modify statutory rules.

V Summary

5.1 CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled

• Rule 2(1)(b);
• Rule 2(1)(c);
• Rule 2(1)(d);
• Rule 2(1)(g);
• Rule 3;
• Rule 4(1);
• Rule 5(1);
• Rule 5(2);
• Rule 5(3);
• Rule 5(4);
• Rule 6(1);
• Rule 6(1) Proviso;
• Rule 6(2);
• Rule 6(4);
• Rule 7; and
• Rule 8.

5.2 CIS submits that the Committee on Subordinate Legislation should take a serious view of the press release issued by the Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.

5.3 CIS submits that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.

5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.

[1]. See generally, Kharak Singh AIR 1963 SC 1295, Gobind (1975) 2 SCC 148, R. Rajagopal (1994) 6 SCC 632, People’s Union for Civil Liberties (1997) 1 SCC 301 and Canara Bank (2005) 1 SCC 496.

[2]. See infra pr. 4.3.

[3]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[4].See generally, Board of Trustees of Ayurvedic College AIR 1962 SC 458 and S. P. Mittal AIR 1983 SC 1.

[5]. See generally, W. O. Holdsworth AIR 1957 SC 887 and Duli Chand AIR 1984 Del 145.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1  This submission presents comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (“ESD Rules” or “Rules”).

1.2  The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (“EDS Bill” or “Bill”). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (“electronic service delivery”). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules are called into question.

II Basic Issues Regarding Electronic Service Delivery

2.1  CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (“Standing Committee”) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:

(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are totally unfamiliar with such technologies to endanger their ability to receive basic government services;

(b)  Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;

(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;

(d)  All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;

(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;

(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection[1] and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,[2] the annual installed capacity for electricity generation is growing[3] and the literacy rate is increasing.[4]

2.2  The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribe the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.

III Improper Exercise of Subordinate Legislative Power

3.1  Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (“Rules of Procedure”), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:

There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.

Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.”

3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:

The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically- enabled kiosks or any other electronic service delivery mechanism.

This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.

3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (“IT Act”). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:

the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.

Section 6-A(2) of the IT Act states:

The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

Prima facie, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers, they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own. Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is ultra vires the IT Act. This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).

IV Clause-by-Clause Comments

Rule 2 - Definitions

4.1.1    Rule 2(c) of the ESD Rules states:

"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules

In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contractees of the appropriate Government who might enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.

4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:

““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”

Rule 3 - System of Electronic Service Delivery

4.2.1    Rule 3(3) of the ESD Rules states:

The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, white they are electronically signed.

This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse to impugn its viability as a means of delivering public services. However, the use of the term “may” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise.

4.2.2    Therefore, it is proposed that rule 3(3) is amended to read as follows:

“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”

4.3.1    Rule 3(5) of the ESD Rules states:

The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.

Firstly, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical to attract abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. Secondly, the use of the phrase “financial code and treasury code” is avoidable since these terms are undefined.

4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:

“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”

4.4.1    Rule 3(6) of the ESD Rules states:

The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services:

Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.

This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:

The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules that merely copies the provisions of the parent statute is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is a absurd misuse of delegated legislative powers.

4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.5.1 Rule 3(7) of the ESD Rules states:

The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.

This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:

The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.

As noted in paragraph 4.3.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.

4.5.2  Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.6.1 Rule 3(8) of the ESD Rules states:

The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.

There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, a sub-delegated service level cannot enforce any penalties. Simply put, the state cannot enforce penalties unless authorised by law. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance is meaningless, especially since service providers will be engaged in providing access to essential government services.

4.6.2  Therefore, it is proposed that rule 3(8) be amended to read as follows:

“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”

[1]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, Telecom Sector in India: A Decadal Profile (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).

[2]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.

[3]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).

[4]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.

Details of the event were published on the UNESCO website.

Session Personnel

Pranesh Prakash was the moderator for the session. There were about 10-15 participants along with 5 remote participants.

There were four speakers:

• William Drake, International Fellow and Lecturer, Media Change & Innovation Division, IPMZ at the University of Zurich
• Carlos Afonso, Executive Director of the Núcleo de Pesquisas, Estudos e Formação (NUPEF) institute
• Avri Doria, Dotgay LLC, Association for Progressive Communications, International School for Internet Governance
• Désirée Miloshevic, International Affairs and Policy Adviser, Afilias

Summary of the Discussion

Speakers Summaries

William Drake:
Mr. Drake argued that the WGIG process demonstrated the benefits of multistakeholder collaboration, and facilitated the WSIS negotiations, and the multistakeholder process that WGIG embodied promoted public engagement in the Internet governance debate.  The working definition of “Internet governance” that the WGIG came up with demystified the nature and scope of Internet governance.  One important outcome of the WGIG report was the proposal of the establishment of the Internet Governance Forum.  The WGIG began the holistic assessment of “horizontal issues,” including development, and made some broad but useful recommendations on key “vertical issues”.  And lastly, the WGIG offered four models for the oversight of core resources that helped to focus the global debate on the governance of the Internet’s core resources.

Carlos Afonso:
Mr. Afonso commented on the issue of international interconnection costs, and pointed out that they continue to be complex and involve complicated cost accounting. Mr. Afonso then pointed out that the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) could be doing more in the context of IPv6, in the way of stimulating backbone operators to ensure IPv6 visibility of the networks below them — many are already IPv6-ready but upstream providers do not provide corresponding transit. He also drew attention to “enhanced cooperation” as an issue that had not been anticipated at the time of the report, but had since become an important issue; similarly, he identified social networking and (in response to a question) military uses of the Internet, etc., as other such issues.  He opined that the WGIG report needed to be elaborated upon in the present context.

Avri Doria:
Ms. Doria argued that while the report was reluctantly accepted after having been first rejected by the governments, it has proven to be highly useful. She praised the report for its working definition of IG, as it is still being used, and because the report made a clear distinction between governments and the governance of the Internet. She then argued that the definition of roles and responsibilities of stakeholders is very loose in the WGIG report and that these definitions are something that needs further study as they do not take into account the full role and responsibilities of all stakeholders. She also argued that the National Telecommunications and Information Administration is transferring some of its oversight powers over technical governance of the domain name system, to multistakeholder processes as can be seen from the “Affirmation of Commitments” which has replaced the earlier “Memorandum of Understanding” it had with ICANN."  She argued that the Affirmation of Commitment based review teams are an important experiment that should be followed with interest.

Désirée Miloshevic:
Ms. Miloshevic pointed out that outside the meta issue of keeping the Internet open for innovation, issues relating to freedom of speech and human rights were the most important challenges facing Internet governance today. She highlighted that several issues, such as economic benefits, consumer protection, freedom to connect and education are issues that have either not been addressed or have been addressed inadequately in the report. She then went on to argue that the IGF, which is an outcome of the WGIG report has had a tangible impact on IG, particularly on clarifying IG as a multi-stakeholder process rather than describing mere institutional regulation models. For example, the IGF allows for newly identified public policy issues to continue to feature as topics in the IGF as emerging issues, such as open data, etc.  Ms. Miloshevic also emphasised the need for stakeholders to increase the development of capacity in dealing with IG issues at the global level.

Summary of General Discussion

Overall, it was agreed by all panelists that the WGIG 2005 report and the WSIS process have had a large impact on Internet Governance (IG), particularly in terms of an increase in public awareness and participation in IG as well as in framing of IG as involving multiple stakeholders and not just governments. This has in turn led to a shifting of power equations as well as an increase in openness and transparency. The report has helped create the distinction between governments and governance of the Internet, and framed, through the working definition of IG that was later incorporated in the WSIS Tunis Agenda, the  non-technical aspects of IG as a core part of IG. Further, the identification and mapping of issues associated with IG and the generation of institutional governance models were important outcomes of the report.  The report was also seen as instrumental in the creation of the Internet Governance Forum (IGF).

Panellists also noted the changed context and the progress (and in many cases, lack of progress) since the WGIG report. Issues were raised around the lack of progress in implementing the specific recommendations made by the report. Inadequate capacity-building of actors in the global South, and efforts of the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) with respect to IPv6 were used as examples. It was also pointed out that a number of concerns have materialized that had not been anticipated at the time of the report, including 'enhanced cooperation', the emergence of social networking, and military uses of the Internet.

Moderator's summary

The WGIG and its report, the background report and the book that followed from that report, have proven to be crucial in defining the formulation and direction of Internet governance for the past 8 years, and have resulted in a multi-stakeholder governance model for the Internet and the IGF, and have set many norms that have shifted power equations. However, many significant issues that weren't central to Internet governance during the formulation of the WGIG report have since emerged, the majority of the recommendations made in the WGIG report haven't seen much progress, the capacity of actors in the global South to engage in IG issues has not increased greatly, and the IGF needs to gain greater credibility and centrality. Transnational private corporations are emerging as increasingly powerful actors in Internet governance and are slowly shifting the balance, a development that was unforeseen in 2005 when governments were seen as the most powerful actors.

Any agreed recommendations from the session

The panelists recommended the production of an analytical report that would explore the current status of the issues and recommendations laid in the original report issues as well as identify any new concerns that have arisen since 2005. An important aspect of this report would be an emphasis on the benefits of the IGF and the role of the WGIG process and report in underscoring the significance of multi-stakeholder processes. Further recommendations included the continued advancement of Internet rights and principles and enhanced cooperation, as these are two focus areas that have emerged since the WGIG report, and the strengthening of the IGF.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. What does that mean? It means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may just be another step in the wrong direction, especially since India currently lacks privacy laws which can protect citizens from potential abuse. Yet, all telecommunications and Internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month and the government plans on creating a platform that will include all the service providers in Delhi, Haryana and Karnataka. The Information Technology Amendment Act 2008 enables e-surveillance and central and regional databases will be created to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers. The CMS will also enable Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers.

The estimated set up cost of the CMS is Rs. 4 billion and it will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). In particular, last October, the NIA approached the Department of Telecom requesting its connection with the CMS, which would help it intercept phone calls and monitor social networking sites without the cooperation of telcos. However, the NIA is currently monitoring eight out of 10,000 telephone lines and if it is connected with the CMS, the NIA will also get access to e-mails and other social media platforms. Essentially, the CMS will be converging all the interception lines at one location and Indian law enforcement agencies will have access to them. The CMS will also be capable of intercepting our calls and analyzing our data on social networking sites. Thus, even our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS being installed soon, the Mumbai police took the initiative of setting up a ´social media lab´ last month, which aims to monitor Facebook, Twitter and other social networking sites. This lab would be staffed by 20 police officers who would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth and to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post which criticized the shutdown of Mumbai after the death of politician Bal Thackeray was proof that the monitoring of our communications can potentially oppress our freedom and human rights. And now that all our online activity will be under the microscope...will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and as such, the Internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists, as all movement, action, interests, ideas and everything else that could define an individual are closely being monitored under the ´surveillance umbrella´ True; if everything about our existence is being closely monitored and analysed, it seems likely that we will instantly be detected and prosecuted if engaged in illegal activity. But is that the case with big data? According to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining of big data, the probability of us being charged for a crime we did not commit is real. Nonetheless, the CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, which is a wholly owned subsidiary of SAS Institute Inc. SAS is a company which produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail, and all the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly enough, SAS also produces social network analysis which ´helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension´. In other words, social network analysis by SAS would mean that, through Facebook, for example, all of an individual's´ interests, activities, habits, relationships and everything else that could be, directly or indirectly, linked to an individual would be mapped out in relation to other individuals. If, for example, several individuals appear to have mutual interests and activities, there is a high probability that an individual will be associated with the same type of organization as the other individuals, which could potentially be a terrorist organization. Thus, an essential benefit of the social network analysis solution is that it uncovers previously unknown network connections and relationships, which significantly enables more efficient investigations.

According to the SAS employee I spoke to, the company provides social network analysis to Indian law enforcement agencies and aims at supporting the CMS project in an attempt to tackle crime and terrorism. Furthermore, the SAS employee argued that their social network analysis solution only analyzes open source data which is either way in the public online domain, hence respecting individuals´ online privacy. In support of the Mumbai ´social media lab´, cyber security expert, Vijay Mukhi, argued:

´There may be around 60 lakh twitter users in the city and millions of other social media network users. The police will require a budget of around Rs 500 crore and huge resources such as complex software, unique bandwidth and manpower to keep a track of all of them. To an extent, the police can monitor select people who have criminal backgrounds or links with anti-social or anti-national elements...[...]...Even the apprehension that police is reading your tweet is wrong. The volume of networking on social media sites is beyond anybody's capacity. Deleting any user's message is humanly impossible. It is even difficult to find the origin of messages and shares. However, during the recent Delhi gangrape incident such monitoring of data in public domain helped the police gauge the mood of the people.´

Another cyber security expert argued that the idea that the privacy of our messages and online activity would be intercepted is a misconception. The expert stated that:

´The police are actually looking out for open source intelligence for which information in public domain on these sites is enough. Through the lab, police can access what is in the open source and not the message you are sending to your friend.´

Cyber security experts also argued that the purpose of the creation of the Mumbai social media lab and the CMS in general is to ensure that Indian law enforcement agencies are better informed about current public opinion and trends among the youth, which would enable them to take better decisions on a policy level. It was also argued that, apparently, there is no harm in the creation of such monitoring centres, especially since other countries, such as the U.S., are conducting the same type of surveillance, while have enacted stringent privacy regulations. In other words, the monitoring of our communications appears to be justified, as long as it is in the name of security.

CMS targeting individuals: myth or reality?

The CMS is not a big deal, because it will not target us individually...or at least that is what cyber security experts in India appear to be claiming. But is that really the case? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can surveille and target individuals, which can only be proven once the two independent variables have been confirmed. Now lets look at the facts.

The surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world and which is a regular sponsor of ISS world surveillance trade shows. In fact, ClearTrail sponsored the ISS world surveillance trade show in Dubai last month - another opportunity to sell its surveillance technologies to law enforcement agencies around the world. ClearTrail´s solutions include, but are not limited to, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception. Indian law enforcement agencies are equipped with such technologies and solutions and thus have the technical capability of targeting us individually and of monitoring our ´private´ online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System. This system can be used to intercept communications from any GSM service providers in the world and has a 100% target call monitor rate. The fact that the system is equipped with IMSI analysis software enables it to extract the suspect´s actual mobile number from the network without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems by Shoghi Communications, which would enable the CMS to monitor telecommunications more effectively.

As previously mentioned, SAS provides Indian law enforcement agencies social network analysis solutions. In general, many companies, Indian and international, produce surveillance products and solutions which they supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? The probability of an individual involved in illegal activity to disclose secrets and plans in the public online sphere is most likely significantly low. So given that law enforcement agencies are equipped with the technology to analyse our data, how do they get access to our content data in order to detect criminals? In other words, how do they access our ´private´ online communications to define whether we are a terrorist or not?

Some of the biggest online companies in the world, such as Google and Microsoft, disclose our content data to law enforcement agencies around the world. Sure, a lawful order is a prerequisite for the disclosure of our data...but in the end of the day, law enforcement agencies can and do have access to our content data, such as our personal emails sent to friends, our browsing habits, the photos we sent online and every other content created or communicated via the Internet. Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. Thus, having access to our ´private´ online data, all Indian law enforcement agencies need is the technology to analyse our data and match patterns. The various surveillance technology companies operating in India, such as ClearTrail and Shoghi Communications, ensure that Indian law enforcement agencies are equipped with the necessary technology to meet these ends.

The hypothesis that the CMS can surveille and target us individually can be confirmed, since Indian law enforcement agencies have access to our content and non-content data, while simultaneously being equipped with the necessary technology to analyse our data. Thus, the arguments brought forth by cyber security experts in India appear to be weak in terms of validity and reliability and the CMS appears to be a new type of ´Big Brother´ upon us. But what does this mean in terms of our privacy and human rights?

The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as the CMS, lack adequate legal backing. No privacy legislation currently exists in India which can protect us from potential abuse. The confirmed CMS hypothesis indicates that all individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activity. Yet, India currently lacks privacy laws which can protect individuals from the infringement of their privacy and other human rights. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications? Who can authorise access to intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

Immense vagueness revolves around the CMS, yet the project is due to start operating this month. In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, which would cover both policy and legal issues pertaining to the CMS project and which would ensure that human rights are not infringed. The overall function of the CMS project and its use of data collected should be thoroughly examined on a legal and policy level prior to its operation, as its current vagueness and excessive control over communications can create a potential for unprecedented abuse.

The necessity and utility of the CMS remain unclear and thus it has not been adequately proven yet that the security trade-off is worth it. One thing, though, is clear: we are giving up a lot of our data....we are giving up the control of our lives...with the hope that crime and terrorism will be reduced. Does this make sense?

This was cross-posted in Medianama

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

1. New Delhi Roundtable: 13 April 2013
2. Bangalore Roundtable: 20 April 2013
3. Chennai Roundtable: 18 May 2013
4. Mumbai Roundtable: 15 June 2013
5. Kolkata Roundtable: 13 July 2013
6. New Delhi Final Roundtable and National Meeting: 17 August 2013

This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.

Overview of Justice A P Shah Report: Purpose, Principles and Framework

The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.

During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called upon the need for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized upon the creation of “light-weight” privacy legislation, which would protect individual´s right to privacy, without infringing upon the interests of the private sector.

Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:

• The purpose of the collection of data
• The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case
• Data is shared with third parties and it is hard to control how long they retain the data for
• Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data

Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follows the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation are approved by the Privacy Commissioner.

While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.

The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.

The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.

Discussion Highlights:

• The pros and cons of self-regulation and co-regulation
• The national privacy principles – and how to build in insurance for technology
• The role of the Privacy Commissioner
• The definition of terms used in the draft Privacy (Protection) Bill 2013

Overview, explanation and discussion on the Privacy (Protection) Bill 2013

The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.

During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.

Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for very several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.

As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished by personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.

Many participants agreed that India´s proposed Privacy Law should meet global standards in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.

The issue of to whom privacy laws would apply to was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.

The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.

The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.

Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.

During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on where it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.

The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request for authorisation once the interception has already being conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.

The second session of the meeting concluded to the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.

Discussion Highlights:

• If the draft Privacy (Protection) Bill 2013 should be split to two separate Bills
• Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)
• If personal data should be distinguished in the private and public sector
• If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards
• The nuances of consumer consent
• Various ways to define ´public figures´
• Freedom of expression in the context of the draft Privacy (Protection) Bill 2013
• The distinction between exemptions and exceptions

In depth explanation and discussions regarding the Privacy (Protection)

Bill 2013

The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.

The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals choose to disclose a large amount of information.

The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data to, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information with, as this would be highly inconvenient.

Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.

A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A  participant responded to this argument by stating that companies only protect users´ data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized upon the futility of informing customers of the handling of their data, especially since the average customer would not understand the security setting of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.

In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.

In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.

Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared with. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.

The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term ´data´. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the ´Right to be Forgotten´ debate and stated that the deletion of data, in many cases, is not feasible.  A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.

The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to ´sensitive personal data´. The need for the redefinition of the term ´sensitive personal data´ in the draft Privacy Bill was emphasized again, as well as participants´ concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should not be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may have not considered when granting initial consent.

The meeting proceeded to discuss the processing of data and several participants emphasized upon the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies. 

Discussion Highlights:

• The different instances of data collection and consumer consent
• The nuances of data sharing
• The issue of consumer consent and security assurances offered by companies
• The pros and cons of having a data retention regulatory framework
• How transparency is incorporated into the draft Privacy Protection Bill 2013
• What is needed in provisions that speak to data destruction

Meeting conclusion

The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals´ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.

Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the Privacy Protection Bill, 2013 based on participants´ feedback, concerns, comments and ideas.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

1. New Delhi Roundtable: 13 April 2013
2. Bangalore Roundtable: 20 April 2013
3. Chennai Roundtable: 18 May 2013
4. Mumbai Roundtable: 15 June 2013
5. Kolkata Roundtable: 13 July 2013
6. New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first Privacy Round Table in Delhi, this report entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20^th April 2013.

Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”

The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13^th April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.

DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.

The discussion points brought forward by DSCI were:

• What role should government and industry respectively play in developing and enforcing a regulatory framework?
• How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?
• How can an organization be incentivized to follow the codes of practice under the SRO?
• What should be the role of SROs in redressal of complaints?
• What should be the business model for SROs?

DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.

Discussion on the draft Privacy (Protection) Bill 2013

Discussion of definitions and preamble: Chapter I & II

The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.

Sensitive Personal Data

The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.

Information vs. Data

During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.

Exemptions

Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants.  Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.

Discussion of “Protection of Personal Data”: Chapter III

Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out and suggested that it be included in draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are been included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.

Data Collection

In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the in Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.

Consent

On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over certain cases, in other cases they choose to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this should too be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized upon the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.

Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.

Data Disclosure

In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.

A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared, retained when it is not handled within India and several participants argued that this should be encountered within the Bill.

Data Destruction

In terms of data destruction, a participant emphasized upon the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized upon the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.

Data Processing

In terms of data processing, participants argued that privacy protection complications have arisen in light of the social media. In particular, they argued that social media develop and expand technologically constantly and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.

However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.

In brief, the following questions with regards to chapter III of the bill were raised during the meeting:

• Should consent be required prior to the collection of data?
• Should consent be acquired prior and after the disclosure of data?
• Should the purpose of data collection be the same as the purpose for the disclosure of data?
• Should an executive order or a court order be required to disclose data?
• At the background of national security, anyone´s data can be under the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data in the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?
• An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?

• Should companies notify individuals when they share their (individuals´) data with international third parties?

In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:

• The data subject has to be informed, unless there is a model contract.
• The request for consent should depend on the type of data that is to be disclosed.
• Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).
• The shared data may be considered private data (need of a relevant regulatory framework).
• An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.
• If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country.
• India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.
• The problem with disclosure is when there is an exception for certain circumstances
• Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability.
• Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).
• ´Data ownership´ should be included in the definitions of the Bill.
• What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.

Discussion of “Interception of Communications”: Chapter IV

The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for other purposes other than the original purpose, as well as that such information should not be shared with third parties.

Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.

Discussion on self-regulation and co-regulation

The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.

The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.

Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than what the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.

Meeting conclusion

The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.

Nishant Shah's article was published in the Indian Express on April 6, 2013.

Never before have we lived in a world that is so seen,documented, archived and forgotten. Early Enlightenment philosophers had wondered, if a tree falls in loneliness and there is nobody there to see it, does the tree really fall? In the world of instant documentation, chances are that if the tree falls, there is somebody there to tweet it.

We live in a spectacular world. That is not to say that it is the best or worst of all possible. I want to ponder on the fact that we create spectacles of things that were otherwise swept under the carpet. Every little detail of our myriad and mundane life is potentially spectacular. From medical technologies that can decipher our chemical DNA to the mobile phone that Instagrams the food we eat and things that we see, we are surrounded by spectacles of everyday life. Pictures, tweets, blogs, geolocation services, status updates, likes, shares — the texture of living has never been this richly and overwhelmingly documented.

However, the data and information that constitutes the recognition of our life, have increased to such a scale that we have overturned the course of human history writing. We identify ourselves as a species that is able to document, store and relay information from one passing generation to another. So much so that we have invested a vast amount of our energies in creating museums, writing histories, building archives, and obsessively collecting facts and fictions of our origins, from the big bang to flying reptiles.

But big data has made us reach a point where we are trying to manage, filter the onslaught of data. We have, for the first time, created information that is no longer intelligible to the human eye or brain. From machines that can verify god particles to artificial intelligence which can identify patterns every day we have replaced the human being from its central position as consumer, producer and subject of data.

These are conditions of living in information societies that are producing, archiving and reorganising information for these information ecosystems. The multiple information streams remind us of the multitude and diversity of human life which cannot be reduced to a generalising theory of similarity. The rise of big data brings to focus the promise of the World Wide Web — a reminder that there are alternatives to the mainstream and that there are unheard, contradictory voices that deserve to be heard. Yet, even as the burgeoning information society explodes on our devices, there is another anxiety which we need to encounter. If the world of information, which was once supposed to be the alternative, becomes the central and dominant mode of viewing the world, what does it hide?

Take friendship, for instance.You can quantify how many friends exist on your social networks. Algorithms can work out complex proximity principles and determine who your closer connections are.

Data mining tools are able to figure out the similarities and likelihood of enduring conversations in your social sphere. But these are all human actions which can be captured by the network and the big data realities. They may be able to give us new information about what friends do and how often, but there is still almost no way of figuring out, which friend might call you in the middle of the night.

Friendship, like many other things, is not made of spectacles. It does not produce information sets which can be mapped and represented as information. Friendship cannot be reduced to pictures of being together or dramatic stories of survival and togetherness. More often than not, true friendships are made of things that do not happen. Or things, if they happen, cannot be put in a tweet, captured on Instagram or shared on Tumblr.

As we take these social networked realities as 'real' realities, it might be worth asking what is being missed out, what remains unheard and unrepresented in these information streams. Because if you love somebody and there is nobody to know it, report it, record it and convert it into a spectacle, does it make your love any less special? Any less intense? Any less true?

Below is a chart depicting the 69A Draft Rules and the 69A Rules:

There was a lot of structural change between the draft rules and the official rules—many of the draft clauses were shuffled around and combined—but not a lot of change in content. Many of the changes that appear in the official rules serve to clarify parts of the draft rules.

Three definitions were added under clause (2), two to clarify later references to a “designated officer” and a “nodal officer” and the third to indicate a form appended to the official Rules.

Clause (3) of the official rules then clarifies who shall be named the “designated officer”, which was not done in the draft rules as there was no inclusion of an official title of the officer who would have the responsibilities of the “designated officer”. Interestingly, clause (3) of the draft rules requires the Secretary of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India to name an officer, whereas clause (3) of the official rules states that the “Central Government” shall designate an officer, a change in language that allows for much more flexibility on the government's part.

Clause (5) in the draft rules and clause (4) in the official rules deal with the designation of a Nodal Officer, but omitted in the official rules are responsibilities of the designated officer, which includes acting on the “direction of the indian competent court”. This responsibility does not appear in any part of the official rules. Further, clause (4) of the official rules requires the organizations implicated in the rules to publish the name of the Nodal Officer on their website; this is an addition to the draft rules, and a highly useful one at that. This is an important move towards some form of transparency in this contentious process.

Clause (5) of the official rules significantly clarifies clause (4) of the draft rules by stating that the designated officer may direct any Agency of the Government or intermediary to block access once a request from the Nodal Officer has been received.

Clause (7) of the official rules uses the word “information” instead of “computer resource”, which is used in the corresponding clause (12) in the draft rules, when referring to the offending object. This change in language significantly widens the scope of what can be considered offending under the rules.

The sub-sections (2), (3) and (4) of clause (9) of the official rules are additions to the draft rules. Sub-section (2) is a significant addition, as it deals with the ability of the Secretary of the Department of Information Technology's ability to block for public access any information or part thereof without granting a hearing to the entity in control of the offending information in a case of emergency nature. The request for blocking will then be brought before the committee of examination of request within 48 hours of the issue of direction, meaning that the offending information could be blocked for two days without giving notice to the owner/controller of the information of the reason for the blockage.

An important clarification has been included in clause (15) of the official rules, which differs from clause (23) of the draft rules through the inclusion of the following phrase: “The Designated Officer shall maintain complete record of the request received and action taken thereof [...] of the cases of blocking for public access”. This is a significant change from clause (23), which simply states that the “Designated Officer shall maintain complete record [...] of the cases of blocking”. This could be seen as an important step towards transparency and accountability in the 69B process of blocking information for public access if clause (16) of the official rules did not state that all requests and complaints received and all actions taken thereof must be kept confidential, so the maintenance of records mentioned in clause (15) of the official rules appears to be only for internal record-keeping. However, just the fact that this information is being recording is a significant change from the draft rules, and may, if the sub-rules relating to confidentiality were to be changed, be useful data for the public.

Though they are from different Acts entirely, the 419A Rules from the Indian Telegraph Act of 1885 and the 69 Rules from the Information Technology (Amended) Act, 2008 are very similar. In fact, much of the language that appears in the official 69 rules is very close, if not the same in many places, as the language found in the 419A rules. The majority of the change in language between the 419A Rules and the equivalent 69 Rules acts to clarify statements or wordings that may appear vague in the former. Aside from this, it appears that many of the 69 Rules have been cut-and-pasted from the 419A Rules.

Arguably the most important change between the two sets of rules takes place between Clause (3) of the 419A Rules and Clause (8) of the 69 Rules, where the phrase “while issuing directions [...] the officer shall consider possibility of acquiring the necessary information by other means” has been changed to “the competent authority shall, before issuing any direction under Rule (3), consider possibility of acquiring the necessary information by other means”. This is an important distinction, as the latter requires other options to be looked at before issuing the order for any interception or monitoring or decryption of any information, whereas the former could possibly allow the interception of messages while other options to gather the “necessary” information are being considered. It seems unreasonable that the state and various state-approved agencies could possibly be intercepting the personal messages of Indian citizens in order to gather “necessary” information without having first established that interception was a last resort.

Another potentially significant change between the rules can be found between Clause (15) of the 419A Rules, which states, in the context of punishment of a service provider, the action taken shall include “not only fine but also suspension or revocation of their licenses”, whereas Clause (21) of the 69 Rules states that the punishment of an intermediary or person in-charge of computer resources “shall be liable for any action under the relevant provisions of the time being in force”. This is an interesting distinction, possibly made to avoid issues with legal arbitrariness associated with assigning punishments that differ for those punishments for the same activities laid out under the Indian Penal Code. Either way, the punishments for a violation of the maintenance of secrecy and confidentiality as well as unauthorized interception (or monitoring or decryption) could potentially be much harsher under the 69 Rules.

In the same vein, the most significant clarification through a change in language takes place between Clause (10) of the 419A and Clause (14) of the 69 Rules: “the service providers shall designate two senior executives of the company” from the 419A Rules appears as “every intermediary or person in-charge of computer resource shall designate an officer to receive requisition, and another officer to handle such requisition” in the 69 Rules. This may be an actual difference between the two sets of Rules, but either way, it appears to be the most significant change between the equivalent Clauses.

The addition of certain clauses in the 69 Rules can also give us some interesting insights about what was of concern when the 419A rules were being written. To begin, the 419A rules provide no definitions for any of the specific terms used in the Rules, whereas the 69 Rules include a list of definitions in Clause (2). Clause (4) of 69 Rules, which deals which the authorisation of an agency of the Government to perform interception, monitoring and decryption, is sorely lacking in the 419A rules, which alludes to “authorised security [agencies]” without ever providing any framework as to how these agencies become authorised or who should be doing the authorising.

The 69 Rules also include Clause (5), which deals with how a state should go about obtaining authorisation to issue directions for interception, monitoring and/or decryption in territories outside of its jurisdiction, which is never mentioned in 419A rules, lamely sentencing states to carry out the interception of messages only within their own jurisdiction.

Lastly, Clause (24), which deals with the prohibition of interception, monitoring and/or decryption of information without authorisation, and Clause (25), which deals with the prohibition of the disclosure of intercepted, monitored and/or decrypted information, have fortunately been added to the 69 Rules.

Similar to the other comparisons that I have done on the 69A and 69B Draft and official Rules, the majority of the changes between these two sets of rules serves to restructure and clarify various clauses in the Draft 69 Rules.

Three new definitions appear in the Clause (2) of the 69 Rules, including a definition for “communication”, which appears in the Draft Rules but has no associated definition under Clause (2) of the Draft Rules.

Clause (31) of the Draft Rules, which deals with the requirement of security agencies of the State and Union territories to share any information gathered through interception, monitoring and/or decryption with federal agencies, does not make an appearance in the official rules. Further, this necessity does not seem to be implied anywhere in the official 69 Rules.

There has been a considerable amount of re-arrangement and re-structuring of the various clauses between the 69B Draft Rules and the official Rules, as can be seen in the comparison chart, but very little content has been changed. The majority of the changes made to the official Rules are changes in wording and language that serve to provide some much-needed clarification to the Draft Rules (see the differences between Clause (9) of the Draft Rules and sub-section (4) of Clause (3) of the official Rules as an example). Language redundancies, as well as full clauses (Clause [6] of the Draft Rules) have been thankfully removed in the official Rules.

Aside from the addition of four definitions, including a definition for a “security policy”, a phrase which appears in the Draft Rules without being defined, Clause (2) contains what is most likely one of the more noteable changes between the two definitions: under sub-section (g) in the 69 Rules, the words “or unauthorised use” have been added to the definition of “cyber security breaches”, which significantly increases the scope of what can be considered a cyber security breach under the Rules.

A significant change between the two sets of rules can be found in sub-section (2) of Clause (8) of the official rules, which states that, “save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information”. The section in italics has been added to the original Clause (22) of the Draft Rules, meaning that when the Rules were originally drawn up, no exceptions were to be made for the destructions of the records for the issuing of directions for monitoring and/or the collected information. They would simply have to be destroyed within six months of the discontinuance of the monitoring/collection.

One change that may or may not be significant is the replacement of the words “established violations” in the Draft Rules to simply “violation” in the official Rules in Clauses (19)/(6), which deal with the responsibility of the intermediary. This could be taken to mean that suspected and/or perceived violations may also be punishable under this clause, but this is a hard stance to argue. Most likely the adjustment was made when those superfluous and/or convoluted parts of the Draft rules were being removed.

This blog post has been cross-posted in Medianama on May 8, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

So yes, we live in an Internet Surveillance State. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?

Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it lacks privacy legislation which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.

The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?

A glimpse of the surveillance industry in India

In light of the UID scheme, the National Intelligence Grid (NATGRID), the Crime and Criminal Tracking Network System (CCTNS) and the Central Monitoring System (CMS), who supplies law enforcement agencies the technology to surveille us?

In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to  biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies simultaneously produce internet monitoring software and encryption tools! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.

Companies selling surveillance technology in India are listed in Table 1. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.

Table 2 shows the types of surveillance technology produced and sold by these 76 companies.

The graph below is based on Table 2 and shows which types of surveillance are produced the most by the 76 companies.

Graph on types of surveillance sold to law enforcement agencies by 76 companies in India

Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the UID scheme which is rapidly expanding across India. Only one company from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the Central Monitoring System (CMS), especially since the project would have to monitor and mine Big Data.

On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since the majority of the population in India does not even have Internet access. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while more than half the population owns mobile phones.  Seeing as companies, such as ClearTrail Technologies and Shoghi Communications, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.

Did you Know:

CARLOS62 on flickr

1. WSS Security Solutions Pvt. Ltd. is north India´s first CCTV zone
2. Speck Systems Limited was the first Indian company to design, manufacture and fly a micro UAV indigenously
3. Mobile Spy India (Retina-X Studios) has the following mobile spying features:

• SniperSpy: remotely monitors smartphones and computers from any location

• Mobile Spy: monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces

4. Infoserve India Private Limited produces an Internet monitoring System with the following features:

• Intelligence gathering for an entire state or a region
• Builds a chain of suspects from a single start point
• Data loss of less than 2%
• 2nd Generation Interception System
• Advanced link analysis and pattern matching algorithms
• Completely Automated System
• Data Processing of up to 10 G/s
• Automated alerts on the capture of suspicious data (usually based on keywords)

5.  ClearTrail Technologies deploys spyware into a target´s machine
6.  Spy Impex sells Coca Cola Tin Cameras!
7.  Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and Lighter Video Cameras to name a few...
8. Raviraj Technologies is an Indian company which supplies RFID and biometric technology to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?

• Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further oppression within these countries

• Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards

“I´m not a terrorist, I have nothing to hide!”

r1chardm on flickr

It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:

“I´m not a terrorist, I have nothing to hide!”

Indeed. You may not be a terrorist...and you may think you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?

Last year at the linux.conf.au, Jacob Appelbaum stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. Bruce Schneier has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.

That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, we are all potentially suspects. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called ´risky information´.  As long as our data is being surveilled, we are all suspects, which means that we can all potentially be arrested, interrogated and maybe even tortured, just like any other criminal suspect.

But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.

Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The market appears to demand for surveillance technologies because a pre-existing surveillance culture has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as 3M, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that surveillance is being socially integrated. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.

By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as NATGRID and the CMS in India- or by handing over our data, we are fuelling the surveillance state. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution and of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.

Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because India lacks privacy legislation which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.

Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as Raviraj Technologies, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus export controls are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.

Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even murdered in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.

The Google Policy Fellowship offers successful candidates an opportunity to develop research and debate on the fellowship focus areas, which include Access to Knowledge, Openness in India, Freedom of Expression, Privacy, and Telecom, for a period of about ten weeks starting from July 7, 2013 upto October 1, 2013. CIS will select the India Fellow. Send in your applications for the position by June 15, 2013.

To apply, please send to [email protected] the following materials:

1. Statement of Purpose: A brief write-up outlining about your interest and qualifications for the programme including the relevant academic, professional and extracurricular experiences. As part of the write-up, also explain on what you hope to gain from participation in the programme and what research work concerning free expression online you would like to further through this programme. (About 1200 words max).

2. Resume

3. Three references

Fellowship Focus Areas

Access to Knowledge: Studies looking at access to knowledge issues in India in light of copyright law, consumers law, parallel imports and the interplay between pervasive technologies and intellectual property rights, targeted at policymakers, Members of Parliament, publishers, photographers, filmmakers, etc.

• Openness in India: Studies with policy recommendations on open access to scholarly literature, free access to law, open content, open standards, free and open source software, aimed at policymakers, policy researchers, academics and the general public.

• Freedom of Expression: Studies on policy, regulatory and legislative issues concerning censorship and freedom of speech and expression online, aimed at bloggers, journalists, authors and the general public.

• Privacy: Studies on privacy issues like data protection and the right to information, limits to privacy in light of the provisions of the constitution, media norms and privacy, banking and financial privacy, workplace privacy, privacy and wire-tapping, e-governance and privacy, medical privacy, consumer privacy, etc., aimed at policymakers and the public.

• Telecom: Building awareness and capacity on telecommunication policy in India for researchers and academicians, policymakers and regulators, consumer and civil society organisations, education and library institutions and lay persons through the creation of a dedicated web based resource focusing on knowledge dissemination.

Frequently Asked Questions

What is the Google Policy Fellowship program?

The Google Policy Fellowship program offers students interested in Internet and technology related policy issues with an opportunity to spend their summer working on these issues at the Centre for Internet and Society at Bangalore. Students will work for a period of ten weeks starting from June 1, 2013. The research agenda for the program is based on legal and policy frameworks in the region connected to the ground-level perceptions of the fellowship focus areas mentioned above.

• I am an International student can I apply and participate in the program? Are there any age restrictions on participating?

  Yes. You must be 18 years of age or older by January 1, 2013 to be eligible to participate in Google Policy Fellowship program in 2013.

• Are there citizenship requirements for the Fellowship?

  For the time being, we are only accepting students eligible to work in India (e.g. Indian citizens, permanent residents of India, and individuals presently holding an Indian student visa. Google cannot provide guidance or assistance on obtaining the necessary documentation to meet the criteria.

• Who is eligible to participate as a student in Google Policy Fellowship program?

  In order to participate in the program, you must be a student. Google defines a student as an individual enrolled in or accepted into an accredited institution including (but not necessarily limited to) colleges, universities, masters programs, PhD programs and undergraduate programs. Eligibility is based on enrollment in an accredited university by January 1, 2013.

• I am an International student can I apply and participate in the program?

  In order to participate in the program, you must be a student (see Google's definition of a student above). You must also be eligible to work in India (see section on citizen requirements for fellowship above). Google cannot provide guidance or assistance on obtaining the necessary documentation to meet this criterion.

• I have been accepted into an accredited post-secondary school program, but have not yet begun attending. Can I still take part in the program?

  As long as you are enrolled in a college or university program as of January 1, 2013, you are eligible to participate in the program.

• I graduate in the middle of the program. Can I still participate?

  As long as you are enrolled in a college or university program as of January 1, 2013, you are eligible to participate in the program.

Payments, Forms, and Other Administrative Stuff

How do payments work?

Google will provide a stipend of USD 7,500 equivalent to each Fellow for the summer.

• Accepted students in good standing with their host organization will receive a USD 2,500 stipend payable shortly after they begin the Fellowship in June 2013.

• Students who receive passing mid-term evaluations by their host organization will receive a USD 1,500 stipend shortly after the mid-term evaluation in July 2013.

• Students who receive passing final evaluations by their host organization and who have submitted their final program evaluations will receive a USD 3,500 stipend shortly after final evaluations in August 2013.

Please note: Payments will be made by electronic bank transfer, and are contingent upon satisfactory evaluations by the host organization, completion of all required enrollment and other forms. Fellows are responsible for payment of any taxes associated with their receipt of the Fellowship stipend.

*While the three step payment structure given here corresponds to the one in the United States, disbursement of the amount may be altered as felt necessary.

What documentation is required from students?

Students should be prepared, upon request, to provide Google or the host organization with transcripts from their accredited institution as proof of enrollment or admission status. Transcripts do not need to be official (photo copy of original will be sufficient).

I would like to use the work I did for my Google Policy Fellowship to obtain course credit from my university. Is this acceptable?

Yes. If you need documentation from Google to provide to your school for course credit, you can contact Google. We will not provide documentation until we have received a final evaluation from your mentoring organization.

Host Organizations

What is Google's relationship with the Centre for Internet and Society?

Google provides the funding and administrative support for individual fellows directly. Google and the Centre for Internet and Society are not partners or affiliates. The Centre for Internet and Society does not represent the views or opinions of Google and cannot bind Google legally.

Important Dates

What is the program timeline?

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

1. New Delhi Roundtable: 13 April 2013
2. Bangalore Roundtable: 20 April 2013
3. Chennai Roundtable: 18 May 2013
4. Mumbai Roundtable: 15 June 2013
5. Kolkata Roundtable: 13 July 2013
6. New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18^th May 2013.

Overview of DSCI´s paper on ´Strengthening Privacy Protection through Co-Regulation´

The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATRGID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.

The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.

In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers choose to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner with which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that that individual should have the right to access his/her data and make possible corrections.

The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.

The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals´ data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, the both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.

The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.

Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.

Co-regulation was once again supported by the DSCI through the argument that customers choose to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of incentives companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.

Discussion on the draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter II

The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where the one would focus on data protection and the other on surveillance and interception. The split of a Bill on data protection to two consecutive Bills was also proposed, where the one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.

The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ´sensitive personal data´ and it was recommended that the Indian draft Privacy (Protection) Bill complies with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for ´sensitive personal data´ to safeguard individuals from potential abuse. Furthermore, the fact that the term ´sensitive personal data´ does not have a harmonious nature in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply to global privacy standards.

The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.

Discussion of “Protection of Personal Data”: Chapter III

The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals´ personal data. It was also argued that when an individual is constantly under surveillance, that individual´s behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers.

Issue of Consent

The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data withheld about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.

Outsourcing of Data

It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.

Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.

Data Retention

Acting on the powers given by POTA, it was argued that 50,000 arrests have been made. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.

It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change within time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that is should not only apply to present data, but also to past data, such as archives.

Data Processing

The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.

Data Disclosure

The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.

According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.

Discussion of “Interception of Communications”: Chapter IV

The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.

Meeting conclusion

The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Efforts to regulate the collection and use of DNA data were started in India in 2007 by the Centre for DNA Fingerprinting and Diagnostics through their draft DNA Profiling Bill. Although the bill has evolved from its original conception, several concerns with regard to human rights and privacy still remain. The draft bill heavily borrows the different aspects related to collection, profiling and use of forensic data from the legislations of the United States, United Kingdom, Canada and Australia.

Click to find an overview of a comparative analysis of DNA Profiling Legislations.

"We live in a surveillance state. The government can find out who we communicate with, who we talk to, who we are near, when we are at a protest, which stores we go to, where we travel to... they can find out all of these things. And it's unlikely it's going to get rolled back, but the best we can hope for is a system of law where the government gets to use its powers only in the right situation." – Christopher Soghoian, American Civil Liberties Union.

Centre for Internet and Society presents its first installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS interviews Christopher Soghoian, a privacy researcher and activist, working at the intersection of technology, law and policy. Christopher is the Principal Technologist and a Senior Policy Analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union (ACLU).

Christopher is based in Washington, D.C. His website is http://www.dubfire.net/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, [1] and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.[2]

On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.

The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation.  In 2011 the “Draft Privacy Bill 2011” was leaked.[3] In  2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. [4] In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.[5] The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.[6] Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.[7] The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.

The Center for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.

The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation  of the 15th Lok Sabha.[8]

We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.

[1]. CII asks EU to accept India as 'Data Secure' nation: http://bit.ly/15Z77dH

[2]. India threatens to stall trade talks with EU: http://bit.ly/1716aF1

[3]. New privacy Bill: Data Protection Authority, jail term for offence: http://bit.ly/emqkkH

[4]. The Report of the Group of Experts on Privacy http://bit.ly/VqzKtr

[5]. Law Minister Seeks stand along privacy legislation, writes PM: http://bit.ly/16hewWs

[6]. The Privacy Protection Bill 2013 drafted by CIS: http://bit.ly/10eum5d

[7]. Privacy Roundtable: http://bit.ly/12HYoj5

[8]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: http://bit.ly/Z2FjX6

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was cross-posted in Medianama on 24th June 2013.

¨Does the NSA collect any type of data at all on millions or hundreds of millions of  Americans?”, the democratic senator, Ron Wyden, asked James Clapper, the director of national intelligence a few months ago. “No sir”, replied Clapper.

True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of Americans, Indians, Egyptians, Iranians, Pakistanis and others all around the world.

Leaked NSA surveillance

Verizon Court Order

Recently, the Guardian released a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.

USA Today reported in 2006 that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the April 25 top secret order is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 09/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes metadata such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.

Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. Privacy and human rights concerns rise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens´ communications and lives. Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.

PRISM

Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by The Washington Post. Apparently, not only is the NSA gaining access to the meta data of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to disclose the security requests they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.

Yet it appears that the PRISM online surveillance programme enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The Guardian reported that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.

James R. Clapper, the US Director of National Intelligence, stated:

“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world.

Boundless Informant

And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data?

The Guardian released top secret documents about the NSA data mining tool, called Boundless Informant; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide.

The following “global heat map” reveals how much data is being collected by the NSA from around the world:

The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.

During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with 15% of all information being tapped by the NSA coming from India during February-March 2013.

Edward Snowden is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.

So what does this all mean for India?

In his keynote speech at the 29th Chaos Communications Congress, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone´s department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have a history in spying on civilians, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s is proof of that. But how does all this affect India?

By tapping into the servers of some of the biggest Internet companies in the world, such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial Boundless Informant data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?

India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians´ data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches.

Recent reports that the NSA is tapping into these servers ultimately means that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining.

Many questions remain vague, but one thing is clear: through the NSA´s total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It´s not just about the U.S. government having access to Indians´ data, because access can lead to control and according to security expert, Bruce Schneier:

“Our data reflects our lives...and those who control our data, control our lives”.

How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in corporations seeking data request transparency, but also because they are unveiling a major global issue: surveillance is a fact and can no longer can be denied. The massive, indiscriminate collection of Indians´ data, without their prior knowledge or consent, and without the provision of guarantees in regards to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since the larger the database, the larger the probability for error. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since technology is not infallible and data trails are not always accurate.

What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even murdered - remember the drones?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?

What can we do now?

Let´s start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.

Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.

As a next- but immediate- step, the Indian government should demand answers from the NSA to the following questions:

• What type of data is collected from India and which parties have access to it?

• How long is such data retained for? Can the retention period be renewed and if so, for how long?

• Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?

In addition to the above questions, the Indian government should also request all other information relating to Indians´ data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians´ data is prevented and that Internet companies are transparent and accountable in regards to who has access to their servers.

On an individual level, Indians can protect their data by using encryption, such as GPG encryption for their emails and OTR encryption for instant messaging. Tor is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.

To avoid surveillance, the use of HTTPS-Everywhere in the Tor Browser is recommended, as well as the use of combinations of additional software, such as TorBirdy and Enigmail, OTR and Diaspora. Tor hidden services are communication endpoints that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA´s surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.

Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it´s a fact. And why is it vital to protect our data? Because if we don´t, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.

The principles formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these principles are:

• Legality: Limitations to the right to privacy must be prescribed by law

• Legitimate purpose: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose

• Necessity: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases

• Adequacy: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose

• Competent authority: Authorities must be competent when making determinations relating to communications or communications metadata

• Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis

• Due process: Governments must respect and guarantee an individual's human rights, that may interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the public

• User notification: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request

• Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public

• Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests

• Integrity of communications and systems: Service providers are responsible for the secure transmission and retention of communications data or communications metadata

• Safeguards for international cooperation: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public

• Safeguards against illegitimate access: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress

• Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation

Applying these above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for everyone to fight for their right to be free.

Is a world without freedom worth living in?

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The Irish Data Protection Commissioner was asked the following questions:

1. What powers does the Irish Data Commissioner´s office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

2. Does your office differ from other EU data protection commissioner offices?

3. What challenges has your office faced? What is the most common type of privacy violation that your office has faced?

4. Why should privacy legislation be enacted in India?

5. Does India need a Privacy Commissioner? Why? If India creates a Privacy Commissioner, what structure / framework would you suggest for the office?

6. How do you think data should be regulated in India? Do you support the idea of co-regulation or self-regulation?

7. How can India protect its citizens´ data when it is stored in foreign servers?

video

A few days ago, Masashi Crete-Nishihata (research manager) and Jakub Dalek (systems administrator) from the Citizen Lab visited the Centre for Internet and Society (CIS) to share their research with us.

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. The OpenNet Initiative is one of the Citizen Lab's ongoing projects which aims to document patterns of Internet surveillance and censorship around the world. OpenNet.Asia is another ongoing project which focuses on censorship and surveillance in Asia.

The following video entails an interview of both Masashi Crete-Nishihata and Jakub Dalek on the following questions:

1. Why is it important to investigate Internet filtering around the world?

2. How high are the levels of Internet filtering in India, in comparison to the rest of the world?

3. "Censorship and surveillance of the Internet aim at tackling crime and terrorism and in increasing overall security." Please comment.

4. What is Netsweeper and how is it being used in India? What consequences does this have?

5. What is FinFisher and how could it be used in India?

Video

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

1. New Delhi Roundtable: 13 April 2013

2. Bangalore Roundtable: 20 April 2013

3. Chennai Roundtable: 18 May 2013

4. Mumbai Roundtable: 15 June 2013

5. Kolkata Roundtable: 13 July 2013

6. New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.

Discussion of the Draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter 1

The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013.

It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised.

Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection.

The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored.

Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards.

The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over.

The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.

In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts.

Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data.

On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions.

Right to Privacy: Chapter 2

The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill.

Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts.

The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.

Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly.

Protection of Personal Data: Chapter 3

Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data.

Collection of personal data

The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention.

It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill.

Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty.

A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes.

The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill.

In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection.

It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well.

Storage and destruction of personal data

The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data.

In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India.

Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases.

Security of personal data and duty of confidentiality

Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”.

One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India.

Disclosure of personal data

The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to.

It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill.

Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism.

This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided.

Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill.

A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed.

However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed.

Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security.

The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill.

Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner

The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013.

In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation.

There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future.

The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers.

Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a competitive disadvantage in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security.

As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so.

The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control.

On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations.

When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported.

Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data.

The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on accountability. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached.

On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated.

Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights.

Meeting conclusion

The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

This letter is with regards to the installation of Radio Frequency Identification Tags (RFID) in vehicles in India.

On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.

The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.

The installation of RFID tags in vehicles is not only currently illegal, but it also raises majors privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.[1]

The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.[2] The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.

As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.

Thank you for your time and for considering our request.

Sincerely,

Centre for Internet and Society (CIS)

[1]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2].Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf

The Snowden Leaks have made it amply clear that the covert surveillance conducted by governments is no longer covert. Information by its very nature is prone to leaks. The discretion lies completely in the hands of the personnel handling your data or information. Whether it is through knowledge obtained by an intelligence analyst about the US Government conducting indiscriminate surveillance, or hackers infiltrating a secure system and leaking personal information, stored information has a tendency to come out in the open sooner or later.

This raises the question whether, with the advancement of technologies, we should trust our personal information and data with computers. Should we have more stringent laws and procedural safeguards to protect our personal information? Of course, the broader question that remains is whether we have a ‘Right to be Forgotten’.

Similar to PRISM in the US, India is also implementing a Centralized Monitoring System (CMS) which would have the capabilities to conduct multiple privacy-intrusive activities, ranging from call data record analysis to location based monitoring. Given the circumstances and the current revelations by a whistleblower in the US, it is more than imperative to take a closer look at the surveillance technologies which are being deployed by India and question what implications it might have in the future.

Technological shift and procedural safeguards
The need for procedural safeguards was brought to light in the Supreme Court case, when news reports surfaced about the tapping of politicians' phones by the CBI. The Court while deciding on the issue of phone tapping in the case of People’s Union of Civil Liberties v. Union of India (1996), observed that the Indian Telegraph Act, 1885 is an ancient legislation and does not address the issue of telephone tapping. Thereafter, the court issued guidelines, which were implemented by the Government by amending and inserting Rule 419A of the Indian Telegraph Rules, 1951. These procedural safeguards ensure that due process will be followed by any law enforcement agency, while conducting surveillance.

Section 5(2) of the Indian Telegraph Act, 1885 grants the power to the Government to conduct surveillance provided that there is an occurrence of any public emergency or public safety. If and only if the conditions of public safety and public emergency are compromised, and if the concerned authority is convinced that it is expedient to issue such an order for interception in the interest of “the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence” is surveillance legitimized. The same was reaffirmed by the Supreme Court in the 1996 judgment on wire tapping.

Now, as the Government of India is planning to launch a new technology, the Centralized Monitoring System (CMS) which would snoop, track and monitor communication data flowing through telecom and data networks, the question arises: can we have procedural safeguards which would protect our right to privacy against technologies such as the CMS?

The key component of a procedural safeguard is human discretion; either a court authorization or an order from a high ranking government official is necessary to conduct targeted surveillance and the reasons for conducting surveillance have to be recorded in writing. This is the procedure which is ordinarily followed by law enforcement agencies before conducting any form of surveillance. However, with the computational turn, governments have resorted to practices which would do away with the human discretion. Dragnet surveillance allows for blanket surveillance. Before getting to the problems in evolving a due process for systems like CMS, it is imperative to examine the capabilities of the system.

Centralized Monitoring System and death of due process
Setting up of a CMS was conceptualized in India after the 2008 Mumbai attacks. It was further consolidated and found a place in the Report of the Telecom Working Group on the Telecom Sector for the Twelfth Five Year Plan (2012-2017). The Report was published in August, 2011 and goes into the details of the CMS.

When machines and robots are deployed to conduct blanket surveillance and impinge on the most fundamental right to life and liberty, and also violate the basic tenets of due process, then much cannot be done by way of procedures. What then do we resort to, is the primary question. Can there be a compromise between the right to privacy and security?

The Report indicates that the technology will cater to “the requirements of security management for law enforcement agencies for interception, monitoring, data analysis/mining, anti‐social‐networking using the country’s telecom infrastructure for unlawful activities.”

The CMS will also be capable of running algorithms for interception of connection oriented networks, algorithms for interception of voice over internet protocol (VoIP), video over IP and GPS based monitoring systems. These algorithms would be able to intercept any communication without any intervention from the telecom or internet service provider. It would also have the capability to intercept and analyze data on any communication network as well as to conduct location based monitoring by tracking GPS locations. Given such capabilities, it is clear that a computer system will be sifting through the internet/communication data and will conduct surveillance as instructed through algorithms. This would include identifying patterns, profiling and also storing data for posterity. Moreover, the CMS will have direct access to the telecommunication infrastructure and would be monitoring all forms of communication.

With the introduction of CMS, state surveillance will shift to blanket surveillance from the current practice of targeted surveillance which can be carried out under specific circumstances that are well defined in the law and in judgments. Moreover, when it comes to current means of surveillance, there are well-defined procedures under the law which have the ability to prevent misuse of the surveillance systems. This is not to say that the current procedural safeguards under the laws are not prone to abuse, but if implemented properly, there is less chance of them being misused. Furthermore, with strong privacy and data protection laws, unlawful and illegal surveillance can be minimized.

In the current legal framework, with respect to surveillance, if CMS is implemented then it will be in violation of the fundamental right to privacy and freedom of speech as guaranteed under our Constitution. It will be also in contravention of the procedural safeguards laid down in the Supreme Court judgement and the Rule 419A of Indian Telegraph Rules, thereof. Strong privacy laws and data protection laws may be put in place, which are completely absent now. But at the end of the day, a machine will be spying on every citizen of India or anyone using any communication services, without any specific targets or suspects.

In the People’s Union of Civil Liberties v. Union of India (1996), the Supreme Court laid down that “the substantive law as laid down in Section 5(2) of the [Indian Telegraph Act, 1885] must have procedural backing so that the exercise of power is fair and reasonable.” But with technologies such as CMS, it will be very difficult to have any form of procedural backing because the system would do away with human discretion which happens to be a key ingredient of any legal procedure.

The argument which can be made in favour of CMS, if any, is that a machine will be going through personal data and it will not be available to any personnel or law enforcement agency without authorization and therefore, it will adhere to the due process. However, such a system will be keeping track of all personal information. Right to privacy is the right to be left alone and any incursion on this fundamental right can only be allowed in special cases, in cases of public emergency or threat of public safety. So, electronic blanket surveillance without human intervention also amounts to violation of the substantive law, which specifically allows surveillance only to be conducted under certain conditions, and not through a system such as CMS that is designed to keep a constant watch on everyone, irrespective of the fact whether there is a need to do so.

Additionally, there exists a strong, pre-established notion that whatever comes out of a computer is bound to be true and authentic and there cannot be any mistakes. We have witnessed this in the past where an IT professional from Bangalore was arrested and detained by the Maharashtra Police for posting derogatory content on Orkut about Shivaji. Later, it was found that the records acquired from the Internet Service Provider were incorrect and the individual had been arrested and detained illegally.

Telephone bills, credit card bills coming out from a computer system are often held to be authentic and error-free. With UID, our identity has been reduced to a number and biometrics stored in a database corresponding to that number. It is this trust in anything which comes out of a computer or a machine that can lead to massive abuse of the system in the absence of any form of checks and balance in place. Artificial things taking control over human lives and our almost unflinching trust in technology will not only cause gross violations of privacy but will also be the death of due process and basic human rights as we know it.

In this regard, due emphasis should be given to the landmark Supreme Court judgment in the case of Maneka Gandhi v. Union of India (1978) which deals with issues related to due process and privacy. It states that "procedure which deals with the modalities of regulating, restricting or even rejecting a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, ‘procedure’ must rule out anything arbitrary, freakish or bizarre. A valuable constitutional right can be canalised only by canalised processes".

When machines and robots are deployed to conduct blanket surveillance and impinge on the most fundamental right to life and liberty and also violate the basic tenets of due process, then much cannot be done by way of procedures. What then do we resort to, is the primary question. Can there be a compromise between the right to privacy and security?

A no-win situation
In reality, dragnet surveillance or blanket surveillance is not very useful for gathering valuable intelligence to prevent instances of threat to national security, public safety and public emergency. For example, if the CMS is used to mine data, analyse content related to anti-social activities and even if the system is 99 per cent accurate, the remaining 1 per cent which is a false positive happens to be a large set. So, 1 out of every 100 individuals identified as an anti-social element by CMS may actually be an innocent citizen. Given the possibility of false positives and which may be more than 1 per cent, the number of innocent citizens caught in the terrorist net would be much higher.

Even though blanket surveillance or dragnet surveillance can keep a tab on everyone, it is nearly impossible for an algorithm to separate the terrorists from the rest. Moreover, the data set collected by the machine is too big for any human analyst, to actually analyze and identify the terrorist in the midst of a deluge of information. Therefore, the argument that a system like CMS will ensure security in lieu of minor intrusions of privacy is a flawed one. Implementation of CMS will not really ensure security but will be a case of blatant violation of individual’s right to privacy anyway.

What is perhaps more shocking is that not only will CMS be futile in preventing security breaches or neutralizing security threats, it will on the contrary expose individual Indian citizens to breach of personal security. If personal data and information are stored for future reference through a centralized mechanism, which is also the case with UID, it will be highly susceptible to attacks and security threats. It will be a Pandora’s Box with a potential to create havoc the moment someone is able to gain access to the information with intention to misuse that. Leaking of personal information and data on a large scale can be detrimental to society and give rise to instances of public emergency.

The ‘Right to be Forgotten’

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Introduction

The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but does not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.

SEBI’s Authority (Until Now)

Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."[1] Its powers have included "calling for information from, undertaking inspection, conducting inquires and audits of the intermediaries and self-regulatory organisations in the securities market."[2] Although the agency has held the responsibility to investigate records on market activity, they have never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”[3] SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.

But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.

What is the Importance of CDR Access?

Reports on SEBI’s recent expansion are quick to ensure that the agency is not looking for phone-tapping rights, which intercepts messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."[4] Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.

One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.[5] Currently, under section 92 of the CrPc, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.[6] Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without the pretense of “reasonable grounds," as stipulated in section 11C of the SEBI Act.[7] It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."[7] With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.[8] But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.

Significance and Responsibility in this Decision

Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizen’s call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizen’s call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizen’s rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.

[1]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).

[2]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).

[3]. “Sebi Finalising new Anti-money laundering guidelines,” The Times of India, June 16, 2013

http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms

[4]. International Principles on the Application of Human Rights to Communications Surveillance -http://www.necessaryandproportionate.net/#_edn1

[5]. “Sebi to soon to get Powers to Access Call Records,” Business Today, June 13, 2013

http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html

[6]. 1973 Criminal Procedure Code, Section 92 http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf

“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013

http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary

[7]. 1992 Securities and Exchange Board of India Act, section 11C, part 8

[8]. 2002 Prevention of Money-Laundering Act, section 12

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

Click to read the original published in the Indian Express here

Book: The New Digital Age
Author: Eric Schmidt & Jared Cohen
Publisher: Hachette
Price: Rs 650
Pages: 315

When I first heard that Eric Schmidt the chairman of Google and Jared Cohen, the director of the techno-political think-tank Google Ideas, are co-authoring a book about our future and how it is going to be re-shaped with the emergence of digital technologies, I must confess I was sceptical. When people who do things that you like start writing about those things, it is not always a pretty picture. Or an easy read. However, like all sceptics, I am only a romantic waiting to be validated. So, when I picked up The New Digital Age I was hoping to be entertained, informed and shaken out of my socks as the gurus of the interwebz spin science fiction futures for our times. Sadly, I have been taught my lesson and have slid back into hardened scepticism.

Here is the short version of the book: Technology is good. Technology is going to be exciting. There are loads of people who haven't had it yet. There are not enough people who have figured out how things work. Everybody needs to go online because no matter what, technologies are here to stay and they are going to be the biggest corpus of power. They write, "There is a canyon dividing people who understand technology and people charged with addressing the world's toughest geopolitical issues, and no one has built a bridge…As global connectivity continues its unprecedented advance, many old institutions and hierarchies will have to adapt or risk becoming obsolete, irrelevant to modern society." So the handful who hold the reigns of the digital (states, corporates, artificial intelligence clusters) are either going to rule the world, or, well, write books about it.

The long version is slightly more nuanced, even though it fails to give us what we have grown to expect of all things Google — the bleeding edge of back and beyond. For a lay person, observations that Schmidt and Cohen make about the future of the digital age might be mildly interesting in the way title credits to your favourite movie can be. Once they have convinced us, many, many times, that the internet is fast and fluid and that it makes things fast and fluid and hence the future we imagine is going to be fast and fluid, the authors tell us that the internet is spawning a new "caste system" of haves, have-nots, and wants-but-does-not-haves.

Citing the internet as "the largest experiment involving anarchy in history" they look at the new negotiations of power around the digital. Virulent viruses from the "Middle East" make their appearance. Predictably wars of censorship and free information in China get due attention. Telcos get a big hand for building the infrastructure which can sell Google phones to people in Somalia. The book offers a straightforward (read military) reading of drones and less-than-expected biased views on cyberterrorism, which at least escapes the jingoism that the USA has been passing off in the service of a surveillance state. And more than anything else, the book shows politicos and governments around the world, that the future is messy, anarchy is at hand, but as long as they put their trust in Big Internet Brothers, the world will be a manageable place.

So while you can clearly see where my review for the book is heading, I must give it its due credit.

There are three things about this book that make it interesting. The first is how Schmidt and Cohen seem to be in a seesaw dialogue with themselves. They realise that five billion people are going to get connected online. They gush a little about what this net-universality is going to mean. And then immediately, they also realise that we have to prepare ourselves for a "Brave New World," which is going to be infinitely more messy and scary. They recognise that the days of anonymity on the Web are gone, with real life identities becoming our primary digital avatars. However, they also hint at a potential future of pseudonymity that propels free speech in countries with authoritarian regimes. This oscillation between the good, the bad, the plain and the incredible, keeps their writing grounded without erring too much either on the side of techno-euphoria or dystopic visions of the future.

Second, and perhaps justly so, the book doles out a lot of useful information not just for the techno-neophytes but also the amateur savant. There are stories about "Currygate" in Singapore, or of what Vodaphone did in Egypt after the Arab Spring, or of the "Human Flesh Search Engine" in China, which offer a comprehensive, if not critical, view of the way things are. Schmidt and Cohen have been everywhere on the ether and they have cyberjockeyed for decades to tell us stories that might be familiar but are still worth the effort of writing.

Third, it is a readable book. It doesn't require you to Telnet your way into obscure meaning sets in the history of computing. It is written for people who are still mystified not only about the past of the Net but also its future, and treads a surprisingly balanced ground in both directions. It is a book you can give to your grandmother, and she might be inspired to get herself a Facebook (or maybe a Google +) account.

But all said and done, I expected more. It is almost as if Schmidt and Cohen are sitting on a minefield of ideas which they want to hint at but don't yet want to share because they might be able to turn it into a new app for the Nexus instead. It is a book that could have been. It wasn't. It is ironic how silent the book is about the role that big corporations play in shaping our techno-futures, and the fact that it is printed on dead-tree books with closed licensing so I couldn't get a free copy online. For people claiming to build new and political futures, the fact that this wisdom could not come out in more accessible forms and formats, speaks a lot about how seriously we can take their views of the future.

This blog post written by Eduardo Bertoni was published in GlobalVoices on May 28, 2013. CIS has cross-posted this under the Creative Commons Licence.

Consider this scenario:

A public figure, let’s call her Senator X, enters her name into a search engine. The results surprise her — some of them make her angry because they come from Internet sites that she finds offensive. She believes that her reputation has been damaged by certain content within the search results and, consequently, that someone should pay for the personal damages inflicted.

Her lawyer recommends appealing to the search engine – the lawyer believes that the search engine should be held liable for the personal injury caused by the offensive content, even though the search engine did not create the content. The Senator is somewhat doubtful about this approach, as the search engine will also likely serve as a useful tool for her own self-promotion. After all, not all sites that appear in the search results are bothersome or offensive. Her lawyer explains that while results including her name will likely be difficult to find, the author of the offensive content should also be held liable. At that point, one option is to request that the search engine block any offensive sites related to the individual’s name from its searches. Yet the lawyer knows that this cannot be done without an official petition, which will require a judge’s intervention.

“We must go against everyone – authors, search engines – everyone!” the Senator will likely say. “Come on!” says the lawyer, “let's move forward.” However, it does not occur to either the Senator or the lawyer that there may be an alternative approach to that of classic courtroom litigation. The proposal I make here suggests a change to the standard approach – a change that requires technology to play an active role in the solution.

Who is liable?

The “going against everyone” approach poses a critical question: Who is legally liable for content that is available online? Authors of offensive content are typically seen as primarily liable. But should intermediaries such as search engines also be held liable for content created by others?

This last question raises a very specific, procedural question: Which intermediaries will be the subjects of scrutiny and viewed as liable in these types of situations? To answer this question, we must distinguish between intermediaries that provide Internet access (e.g. Internet service providers) and intermediaries that host content or offer content search functions. But what exactly is an ‘intermediary’? And how do we evaluate where an intermediary’s responsibility lies? It is also important to distinguish those intermediaries which simply connect individuals to the Internet from those that offer different services.

What kind of liability might an intermediary carry?

This brings us to the second step in the legal analysis of these situations: How do we determine which model we use in defining the responsibility of an intermediary? Various models have been debated in the past. Leading concepts include:

• strict liability, under which the intermediary must legally respond to all offensive content
• subjective liability, under which the intermediary’s response depends on what it has done and what it was or is aware of
• conditional liability – a variation on subjective liability – under which, if an intermediary was notified or advised that it was promoting or directing users to illegal content and did nothing in response, it is legally required to respond to the offensive content.

These three options for determining liability and responses to offensive online content have been included in certain legislation and have been used in judicial decisions by judges around the world. But not one of these three alternatives provides a perfect standard. As a result, experts continue to search for a definition of liability that will satisfy those who have a legitimate interest in preventing damages that result from offensive content online.

How are victims compensated?

Now let’s return to the example presented earlier. Consider the concept of Senator X’s “satisfaction.” In these types of situations, “satisfaction” is typically economic — the victim will sue for a certain amount of money in “damages”, and she can target anyone involved, including the intermediary.

Interestingly, in the offline world, alternatives have been found for victims of defamation: For example, the “right to reply” aims to aid anyone who feels that his or her reputation or honor has been damaged and allows individuals to explain their point of view.

We must also ask if the right to reply is or is not contradictory to freedom of expression. It is critical to recognize that freedom of expression is a human right recognized by international treaties; technology should be able to achieve a similar solution to issues of online defamation without putting freedom of expression at risk.

Solving the problem with technology

In an increasingly online world, we have unsuccessfully attempted to apply traditional judicial solutions to the problems faced by victims like Senator X. There have been many attempts to apply traditional standards because lawyers are accustomed to using in them in other situations. But why not change the approach and use technology to help “satisfy” the problem?

The idea of including technology as part of the solution, when it is also part of the problem, is not new. If we combine the possibilities that technology offers us today with the older idea of the right to reply, we could change the broader focus of the discussion.

My proposal is simple: some intermediaries (like search engines) should create a tool that allows anyone who feels that he or she is the victim of defamation and offensive online content to denounce and criticize the material on the sites where it appears. I believe that for victims, the ability to say something and to have their voices heard on the sites where others will come across the information in question will be much more satisfactory than a trial against the intermediaries, where the outcome is unknown.

This proposal would also help to limit regulations that impose liability on intermediaries such as search engines. This is important because many of the regulations that have been proposed are technologically impractical. Even when they can be implemented, they often result in censorship; requirements that force intermediaries to filter content regularly infringe on rights such as freedom of expression or access to information.

This proposal may not be easy to implement from a technical standpoint. But I hope it will encourage discussion about the issue, given that a tool like the one I have proposed, although with different characteristics, was once part of Google’s search engine (the tool, “Google Sidewiki” is now discontinued). It should be possible  improve upon this tool, adapt it, or do something completely new with the technology it was based on in order to help victims of defamation clarify their opinions and speak their minds about these issues, instead of relying on courts to impose censorship requirements on search engines. This tool could provide much greater satisfaction for victims and could help prevent the violation of the rights of others online as well.

Critics may argue that people will not read the disclaimers or statements written by “defamed” individuals and that the impact and spread of the offensive content will continue unfettered. But this is a cultural problem that will not be fixed by placing liability on intermediaries. As I explained before, the consequences of doing so can be unpredictable.

If we continue to rely on traditional regulatory means to solve these problems, we’ll continue to struggle with the undesirable results they can produce, chiefly increased controls on information and expression online. We should instead look to a technological solution as a viable alternative that cannot and should not be ignored.

Eduardo Bertoni is the Director of the Center for Studies on Freedom of Expression and Access to Information at Palermo University School of Law in Buenos Aires. He served as the Special Rapporteur for Freedom of Expression to the Organization of American States from 2002-2005.

Pranesh Prakash's column was published in the Economic Times on June 13, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).

Nothing Quite Private

The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.

US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.

Worse, Indian-Style

That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.

To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.

The law we currently have — sections 69 and 69B of the Information Technology Act — is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.

Keeping it Safe

Recent reports reveal India's secretive National Technical Research Organisation (NTRO) — created under an executive order and not accountable to Parliament — often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.

While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.

The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.

Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.

Click to download the Privacy Protection Bill, 2013 with latest amendments (PDF, 196 Kb).

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.

So it seems that transparency might not be too much to ask, but instead is perhaps more complicated of a request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”[1]

So we must unpack the idea of transparency.

First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?

Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was released that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones just from the Delhi region alone in 2005.[2]

But also there has been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found when through spying? Citizens must take all of this into consideration when requesting transparency.

Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.” [a] Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.[3]

Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook [a], Apple [b], Microsoft[c], and Google [d]) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14^th, “We have not received any national security orders of the type that Verizon was reported to have received.” [c] Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.

Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.

But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS[4] but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.[5]

Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the petition as an Indian agency is not involved.”[5][6]

The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.

For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.[7] India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong room to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.[8] It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.

The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.[5] If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.

Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will be operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of who citizens prefer spying over them.

Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impeding critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.[9] Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”[c]

[1]. http://digitaldueprocess.org/

[2]. http://bit.ly/151Ue1H

[3]. http://bit.ly/12XDb1Z

[4]. http://ti.me/11Xh08V

[5]. Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh [attached]

[6]. http://bit.ly/1aXWdbU

[7]. http://1.usa.gov/qafcXe

[8]. http://bit.ly/114hcCX

[9]. http://bit.ly/156wspI

[a]. Facebook Statement: http://bit.ly/ZQDcn6

[b]. Apple Statement: http://bit.ly/1akaBuN

[c]. Microsoft Statement:http://bit.ly/1bFIt31

[d]. Google Statement: http://bit.ly/16QlaqB

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

Note: The original tender document of the Assam Police dated 28.02.2013 along with other several other tender documents for procurement of Internet and Voice Monitoring Systems is attached as a zip folder.

As highlighted in the International Principles on the Application of Human Rights to Communications Surveillance, logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that in light of the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers make State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.[*] These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.

While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the Central Monitoring System (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.

Although information regarding the Central Monitoring System is quite limited on the public forum at the moment it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009 as indicated by the press release of the Ministry of Communications & Information. Implementation of the system started subsequently as indicated by another government press release and the Center for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT annual report 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. Media reports indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and wide gaps in procedure and law. Moreover, the lack of a concrete privacy legislation coupled with the absence of public discourse indicates the lack of interest of the state over the rights of an ordinary citizen. It is under these circumstances that awareness must first be brought regarding the risks of the mass surveillance on civil liberties which in the absence of established procedures protecting the rights of the citizens of the state can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.

The architecture and working of a proposed Internet Monitoring System must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse and a committed effort to preserve the rights of the citizens especially the right to privacy can be made while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.

Internet Monitoring System: Setup and Working
Very broadly, The Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server which includes all electronic correspondence (emails, chats or IM’s, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subject to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the central monitoring system still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the the specifications revealed in the Assam Police tender document for the procurement of an Internet Monitoring System.

Setup
The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises and the probes are installed at various tapping points within the entire ISP network.  A collection server is also installed and hosted at the site of the ISP. The collection server is used to either collect, analyze, filter or simple aggregate the data from the ISP servers and the data is transferred to a master aggregation server located a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.

The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps are of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.

Types of data
The proposed internet monitoring system of the Assam state can provide network traffic interception and a variety of internet protocols including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Session Initiation Protocol (SIP), Voice over Internet Protocol (VoIP) can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.).  The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address, routing address can be acquired along with the IP address and other details of the user.

Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed.  The system also allows capture of additional pages if updated; log periodical updates and other changes. This allows the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.

More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.

Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week.  However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.

Types of Analysis
The Internet Monitoring System apart from intercepting all the data generated through the Internet Service Providers is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers.  The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis, CDR analysis, timeline analysis and histogram based analysis from various sources.

The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, media reports, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content including comments and such can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.

Based on the information, the analysis supposed to provide the capability to identify suspicious behavior based on existing and new patterns as they emerge and are continuously applied to combine incoming and existing information on people, profiles, transactions, social network, type of websites visited, time spent on websites, type of content download or view and any other type of gatherable information. The solutions on the system are also supposed to create single or multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URL, packet route that may be defined from time to time and such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expression of joy, compassion and anger, which as may be defined by the agency depending on operational and intelligence requirement. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users.

Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created.  Further, real time visualization showing results from real-time data can be generated which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web-intelligence and open source intelligence and allow capabilities like simultaneous search capabilities which can be automated providing a powerful tool for exploration of the intercepted data.

Another important requirement mentioned in the tender document is the systems capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies including fixed line and Blackberry services and encrypted IP services like Skype services.

Conclusion
It is clear that a system like IMS with its extensive interception and analysis capabilities gives complete access to an agency or authority of all information that is accessed or transmitted by a person on the internet including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act.

The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who access the internet. Tools like deep packet inspection and extensive data mining solutions in the absence of concrete safeguards and when deployed through a centralized system can be misused to censor any content including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can also be sometimes misleading and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security. Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that the democratic values are persevered and not endangered by any act of reckless force.

Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to endure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.

[*]. http://necessaryandproportionate.net/#_edn2

This article by Pranesh Prakash was published in the New York Times on July 10, 2013.

After a colleague at the Centre for Internet and Society wrote about the program and it was lambasted by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own government’s surveillance programs.

In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.

This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies. No intelligence agency in India has been created under an act of Parliament with clearly established roles and limitations on powers, and hence there is no public accountability whatsoever.

The absence of accountability has meant that the government has since 2006 been working on the C.M.S., which will integrate with the Telephone Call Interception System that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to vast quantities of raw data traversing the Internet across multiple cities, including the data going through the undersea cables that land in Mumbai.

With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.

You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.

There are no laws that allow for mass surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.

Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety.  If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.

Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.

Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to the cellphone records of Arun Jaitley, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).

To put the ridiculousness of the penalty in Sections 69 and 69B of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secrets may be imprisoned up to three years. And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be up to one month’s imprisonment. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her constitutional right against self-incrimination. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.

As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)

Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”

Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)

In a landmark 1996 judgment, the Indian Supreme Court  held that telephone tapping is a serious invasion of an individual’s privacy and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.

Pranesh Prakash's article was published in the New York Times on July 11, 2013.

In fact, they will argue that the program, known as C.M.S., will better safeguard citizens’ privacy: it will cut out the telecommunications companies, which can be sources of privacy leaks; it will ensure that each interception request is tracked and the recorded content duly destroyed within six months as is required under the law; and it will enable quicker interception, which will save more lives. But there are a host of reasons why the citizens of India should be skeptical of those official claims.

Cutting out telecoms will not help protect citizens from electronic snooping since these companies still have the requisite infrastructure to conduct surveillance. As long as the infrastructure exists, telecom employees will misuse it. In a 2010 report, the journalist M.A. Arun noted that “alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization.” Some years back, K.K. Paul, a top Delhi Police officer and now the Governor of Meghalaya, drafted a memo in which he noted mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of “opponents in trade or estranged spouses.”

India does not need to have centralized interception facilities to have centralized tracking of interception requests. To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities.

At the moment, interception orders are given by the federal Home Secretary of India and by state home secretaries without adequate consideration. Every month at the federal level 7,000 to 9,000 phone taps are authorized or re-authorized. Even if it took just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests. The numbers in Indian states could be worse, but one can’t be certain as statistics on surveillance across India are not available. It indicates bureaucratic callousness and indifference toward following the procedure laid down in the Telegraph Act.

In a 1975 case, the Supreme Court held that an “economic emergency” may not amount to a “public emergency.” Yet we find that of the nine central government agencies empowered to conduct interception in India, according to press reports — Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency — three are exclusively dedicated to economic offenses.

Suspicion of tax evasion cannot legally justify a wiretap, which is why the government said it had believed that Nira Radia, a corporate lobbyist, was a spy when it defended putting a wiretap on her phone in 2008 and 2009. A 2011 report by the cabinet secretary pointed out that economic offenses might not be counted as “public emergencies,” and that the Central Board of Direct Taxes should not be empowered to intercept communications. Yet the tax department continues to be on the list of agencies empowered to conduct interceptions.

India has arrived at a scary juncture, where the multiple departments of the Indian government don’t even trust each other. India’s Department of Information Technology recently complained to the National Security Advisor that the National Technical Research Organization had hacked into National Informatics Center infrastructure and extracted sensitive data connected to various ministries. The National Technical Research Organization denied it had hacked into the servers but said hundreds of e-mail accounts of top government officials were compromised in 2012, including those of “the home secretary, the naval attaché to Tehran, several Indian missions abroad, top investigators of the Central Bureau of Investigation and the armed forces,” The Mint newspaper reported. Such incidents aggravate the fear that the Indian government might not be willing and able to protect the enormous amounts of information it is about to collect through the C.M.S.

Simply put, government entities have engaged in unofficial and illegal surveillance, and the C.M.S. is not likely to change this. In a 2010 article in Outlook, the journalist Saikat Datta described how various central and state intelligence organizations across India are illegally using off-the-air interception devices. “These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad,” Mr. Datta wrote. “The systems, mounted inside cars, are sent on ‘fishing expeditions,’ randomly tuning into conversations of citizens in a bid to track down terrorists.”

The National Technical Research Organization, which is not even on the list of entities authorized to conduct interception, is one of the largest surveillance organizations in India. The Mint reported last year that the organization’s surveillance devices, “contrary to norms, were deployed more often in the national capital than in border areas” and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. The organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which monumental amounts of Internet traffic are captured. In Mumbai, all the traffic passing through the undersea cables there is captured, Mr. Datta found.

In the western state of Gujarat, a recent investigation by Amitabh Pathak, the director general of police, revealed that in a period of less than six months, more than 90,000 requests were made for call detail records, including for the phones of senior police and civil service officers. This high a number could not possibly have been generated from criminal investigations alone. Again, these do not seem to have led to any criminal charges against any of the people whose records were obtained. The information seems to have been collected for purposes other than national security.

India is struggling to keep track of the location of its proliferating interception devices. More than 73,000 devices to intercept mobile phone calls have been imported into India since 2005. In 2011, the federal government asked various state governments, private corporations, the army and intelligence agencies to surrender these to the government, noting that usage of any such equipment for surveillance was illegal. We don’t know how many devices were actually turned in.

These kinds of violations of privacy can have very dangerous consequences. According to the former Intelligence Bureau head in the western state of Gujarat, R.B. Sreekumar, the call records of a mobile number used by Haren Pandya, the former Gujarat home minister, were used to confirm that it was he who had provided secret testimony to the Citizens’ Tribunal, which was conducting an independent investigation of the 2002 sectarian riots in the state. Mr. Pandya was murdered in 2003.

The limited efforts to make India’s intelligence agencies more accountable have gone nowhere. In 2012, the Planning Commission of India formed a group of experts under Justice A.P. Shah, a retired Chief Justice of the Delhi High Court, to look into existing projects of the government and to suggest principles to guide a privacy law in light of international experience. (Centre for Internet and Society, where I work was part of the group). However, the government has yet to introduce a bill to protect citizens’ privacy, even though the governmental and private sector violations of Indian citizens’ privacy is growing at an alarming rate.

In February, after frequent calls by privacy activists and lawyers for greater accountability and parliamentary oversight of intelligence agencies, the Centre for Public Interest Litigation filed a case in the Supreme Court. This would, one hopes, lead to reform.

Citizens must also demand that a strong Privacy Act be enacted. In 1991, the leak of a Central Bureau of Investigation report titled “Tapping of Politicians’ Phones” prompted the rights groups, People’s Union of Civil Liberties to file a writ petition, which eventually led to a Supreme Court of India ruling that recognized the right to privacy of communications for all citizens as part of the fundamental rights of freedom of speech and of life and personal liberty. However, through the 2008 amendments to the Information Technology Act, the IT Rules framed in 2011 and the telecom licenses, the government has greatly weakened the right to privacy as recognized by the Supreme Court. The damage must be undone through a strong privacy law that safeguards the privacy of Indian citizens against both the state and corporations. The law should not only provide legal procedures, but also ensure that the government should not employ technologies that erode legal procedures.

A strong privacy law should provide strong grounds on which to hold the National Security Advisor’s mass surveillance of Indians (over 12.1 billion pieces of intelligence in one month) as unlawful. The law should ensure that Parliament, and Indian citizens, are regularly provided information on the scale of surveillance across India, and the convictions resulting from that surveillance. Individuals whose communications metadata or content is monitored or intercepted should be told about it after the passage of a reasonable amount of time. After all, the data should only be gathered if it is to charge a person of committing a crime. If such charges are not being brought, the person should be told of the incursion into his or her privacy.

The privacy law should ensure that all surveillance follows the following principles: legitimacy (is the surveillance for a legitimate, democratic purpose?), necessity (is this necessary to further that purpose? does a less invasive means exist?), proportionality and harm minimization (is this the minimum level of intrusion into privacy?), specificity (is this surveillance order limited to a specific case?) transparency (is this intrusion into privacy recorded and also eventually revealed to the data subject?), purpose limitation (is the data collected only used for the stated purpose?), and independent oversight (is the surveillance reported to a legislative committee or a privacy commissioner, and are statistics kept on surveillance conducted and criminal prosecution filings?). Constitutional courts such as the Supreme Court of India or the High Courts in the Indian states should make such determinations. Citizens should have a right to civil and criminal remedies for violations of surveillance laws.

Indian citizens should also take greater care of their own privacy and safeguard the security of their communications. The solution is to minimize usage of mobile phones and to use anonymizing technologies and end-to-end encryption while communicating on the Internet. Free and open-source software like OpenPGP can make e-mails secure. Technologies like off-the-record messaging used in apps like ChatSecure and Pidgin chat conversations, TextSecure for text messages, HTTPS Everywhere and Virtual Private Networks can prevent Internet service providers from being able to snoop, and make Internet communications anonymous.

Indian government, and especially our intelligence agencies, violate Indian citizens’ privacy without legal authority on a routine basis. It is time India stops itself from sleepwalking into a surveillance state.

"The basic principle that I think we must continue to embrace is that rights online are the same as rights offline... The amount of information that is available online is so enormous that it would be easy for governments to abuse that information for all kinds of purposes... And we are at a stage right now where we are really experimenting with how much information the govt or law enforcement can take to ensure the rule of law." - Jochem de Groot

Centre for Internet and Society presents its seventh installment of the CIS Cybersecurity Series. 

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS interviews Jochem de Groot. Jochem has worked on the Netherlands government’s agenda to promote Internet freedom globally since 2009. He initiated and coordinated the founding conference of the Freedom Online Coalition in The Hague in December 2011, and advised the Kenyan government on the second Freedom Online event in Nairobi in 2012. Jochem represents the Dutch government in the EU, UN, OSCE and other multilateral fora, and oversees a project portfolio for promoting internet freedom globally.  

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Last year’s annual Best Practices Meet, sponsored by the Data Security Council of India (DSCI), was held in here in Bangalore, and featured CIS associates as panelists for an agenda focused mostly around mobility in technology. This year, the event was continued in nearby Chennai, where many of India’s top stakeholders in Cyber Security came together at the Hyatt hotel to discuss the modern cyber security landscape. Several of the key points of the day emphasized how the industry realm needed to be especially keen on Cyber Security today. Early speakers explained how many Cyber-Attacks occur as opportunistic attacks on financial institutions, and that these breaches often take months to be discovered, with the discovery usually being made by a third-party. For those reasons, it was repeatedly mentioned throughout the day that modern entities must anticipate attacks as inevitable, and prepare themselves to be able to respond and successfully bounce-back.

Several panelists of the event expanded upon the evolving challenges facing industries, and explained why service based industry continually grows more susceptible to Cyber-Attack. There were representatives from Microsoft, Flextronics, MyEasyDoc, and others, who explained how technological demands of modern consumers resulted inadvertently in weaker security. For example, with customers expecting real-time access to data rather than periodic data reports, i.e financial data reports, industries must now keep their data open, which weakens database security. Overall, the primary challenge faced by the industry was effectively summarized by Microsoft India CSO Ganapathi Subramaniam, stating that within web services, “Security and usability are inversely proportional.” Essentially, the more convenient a product, the less secure its infrastructure.

Despite discussion of the difficulties facing modern producers and consumers, there were undoubtedly highlights of optimism at the conference. A presentation by event sponsor Juniper Networks shed light on practices which combat Cyber-Attackers, including rerouting perceived Distributed Denial of Service (DDoS) attacks and finger-printing suspected hackers through a series of characteristics rather than just IP addresses (these characteristics include browser version, fonts, Add-Ons, time zone, and more). Notably, there was a call for cooperation on all fronts in combatting Cyber-crime, for public-private partnerships (PPP), and many citizens stood and spoke on the behalf of civil society’s incorporation in the process as well. One speaker, Retired Brig. Abhimanyu Ghosh admirably tore down sector divisions in the face of Cyber-Security threats, saying “We all want to secure ourselves. It is not a question of industry versus government, government versus industry. Government needs industry, and industry needs government.”

Finally, a few speakers used their opportunity at the conference to highlight issues related to rights and responsibilities of both citizens and government in internet. Nikhil Moro, a scholar at the Hindu Center for Politics and Public Policy, spoke at length about the urgent condition of laws which undermine freedom of speech and freedom of expression in India, especially within while online. His talk, which occurred near the end of the event, stirred the crowd to discussion, and helped remind the attendees of the comprehensiveness of issues which demand attention in the realm of a growing internet presence.

Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:

1. What activities and functions does the Finnish data commissioner's office undertake?

2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

3. How is the office of the Finnish data protection commissioner funded?

4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?

5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?

6. What challenges has your office faced?

7. What is the most common type of privacy violation that your office is faced with?

8. Does your office differ from other EU data protection commissioner offices?

9. How do you think data should be regulated in India?

10. Do you support the idea of co-regulation or self-regulation?

11. How can India protect its citizens' data when it is stored in foreign servers?

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The conference hosted by CII in the Hotel Hilton, was well attended, and featured a range of industry experts, researches and developers, and members of the Indian armed forces.

Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted areas for cyber-attacks, and its number of domestic internet users is known to be rapidly increasing in an age which many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practicing lawyer in Chennai, asked if India would wait until the "9/11 of cyberspace" occurrence before we establish the same level of precautionary measures online as it exists now in transportation security.

With the presence of both the government’s executive forces and the private industries, the aura circulating the conference room was that of a collective Indian defense, a secure nation only achieved through both secure governmental and industrial aspects. Similar to the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other cyber crimes which had pecuniary goals. For people seeking to avoid the array of scams and frauds online, some talks shared some of the most basic advice, like safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various hacking schemes, including tab-nabbing and Designated Denial of Service (DDoS) attacks, describing their tactics and how to moderate them.

In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. The speakers (all of them) showed how the world of cyber security was quickly evolving, and demonstrated the imperative in government and industry entities evolving their own practices and defenses in stride. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis in the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince that cyber security is neither a futile, nor completely infallible concept. As CISCO Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of  its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

Nishant Shah's column was published in Down to Earth on July 17, 2013.

It took less than a day for narendramodiplans.com, a political satire website that had more than 60,000 hits in the 20 hours of its existence, to be taken down. A simple webpage that showed a smiling picture of Narendra Modi, the touted candidate for India’s next Prime Ministerial campaign, flashing his now trademark ‘V’ for Vengeance Victory sign. At the first glimpse it looked like another smart media campaign by the net-savvy minister who has already made use of the social web quite effectively, to connect with his constituencies and influence the younger voting population in the country. Below the image of Mr. Modi was a text that said, "For a detailed explanation of how Mr. Narendra Modi plans to run the nation if elected to the house as a Prime Minister and also for his view/perspective on 2002 riots please click the link below." The button, reminiscent of 'sale' signs on shops that offer permanent discounts, promised to reveal, for once and for all, the puppy plight of Mr. Modi's politics and his plans for the country that he seeks to lead.

However, when one tried to click on the button, hoping, at least for a manifesto that combined the powers of Machiavelli with the sinister beauty of Kafka, it proved to be an impossible task. The button wiggled, and jiggled, and slithered all over the page, running away from the mouse following it. Referencing the layers of evasive answers, the engineered Public Relations campaigns that try to obfuscate the history to some of the most pointed questions that have been posited to the Modi government through judicial and public forums, the button never stayed still enough to actually reveal the promised answers. For people who are familiar with the history of such political satire and protest online would immediately recognise that this wasn’t the most original of ideas. In fact, it was borrowed from another website - http://www.thepmlnvision.com/ that levelled similar accusations of lack of transparency and accountability on the part of Nawaz Sharif of Pakistan. Another instance, which is now also shut down, had a similar deployment where the webpage claimed to give a comprehensive view into Rahul Gandhi’s achievements, to question his proclaimed intentions of being the next prime-minister. In short, this is an internet meme, where a simple web page and a java script allowed for a critical commentary on the future of the next elections and the strengthening battle between #feku and #pappu that has already taken epic proportions on Twitter.

The early demise of these two websites (please do note, when you click on the links that the Nawaz Sharif website is still working) warns us of the tightening noose around freedom of speech and expression that politicos are responsible for in India. It has been a dreary last couple of years already, with the passing of the Intermediaries Liabilities Rules as an amendment to the IT Act of India, Dr. Sibal proposing to pre-censor the social web in a quest to save the face of erring political figures, teenagers being arrested for voicing political dissent, and artists being prosecuted for exercising their rights to question the state of governance in our country. Despite battles to keep the web an open space that embodies the democratic potentials and the constitutional rights of freedom of speech and expression in the country, it has been a losing fight to keep up with the ad hoc and dictatorial mandates that seem to govern the web.

Above is a screen shot from narendramodiplans.com website

We have no indication of why this latest piece of satirical expression, which should be granted immunity as a work of art, if not as an individual’s right to free speech, was suddenly taken down. The website now has a message that says, “I quit. In a country with freedom of speech, I assumed that I was allowed to make decent satire on any politician more particularly if it is constructive. Clearly, I was wrong.” The web is already abuzz with conspiracy theories, each sounding scarier than the other because they seem so plausible and possible in a country that has easily sacrificed our right to free speech and expression at the altar of political egos. And whether you subscribe to any of the theories or not, whether your sympathies lie with the BJP or with the UPA, whether or not you approve of the political directions that the country seems to be headed in, there is no doubt that you should be as agitated as I am, about the fact that we are in a fast-car to blanket censorship, and we are going there in style.

What happens online is not just about this one website or the one person or the one political party – it is a reflection on the rising surveillance and bully state that presumes that making voices (and sometimes people) invisible, is enough to resolve the problems that they create. And what happens on the web is soon going to also affect the ways in which we live our everyday lives. So the next time, you call some friends over for dinner, and then sit arguing about the state of politics in the country, make sure your windows are all shut, you are wearing tin-foil hats and if possible, direct all conversations to the task of finally finding Mamta Kulkarni. Because anything else that you say might either be censored or land you in a soup, and the only recourse you might have would be a website that shows the glorious political figures of the country, with a sign that says “To defend your right to free speech and expression, please click here”. And you know that you are never going to be able to click on that sign. Ever.

"Most consumers don't understand the privacy trade offs when they browse the web... the data that is being collected about them, the analytics that is being run against their buying behaviour, it is invisible... it is behind the scenes... and so it is very difficult for the consumer to make an informed decision." - Jeff Moss, Chief Security Officer, ICANN.

Centre for Internet and Society presents its eighth installment of the CIS Cybersecurity Series. 

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS interviews Jeff Moss. Jeff is the chief security officer for ICANN. He founded Black Hat Briefings and DEF CON, two of the most influential information security conferences in the world. In 2009, Jeff was sworn in as a member of the U.S. Department of Homeland Security Advisory Council (DHS HSAC), providing advice and recommendations to the Secretary of the Department of Homeland Security on matters related to domestic security.   

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of seven multi-stakeholder round table meetings on “privacy” from April 2013 to October 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the seven Privacy Round Table meetings are enlisted below:

1. New Delhi Roundtable: 13 April 2013

2. Bangalore Roundtable: 20 April 2013

3. Chennai Roundtable: 18 May 2013

4. Mumbai Roundtable: 15 June 2013

5. Kolkata Roundtable: 13 July 2013

6. New Delhi Roundtable: 24 August 2013

7. New Delhi Final Roundtable and National Meeting: 19 October 2013

Following the first four Privacy Round Tables in Delhi, Bangalore, Chennai and Mumbai, this report entails an overview of the discussions and recommendations of the fifth Privacy Round Table meeting in Kolkata, on 13th July 2013.

Presentation by Mr. Reijo Aarnio – Finnish Data Protection Ombudsman

The fifth Privacy Round Table meeting began with a presentation by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman. In particular, Mr. Aarnio initiated his presentation by distinguishing privacy and data protection and by emphasizing the need to protect both equally within a legal framework. Mr. Aarnio proceeded by highlighting that 96 percent of the Finnish community believes that data protection is necessary, especially since it is considered to play an essential role in the enhancement of the self-determination of the individual. Fuerthermore, Mr. Aarnio pointed out that the right to privacy in Finland in guaranteed under section 10 of the Finnish constitution.

The Finnish Data Protection Ombudsman argued that in order for India to gain European data protection adequacy, the implementation of a regulation for data protection in the country is a necessary prerequisite. Mr. Aarnio argued that although the draft Privacy (Protection) Bill 2013 provides a decisive step in regulating the use of data, the interception of communications and surveillance in India, it lacks in defining the data controller and the data subject, both of which should be legally specified.

In order to support his argument that India needs privacy legislation, the Ombudsman clarified the term “data protection” by stating that it relates to the following:

• individual autonomy

• the right to know

• the right to live without undue interference

• the right to be evaluated on the basis of correct and relevant information

• the right to know the criteria automatic decision-making systems are based on

• the right to trust data security

• the right to receive assistance from independent authorities

• the right to be treated in accordance with all other basic rights in a democracy

• the right to have access to public documents

• the freedom of speech

In addition to the above, Mr. Aarnio argued that the reason why data protection is important is because it ensures the respect for human dignity, individual autonomy and honor.

The Finnish Data Protection Ombudsman gave a brief overview of the development and history of data protection, by citing the oathe of Hippokrates, the Great Revolutions and World War II, all throughout which data protection has gained increased significance. Mr. Aarnio pointed out that as a result of the development and proliferation of technology, societies have evolved and that data protection is a major component of the contemporary Information Society. The Ombudsman stated that in the Information Society, information is money and open data and big data are products which are being commercialised and commodified. Hence, in order to ensure that human rights are not commericalised and commodified in the process, it is necessary to establish legal safeguards which can prevent potential abuse.

Article 8 of the European Charter of Fundamental Rights guarantees the protection of personal data. Mr. Aarnio argued that the Parliament is the most important data protection authority in Europe and that privacy is legally guaranteed on three levels:

• Protection of personal life: The Criminal Code (chapter 24) addresses and protects freedom of speech and secrecy regulations

• Communication: Protection of content and traffic data

• Data Protection: The Personal Data Act creates Right to Know and to affect/impact, the right to organise one's personal life, automatic processing of personal data and maintenance of register

The Ombudsman also referred to the Directive 95/46/EC of the European Parliament of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Mr. Aarnio argued that in the contemporary ecosystem of the Information Society, countries need “Privacy by Design”, which entails the description of the processing of personal data and the evaluation of its lawfulness. In particular, the purpose for the collection and processing of data should be legally defined, as well as whether such data will be shared with third parties, disclosed and/or retained. The Ombudsman argued that India needs to define its data controllers and to legally specify their roles, in order to ensure that the management of data does not result in the infringement upon the right to privacy and other human rights.

The Finnish Data Protection Ombudsman concluded his presentation by stating that data security is not only a technological matter, but also – and in some cases, mostly – a legal issue, which is why India should enact the draft Privacy (Protection) Bill 2013.

Discussion of the draft Privacy (Protection) Bill 2013

Chapter I: Definitions

The discussion of the draft Privacy (Protection) Bill 2013 commenced with a debate on whether such a Bill is necessary at all, given that section 43 of the IT Act is considered (by participants at the round table) to regulate the protection of data. It was pointed out that although section 43 of the Information Technology Act provides some rules for data protection, the Committee has stated that these rules are inadequate. In particular, India currently lacks statutory provisions dealing with data protection and rules are inadequate because they are subject to parliamentary debate, and the Parliament does not have the right to vote on rules. The Parliament does not have the right to amend rules, which means that it does not have the right to amend the rules on data protection under the IT Act. Since the rules under section 43 of the IT Act are not subject to parliamentary review, India needs a seperate privacy statutue. Hence, the round table reached a consensus on the discussion of the draft Privacy (Protection) Bill 2013.

Personal data is defined in the draft Privacy (Protection) Bill 2013 as any data which relates to a natural person, while sensitive personal data is defined as a subset of personal data, such as biometric data, medical history, sexual preference, political affiliation and criminal history. It was pointed out that race, religion and caste are not included in the Bill's definition for sensitive personal data because the Government of India refuses to acknowledge these types of information as personal data. According to the Government, the collection of such data is routine and there have been no cases when such data has been breached, which is why race, religion and caste should not be included in the definition for sensitive personal information. However, the last caste sensus took place in 1931 and since then there has been no caste sensus, because it is considered to be a sensitive issue. This contradictory fact to the government's position was pointed out during the round table meeting.

A participant argued that financial information should be included within the definition for sensitive personal data. This was countered by a participant who argued that India has the Credit Information Companies Act which covers credit information and sets out specific information for the protection of credit data by banks and relevant companies. Yet the question of whether general financial information should be included in the definition for sensitive personal data was further discussed, and many participants supported its inclusion in the definition.

The question of whether IP addresses should be included in the definition for personal data was raised. The response to this question was that IP addresses should be included in the definition since they relate to the identification of a natural person. However, the question of whether a specific IP address is considered personal data, as many individuals use the Web through the same IP address, remained unclear. Other participants raised the question of whether unborn humans and deceased persons should have privacy rights. The response to this was that in India, only the court can decide if a deceased person can have the right to privacy.

The controversy between the UID project and the protection of biometric data under the definition for sensitive personal information was discussed in the round table. In particular, it was pointed out that because the UID scheme requires the mass biometric collection in India is contradictory to the protection of such data under the Bill. As the UID scheme remains unregulated, it is unclear who will have access to the biometric data, who it will be shared with, whether it will be disclosed and retained and if so, for how long. All the questions which revolve around the implementation of the UID scheme and the use of the biometric data collected raise concerns in regards to what extent such data can realistically be protected under privacy legislation.

On this note, a participant mentioned that under EU regulation, an ID number is included in the definition for sensitive personal information and it was recommended that the same is added in India's draft Privacy (Protection) Bill 2013. Furthermore, a participant recommended that fingerprints are also included in the definition for sensitive personal data, especially in light of the NPR and UID scheme.

A participant argued that passwords should also be included in the definition for sensitive personal data, as well as private keys which are used for encryption and decryption. It was pointed out that section 69 of the IT Act requires the disclosure of encryption keys upon the request from authorities, which potentially can lead to the violation of privacy and other human rights. Hence the significance of protecting passwords and encryption keys which can safeguard data was highly emphasized and it was argued that they should definitely be included in the definition for sensitive personal data. This position was countered by a participant who argued that the Government of India should have access to private encyrption keys for national security purposes.

On the definition of sensitive personal data, it was emphasized that this term should relate to all data which can be used for discrimination, which is why it needs to be protected. It was further emphasized that it took Europe twelve years to reach a definition for personal data, which is why India still needs to look at the issue in depth and encounter all the possible violations which may potentially occur from the non-regulation of various types of data. Most participants agreed that financial information, passwords and private encryption keys should be added in the definition for sensitive personal data.

The fifth round table entailed a debate on whether political affiliation should be included in the definition for sensitive personal data. In particular, one participant argued that political parties disclose the names of their members and that in many cases they are required to do in order to show their source of income. Hence, it was argued that political affiliation should not be included in the definition for sensitive personal data, since it is not realistic to expect political parties to protect their members' privacy. This was countered by other participants who argued that anonymity in political communications is important, especially when an individual is in a minority position, which is why the term political affiliation should be included in the definition for sensitive personal data.

The discussion on the definitions in the draft Privacy (Protection) Bill 2013 concluded with comments that the definiton for surveillance is very exclusive of many types of surveillance. In particular, it was argued that the definition for surveillance does not appear to cover artificial intelligence, screen shots and various other forms of surveillance, all of which should be regulated.

Chapter II: Right to Privacy

Section 4 of the draft Privacy (Protection) Bill 2013 states that all natural persons have a right to privacy. Section 5 of the Bill includes exemptions to the right to privacy. On this note, it was pointed out that during the round table that there is no universal definition of privacy and thus it is challenging to define the term and to regulate it. Furthermore, the rapid pace at which technology is proliferating was emphasized, along with its impact on the right to privacy. For example, it was mentioned that emails were not covered by privacy legislation in the past, but this needs to be amended accordingly. The European Data Protection Directive was established in 1995 and does not regulate many privacy issues which arise through the Internet, which is why it is currently being reviewed. Similarily, it was argued that privacy legislation in India should encompass provisions for potential data breaches which may occur through the Internet and various forms of technology.

A participant argued that the draft Privacy (Protection) Bill 2013 should include provisions for data subjects, which enable them to address their rights. In particular, it was argued that data subjects should have the right to access information collected and retained about them and that they should have the right to make corrections. The reponse to this comment was that the Bill may be split into two seperate Bills, where the one would regulate data protection and the other would regulate the interception of communications and surveillance, while the data subject would be addressed extensively. Furthermore, participants raised questions of how to define the data controller and the data subjects within the Indian context.

Other questions which were raised during the round table included whether spam should be addressed by the Bill. Several participants argued that spam should not be regulated, as it is not necessarily harmful to data subjects. Other participants argued that the isse of access to data should be addressed prior to the definition of privacy. Another argument was that commerical surveillance should not be conducted within restrictions, which is why it should not be inlcuded in the exemptions to the right to privacy. It was also pointed out that residential surveillance should be allowed, as long as the cameras are pointed inwards and do not capture footage of third parties outside of a residence. On this note, it was argued that surveillance in the work place should also be exempted from the right to privacy, as that too can be considered the private property of the owner. Moreover, it was emphasized that the surveillance of specific categories of people should also be excluded from the exemptions to the right to privacy.

A participant argued that in some cases, NGOs may be collecting information for some “beneficial purpose” and that such cases should be excluded from the exemptions to the right to privacy. Other participants argued that in many cases, data needs to be collected for market research and that the Bill should regulate what applies in such cases. All such arguments were countered by a participant, who argued that Section 5 of the Bill on the exemptions to the right to privacy should be deleted, as it creates to many complications. This recommendation was backed up by the example of a husband capturing a photograph of his wife and then publishing the image without her consent.

During this discussion, a participant raised the question of to what extent the right to privacy applies to minors. This question was supported by the example of Facebook, where many minors have profiles but the extent to which this data is protected remains ambiguous. Furthermore, it was pointed out that it remains unclear whether privacy legislation can practically safeguard minors who choose to share their data online. A participant responded to these concerns by stating that Facebook is a data controller and has to comply with privacy law to protect its customers' data. It was pointed out that it does not matter if the data controller is a company or an NGO; in every case, the data controller is obliged to comply with data protection law and regulations.

Furthermore, it was pointed out that Facebook allows for minors aged 13 to create a profile, while it remains unclear how minors can enforce their privacy rights. In particular, it remains unclear how the mediated collection of minors' data can be regulated and it was recommended that this is addressed by the Bill. A participant replied to this by stating that Indian laws rule in favour of minors, but that this simultaneously remains a grey area. In particular, it was pointed out that rules under section 43 of the Information Technology (IT) Act cover Internet access by minors, but this still remains an unclear area which needs further debate and analysis.

The question which prevailed at the end of the discussion of Chapter 2 of the Bill was on the social media and minors, and on how minors' data can be protected when it is being published immediately through the social media, such as Facebook. Furthermore, it was recommended that the Bill addresses the practical operationalisation of the right to privacy within the Indian context.

Chapter III: Protection of Personal Data

The discussion of Chapter 3 of the draft Privacy (Protection) Bill 2013 on the protection of personal data commenced with a reference to the nine privacy principles of the Justice AP Shah Justice Committee. The significance of the principles of notice and consent were outlined, as it was argued that individuals should have the right to be informed about the data collected about them, as well as to have the rigt to access such data and make possible corrections.

Collection of Personal Data

The discussion on the collection of personal data (as outlined in Section 6 of Chapter 3 of the Bill) commenced with a participant arguing that a company seeking to collect personal data should always have a stated function. In particular, a company selling technological products or services should not collect biometric data, for example, unless it serves a specified function. It was pointed out that data collection should be restricted to the specified purposes. For example, a hospital should be able to collect medical data because it relates to its stated function, but an online company which provides services should not be eligible to collect such data, as it deviates from its stated function.

During the discussion, it was emphasized that individuals should have the right to be informed when their data is being collected, which data is being collected, the conditions for the disclosure of such data and everything else that revolves around the use of their data once it has been collected. However, a participant questioned whether it is practically feasible for individuals to provide consent to the collection of their data every time it is being collected, especially since the privacy policies of companies keep changing. Moreover, it was questioned whether companies can or should resume the consent of their customers once their privacy policy has changed. On this note, a participant argued that companies should be obliged to notify their customers every time their privacy policy changes and every time the purpose behind their data collection changes.

On the issue of consent for data collection, a participant argued that individuals should have the right to withdraw their consent, even after their data has been collected and in such cases, such data should be destroyed. This was countered by another participant who argued that it is not realistic to expect companies to acquire individual consent every time the purpose behind data collection changes, nor is it feasible to allow for the withdrawal of consent without probable cause.

The issue of indirect consent to the collection of personal data was raised and, in particular, several participants argued that the Bill should have provisions which would regulate circumstances where indirect consent can be obtained for the collection of personal data. Furthermore, it was emphasized that the Bill should also include a notice for all potential purposes of data collection which may arise in the future; if the purpose for data collection changes based on conditions specified, then companies should not be mandated to notify individuals. Moreover, a participant argued that the Bill should include provisions which would enable individuals to opt-in and/or opt-out from data collection.

On the issue of consent, it was further outlined that consent provides a legitimate purpose to process data and that the data subject should have the right to be informed prior to the collection of his or her data. However, it was emphasized that the draft Privacy (Protection) Bill 2013 is a very strict regulation, as consent cannot always be acquired prior to data collection, because there are many cases where this is not practically feasible. It was pointed out that in the European Data Protection Directive, it is clear that consent cannot always be acquired prior to data collection. The example of medical cases was mentioned, as patients may not always be capable to provide consent to data collection which may be necessary.

In particular, it was highlighted that the European Data Protection Directive includes provisions for the processing of personal data, as well as exceptions for when consent is not required prior to data collection. The Directive guarantees the legitimate interest of the data controller and data processing is based upon the provisions of privacy legislation. The outsourcing of data is regulated in the European Union, and it was recommended that India regulates it too. Following this comment, it was stated that the recent leaks on the NSA's surveillance raise the issue of non-consentual state collection of data and non-consentual private disclosure of data and a brief debate revolved around these issues in the round table.

On the issue of mediated data collection, the situations in which collected data is mediated by third parties was analysed. It was recommended that the law is flexible to address the various types of cases when collected data is mediated, such as when a guardian needs to handle and take decisions for data of a mentally disabled person being collected. However, it was pointed out that mediated data collection should be addressed sectorally, as a doctor, for example, would address mediated data in a different manner than a company. It was emphasized that specific cases – such a parent taking a mediated decision on the data collection of his or her child – should be enabled, whereas all other cases should be prohibited. Thus it was recommended that language to address the mediated collection of data should be included in the Bill.

A participant raised the question of whether there should be seperate laws for the private collection of data and state collection of data. It was mentioned that this is the case in Canada. Another question which was raised was what happens when state collectors hire private contractors. The UID was brought as an example of state collection of data, while private contractors have been hired and are involved in the process of data collection. This could potentially enable the collection and access of data by unauthorised third parties, to which individuals may have not given their consent to. Thus it was strongly recommended that the Bill addresses such cases and prevents unauthorised collection and access of data.

The discussion on the collection of personal data ended with an interesting test case study for privacy: should the media have the right to disclose individuals' personal data? A debate revolved around this question and participants recommended that the Bill regulates the collection, processing, sharing, disclosure and retention of personal data by the media.

Retention of Personal Data

The discussion on the retention of personal data commenced with the statement that there are various exceptions to the retention of data in India, which are outlined in various court cases. It was pointed out that data should be retained in compliance with the law, but this is problematic as, in various occasions, a verbal order by a policeman can be considered adequate, but this can potentially increase the probability for abuse. A question which was raised was whether an Act of Parliament should allow for the long term storage of data, especially when there is inadequate data to support its long-term retention. It was pointed out that in some cases there are laws which allow for the storage of data for up to ten years, without the knowledge – let alone the consent – of the individual. Thus, the issue of data retention in India remains vague and should be addressed by the draft Privacy (Protection) Bill 2013.

Questions were raised on the duration of data retention periods and on whether there should be one general data retention law or several sectoral data retention laws. The participants disagreed on whether an Act of Parliament should regulate data retention or whether data retention should be regulated by sectoral authorities. A participant recommended “privacy by design” and stated that the question of data retention should be addressed by data controllers. Other participants raised the question of purpose limitation, especially for cases when data is being re-retained after the end of its retention period. A participant recommended that requirements for the anonymisation of data once it has exceeed its retention period should be established. However, this proposal was countered by participants who argued that the pracitcal enforcement of the anonymisation of retained data is not feasible within India.

Destruction of Personal Data

The retention of personal data can be prevented once data has been destroyed. However, participants argued that various types of data are being collected through surveillance products which are controlled by private parties. In such cases, it was argued that it remains unclear how it will be verified that data has indeed being destroyed.

A participant argued that the main problem with data destruction is that even if data has been deleted, it can be retrieved up to seven times; thus the question which arises is how can individuals know if their data has been permanently destroyed, or if it is being secretly retrieved. Questions were raised on how the permanent retention of data can be prevented, especially when even deleted data can be retrieved. Hence it was recommended that information security experts cooperate with data controllers and the Privacy Commissioner, to ensure that data is permanently destroyed and/or that data is not being accessed after the end of its retention period. Such experts would ensure that data is actually being destroyed.

Another participant pointed out the difference between the wiping of data and the deletion of data. In particular, the participant argued that data is being deleted when it is being overwritten by other data, and can potentially be recovered. Wiping of data, on the other hand, involves the wiping out of data which can never be recovered. The participant recommended that the Bill explicitly states that data is wiped out in order to ensure that data is not being indirectly retained.

Processing of Personal Data

The dicsussion on the processing of personal data began with the question of national archives. In particular, participants argued that if the processing of data is strictly regulated, that would restrict access to national archives and the draft Privacy (Protection) Bill 2013 should address this issue.

Questions were raised on the non-consentual processing of personal data and on how individual consent should be acquired prior to the processing of personal data. It was pointed out that the Article 29 Working Party has published an Opinion on purpose limitation with regards to data processing and it was recommended that a similar approach is adopted in India.

Furthermore, it was stated that IT companies are processing data from the EU and the U.S., but it remains unclear how individual consent can be obtained in such cases. A debate evolved on how to bind foreign data processors to meet the data requirements of India, as a minimum prerequisite to ensure that outsourced data is not breached. In light of the Edward Snowden leaks of NSA surveillance, many questions were raised on how Indian data outsourced and stored abroad can be protected.

It was highlighted during the round table that all data processing in India requires certification, but since the enforceability of the contracts relies on individuals, this raises issues of data security. Moreover, questions were raised on how Indian companies can protect the data of their foreign data subjects. Thus, it was recommended that the processing of data is strictly regulated through the draft Privacy (Protection) Bill 2013 to ensure that outsourced data and data processed in the country is not breached.

Security of Personal Data

On the issue of data security, the participants argued that the data subject should always be informed in cases when the confidentiality of their personal data is violated. Confidentiality is usually contractually limited, whereas secrecy is not, which is why both terms are included in the draft Privacy (Protection) Bill 2013. In particular, secrecy is usually used for public information, whereas confidentiality is not.

Participants argued that the Bill should include restrictions on the media, in order to ensure that the confidentiality and integrity of their sources' data is preserved. Several participants stated that the Bill should also include provisions for whistleblowers which would provide security and confidentiality for their data. The participants of the round table engaged in a debate on whether the media should be strictly regulated in order to ensure the confidentiality of their sources' data. On the one hand, it was argued that numerous data breaches have occured as a result of the media mishandling their sources' data. On the other hand, it was stated that all duties of secrecy are subject to the public interest, which is why the media reports on them and which is why the media should not be restricted.

Disclosure of Personal Data

The discussion on the disclosure of personal data commenced with participants pointing out that the draft Privacy (Protection) Bill 2013 does not include requirements for consent prior to the disclosure of personal data, which may potentially lead to abuse. Questions were raised on the outsourcing of Indian data abroad and on the consequences of its foreign disclosure. Once data is outsourced, it remains unclear how the lawful disclosure or non-disclosure of data can be preserved, which is why it was recommended that the Bill addresses such issues.

A participant argued that there is a binding relationship between the data controller and the data subject and that disclosure should be regulated on a contractual level. Another participant raised the question of enforcement: How can regulations on the disclosure of personal data be enforced? The response to this question was that the law should focus on the data controller and that when Indian data is being outsourced abroad, the Indian data controller should ensure that the data subjects' data is not breached. However, other participants raised the question of how data can be protected when it is outsourced to countries where the rule of law is not strong and when the country is considered inadequate in terms of data protection.

With an increased transnational flow of information, questions arise on how individuals can protect their information. A participant recommended that it should be mandatory for companies to state in their contracts who they are outsourcing data to and whether such data will be disclosed to third parties. However, this proposal as countered by a participant who argued that even if this was inforced, it is still not possible to enforce the rights of an Indian data subject in a country which does not have a strong rule of law or which generally has weak legislation. A specific example was mentioned, where E.G. Infosys and Wipro Singapore have a contractual agreement and Indian data is outsourced. It was pointed out that if such data is breached, it remains unclear if the individual should address this issue to Wipro India, as well as which law should apply in this case and whether companies should be liable.

A participant suggested that the data controller discloses data without having acquired prior consent, if the Government of India requests it. However, this was countered by a participant who argued that even in such a case, the question of regulating access to data still remains. Other participants argued that the Right to Information Act has been misused and that too much information is currently being disclosed. It was recommended that the Right to Information Act is amended and that the Bill includes strict regulations for the disclosure of personal data.

Meeting Conclusion

The fifth Privacy Round Table meeting commenced with a presentation on privacy and data protection by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, and proceeded with a discussion of the draft Privacy (Protection) Bill 2013. The participants engaged in a heated debate and provided recommendations for the definitions used in the Bill, as well as for the regulation of data protection. The recommendations for the improvement of the draft Privacy (Protection) Bill 2013 will be considered and incorporated in the final draft.