On November 26, 2013, the United Nations adopted a non-binding resolution on The Right to Privacy in the Digital Age. The resolution was drafted by Brazil and Germany and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to privacy extending equally to citizens and non-citizens of a country. The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.

The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the Central Monitoring System, should take cognizance of, including in short:

1. Privacy is a human right: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence.
2. Privacy is integral to the right to free expression: an integral component in recognizing the right to freedom of expression.
3. Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression.
4. Exceptions to privacy and freedom of expression should be in compliance with human rights law: Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law.
5. Mass surveillance may have negative implications for human rights: Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights.
6. Equal protection for online and offline privacy: The right to privacy must be equally protected online and offline.

The resolution further called upon states to:

1. Respect and protect the right to privacy, particularly in the context of digital communications.
2. To ensure that relevant legislation is in compliance with international human rights law
3. To review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.
4. To establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.

The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.

The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extra territorial surveillance. The Centre for Internet and Society encourages the Government of India to, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.

Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGO’s developed the Necessary and Proportionate principles that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles.  The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access.  A petition to sign onto the principles and demand an end to mass surveillance is currently underway.

Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.

 

Dr. Nishant Shah's article was originally published in the Indian Express on October 27.

---

If you are a part of any social networking site, then you know that privacy is something to be concerned about. We put out an incredible amount of personal data on our social networks. Pictures with family and friends, intimate details about our ongoing drama with the people around us, medical histories, and our spur-of-the-moment thoughts of what inspires, peeves or aggravates us. In all this, the more savvy use filters and group settings which give them some semblance of control about who has access to this information and what can be done with it.

But it is now a given that in the world of the worldwide web, privacy is more or less a thing of the past. Data transmits. Information flows. What you share with one person immediately gets shared with thousands. Even though you might make your stuff accessible to a handful of people, the social networks work through a "friend-of-a-friend effect", where others in your networks use, like, share and spread your information around so that there is an almost unimaginable audience to the private drama of our lives. Which is why there is a need for a growing conversation about what being private in the world of big data means.

Privacy is about having control over the data and some ownership about who can use it and for what purpose. Interface designs and filters that allow limited access help this process. The legal structures are catching up with regulations that control what individuals, entities, governments and corporations can do with the data we provide. However, most people think of privacy as a private matter. Just look at last month's conversations around Facebook's new privacy policies, which no longer allow you to hide. If you are on Facebook, people can find you using all kinds of parameters — meta data — other than just your name. They might find you through hobbies, pages you like, schools you have studied in, etc. This can be scary because it means that based on particular activities, people can profile and follow you. Especially for people in precarious communities — the young adults, queer people who might not be ready to be out of the closet, women who already face increased misogyny and hostility online. This means they are officially entering a stalkers' paradise.

While those concerns need to be addressed, there is something that seems to be missing from the debate. Almost all of these privacy alarms are about what people can do to people. That we need to protect ourselves from people, when we are in public — digital or otherwise. We are reminded that the world is filled with predators, crackers and scamsters, who can prey on our personal data and create physical, emotional, social and financial havoc. But this is the world we already know. We live in a universe filled with perils and we have learned and coped with the fact that we navigate through dangerous spaces, times and people all the time. The digital is no different than the physical when it comes to the possible perils that we live in, though digital might facilitate some kinds of behaviour and make data-stalking easier.

What is different with the individualised, just-for-you crafted world of the social web is that there are things which are not human, which are interacting with you in unprecedented ways. Make a list of the top five people you interact with on Facebook. And you will be wrong. Because the thing that you interact with the most on Facebook, is Facebook. Look at the amount of chatter it creates — How are you feeling today?; Your friend has updated their status; Somebody liked your comment… the list goes on. In fact, much as we would like to imagine a world that revolves around us, we know that there are a very few people who have the energy and resources to keep track of everything we do. However, no matter how boring your status message or how pedestrian your activity, deep down in a server somewhere, an artificial algorithm is keeping track of everything that you do. Facebook is always listening, and watching, and creating a profile of you. People might forget, skip, miss or move on, but Facebook will listen, and remember long after you have forgotten.

If this is indeed the case, we need to think of privacy in different ways — not only as something that happens between people, but between people and other entities like corporations. The next time there is a change in the policy that makes us more accessible to others, we should pay attention. But what we need to be more concerned about are the private corporations, data miners and information gatherers, who make themselves invisible and collect our personal data as we get into the habit of talking to platforms, gadgets and technologies.

Dr. Nishant Shah's article was published in the Indian Express on November 24, 2013.

---

I am making a list of all the platforms that I use to connect with the large networks that I belong to. Here goes: I use Yahoo! Messenger to talk to my friends in east Asia. Most of my work meetings happen on Skype and Google Hangout. A lot of friendly chatter fills up my Facebook Messenger. Twitter is always available for a little back-chat and bitching. On the phone, I use Viber to make VoIP calls and WhatsApp is the space for unending conversations spread across days. And these are just the spaces for real-time conversation. Across all these platforms, something strange is happening. As I stay connected all the time, I am facing a phenomenon where we have run out of things to say, but not the desire to talk.

I had these three conversations today on three different instant-messaging platforms:

Person 1 (on WhatsApp): Hi.

Me: Hey, good to hear from you. How are you doing?

Person 1: Good.

Me (after considerable silence): So what's up?

Person 1: Nothing.

End of conversation.

Person 2 (On an incoming video call on Skype): Hey, you there?

Me: Yeah. What time is it for you right now?

Person 2: It is 10 at night.

Me: Oh! That is late. How come you are calling me so late?

Person 2: Oh, I saw you online.

Me: Ok….. *eyes raised in question mark*

Person 2: So, that's it. I am going to sleep soon.

Me: Ok…. Er…goodnight.

Person2: Goodnight.

We hang up.

Person 3 (pinging me on Facebook): Hey, you are in the US right now?

Me: Yes. I am attending a conference here.

Person 3: Cool!

Me: Umm… yeah, it is.

Person 3: emoticon of a Facebook 'like'. Have fun. Bye.

Initially I was irritated at the futility of these pings that are bewildering in their lack of content. I dismissed it as one of those things, but I realise that there is a pattern here. Our lives are so particularly open and documented, such minute details of what we do, where we are and who we are with, is now available for the rest of the world to consume, making most of the conversations seeking information, redundant. If you know me on my social media networks, you already know most of the basic things that you would want to know about me. And it goes without saying that no matter how close and connected we are, we are not necessarily in a state where we want to talk all the time. The more distributed our lives are, the more diminished is the need for personal communication.

And yet, the habit or the urge to ping, buzz, DM or chat has not caught up with this interaction deficit. So, we still seem to reach out, using a variety of platforms just to say hello, even when there is nothing to say. I call this the 'Always On' syndrome. We live in a world where being online all the time has become a ubiquitous reality. Even when we are asleep, or busy in a meeting, or just mentally disconnected from the online spaces, our avatars are still awake. They interact with others. And when they feel too lonely, they reach out and send that empty ping — just to confirm that they are not alone. That on the other side of the glowing screen is somebody else who is going to connect back, and to reassure you that we are all together in this state of being alone.

This empty ping has now become a signifier, loaded with meaning. The need for human connection has been distributed, but it does not compensate our need for one-on-one contact. In the early days of the cell phone, when incoming calls were still being charged, the missed call, without any content, was a code between friends and lovers. It had messages about where to meet, when to meet, or sometimes, just that you were missing somebody. The empty ping is the latest avatar of the missed call — in a world where we are always online but not always connected, when we are constantly together, but also spatially and emotionally alone, the ping remains that human touch in the digital space that reassures us that on the other side of that seductive interface and the buzzing gadget, is somebody we can say hello to.

 

Case 1: Unlawful Phone-tapping in Himachal Pradesh

In December 2012, the government changed in Himachal Pradesh. The Bharatiya Janata Party (BJP) went out of power, and the Indian National Congress (INC) came into power. One of the first things that Chief Minister Virbhadra Singh did, within hours of taking his oath as Chief Minister on December 25, 2012, was to get a Special Investigation Team (SIT) to investigate phone tapping during the BJP government’s tenure.

On December 25th and 26th, 12 hard disk drives were seized from the offices of the Crime Investigation Department (CID) and the Vigilance Department (which is supposed to be an oversight mechanism over the rest of the police). These hard disks showed that 1371¹ phone numbers were targetted and hundreds of thousands of phone conversations were recorded. These included conversations of prominent leaders “mainly of” the INC but also from the BJP, including three former cabinet ministers and close relatives of multiple chief ministers, a journalist, and many senior police officials, including the Director General of Police.

Violations of the Law

While the law required the state’s Home Secretary to grant permission for each person that was being tapped, the Home Secretary had legitimately only granted permission in 34² cases. This leaves over a thousand cases where phones were tapped illegally, in direct violation of the law. The oversight mechanism provided in the law, namely the Review Committee under Rule 419A of the Indian Telegraph Rules, was utterly powerless to check this. Indeed, the internal checks for the police, namely the Vigilance Department, also seems to have failed spectacularly.

Every private telecom company cooperated in this unlawful surveillance, even though the people who were conducting it did so without proper legal authority. Clearly we need to revise our interception rules to ensure that these telecom companies do not cooperate unless they are served with an order digitally signed by the Home Secretary.

While all interception recordings are required to be destroyed within 6 months as per Rule 419A of the Indian Telegraph Rules, that rule was also evidently ignored and conversations going back to 2009 were being stored.

Concluding Concerns

What should concern us is not merely that such a large number of politicians/police officers were tapped, but that no criminal charges were brought about on the basis of these phone taps, indicating that much of it was being used for political purposes.

What should concern us is that the requirement under Section 5 of the Indian Telegraph Act, which covers phone taps, of the existence of a “public emergency” or endangerment of “public safety”, which is a prerequisite of phone taps as per the law and as emphasised by the Supreme Court in 1996 in the PUCL judgment, were blatantly ignored.

What should concern us is that it took a change in government to actually uncover this sordid tale.

In Pragati Maidan, New Delhi, many companies from India and abroad gathered to exhibit their products at the following expos which were organised by Electronics Today (India's first electronic exhibition organiser) on 16-18 October 2013:

• SmartCards Expo 2013
• e-Security Expo 2013
• RFID Expo 2013
• Biometrics Expo 2013

The Centre for Internet and Society (CIS) attended these exhibitions for research purposes and is sharing the publicly available brochures it gathered through the attached zip file. The use of these brochures constitutes Fair Use.

---

The article by Chinmayi Arun was published in the Hindu on January 3, 2014.

---

The Gujarat telephone tapping controversy is just one of many kinds of abuse that surveillance systems enable. If a relatively primitive surveillance system can be misused so flagrantly despite safeguards that the government claims are adequate, imagine what is to come with the Central Monitoring System (CMS) and Netra in place.

News reports indicate Netra — a “NEtwork TRaffic Analysis system” — will intercept and examine communication over the Internet for keywords like “attack,” “bomb,” “blast” or “kill.” While phone tapping and the CMS monitor specific targets, Netra is vast and indiscriminate. It appears to be the Indian government’s first attempt at mass surveillance rather than surveillance of predetermined targets. It will scan tweets, status updates, emails, chat transcripts and even voice traffic over the Internet (including from platforms like Skype and Google Talk) in addition to scanning blogs and more public parts of the Internet. Whistle-blower Edward Snowden said of mass-surveillance dragnets that “they were never about terrorism: they’re about economic spying, social control, and diplomatic manipulation. They’re about power.”

So far, our jurisprudence has dealt with only targeted surveillance; and even that in a woefully inadequate manner. This article discusses the slow evolution of the right to privacy in India, highlighting the context and manner in which it is protected. It then discusses international jurisprudence to demonstrate how the right to privacy might be protected more effectively.

Privacy and the Constitution

A proposal to include the right to privacy in the Constitution was rejected by the Constituent Assembly with very little debate. Separately, a proposal to give citizens an explicit fundamental right against unreasonable governmental search and seizure was also put before the Constituent Assembly. This proposal was supported by Dr. B.R. Ambedkar. If accepted, it would have included within our Constitution the principles from which the United States derives its protection against state surveillance. However, the proposed amendment was rejected by the Constituent Assembly.

Fortunately, the Supreme Court has gradually been reading the right to privacy into the fundamental rights explicitly listed in the Constitution. After its initial reluctance to affirm the right to privacy in the 1954 case of M.P. Sharma vs. Satish Chandra, the court came around to the view that other rights and liberties guaranteed in the Constitution would be seriously affected if the right to privacy was not protected. In Kharak Singh vs. The State of U.P., the court recognised “the right of the people to be secure in their persons, houses, papers, and effects” and declared that their right against unreasonable searches and seizures was not to be violated. The right to privacy here was conceived around the home, and unauthorised intrusions into homes were seen as interference with the right to personal liberty.

If the Kharak Singh judgment was progressive in its recognition of the right to privacy, it was conservative about the circumstances in which the right applies. The majority of judges held that shadowing a person could not be seen to interfere with that person’s liberty. Dissenting with the majority, Justice Subba Rao maintained that broad surveillance powers put innocent citizens at risk, and that the right to privacy is an integral part of personal liberty. He recognised that when a person is shadowed, her movements will be constricted, and will certainly not be free movements. His dissenting judgment showed remarkable foresight and his reasoning is consistent with what is now a universally acknowledged principle that there is a “chilling effect” on expression and action when people think that they are being watched.

The right to privacy as defined by the Supreme Court now extends beyond government intrusion into private homes. After Govind vs. State of M.P., and Dist. Registrar and Collector of Hyderabad vs. Canara Bank, this right is seen to protect persons and not places. Any inroads into this right for surveillance of communication must be for permissible reasons and according to just, fair and reasonable procedure. State action in violation of this procedure is open to a constitutional challenge.

Our meagre procedural safeguards against phone tapping were introduced in PUCL vs. Union of India (1997) after the Supreme Court was confronted with extensive, undocumented phone tapping by the government. The apex court found itself compelled to lay down what it saw as bare minimum safeguards, consisting mostly of proper record-keeping and internal executive oversight by senior officers such as the home secretary, the cabinet secretary, the law secretary and the telecommunications secretary. These safeguards are of little use since they are opaque and rely solely on members of the executive to review surveillance requests.

Right and safeguards

There is a difference between targeted surveillance in which reasons have to be given for surveillance of particular people, and the mass-surveillance which Netra sets up. The question of mass surveillance and its attendant safeguards has been considered by the European Court of Human Rights in Liberty and Others vs. the United Kingdom. Drawing upon its own past jurisprudence, the European Court insisted on reasonable procedural safeguards. It stated quite clearly that there are significant risks of arbitrariness when executive power is exercised in secret and that the law should be sufficiently clear to give citizens an adequate indication of the circumstances in which interception might take place. Additionally, the extent of discretion conferred and the manner of its exercise must be clear enough to protect individuals from arbitrary interference. The principles laid down by the European Court in relation to phone-tapping also require that the nature of the offences which may give rise to an interception order, the procedure to be followed for examining, using and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which recordings may or must be erased or the tapes destroyed be made clear.

Opaque and ineffective

Our safeguards apply only to targeted surveillance, and require written requests to be provided and reviewed before telephone tapping or Internet interception is carried out. CMS makes the process of tapping more prone to misuse by the state, by making it even more opaque: if the state can intercept communication directly, without making requests to a private telecommunication service provider, then it is one less layer of scrutiny through which the abuse of power can reach the public. There is no one to ask whether the requisite paperwork is in place or to notice a dramatic increase in interception requests.

India has no requirements of transparency whether in the form of disclosing the quantum of interception taking place each year, or in the form of subsequent notification to people whose communication was intercepted. It does not even have external oversight in the form of an independent regulatory body or the judiciary to ensure that no abuse of surveillance systems takes place. Given these structural flaws, the Amit Shah controversy is just the beginning of what is to come. Unfettered mass surveillance does not bode well for democracy.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

January 3, 2014

Shri Kapil Sibal,
Honourable Minister for Communication and Information Technology
Ministry of Communication and Information Technology,
Government of India

Subject: Public consultation at the domestic level on the position of Government of India at WGEC

Dear Sir,

We at the Centre for Internet and Society, Bangalore (“CIS”) commend, Government of India’s participation at the Working Group on Enhanced Cooperation (WGEC), working under the aegis of United Nations Commission on Science and Technology and Development (CSTD). The Working Group was set up in pursuance of General Assembly Resolution A/Res/67/195, to identify a shared understanding of enhanced cooperation on public policy issues pertaining to the internet. The WGEC after its first meeting circulated a questionnaire to collect the views and positions of the stakeholders on various aspects of enhanced cooperation. The Government of India responded to the questionnaire and also represented its position at the second meeting of WGEC held in Geneva from November 6-8, 2013. We would like the Government to take cognizance of representations from concerned stakeholders before finalizing its position.

In this regard, we would like to note, Government of India’s commitment towards multi-stakeholder approach in formulation of public policy pertaining to the internet. At the Internet Governance Forum, 2012 held in Baku, the Honourable Minister for Communications and Information Technology noted that the “issues of public policy related to the internet have to be dealt with, by adopting a multi-stakeholder, democratic and transparent approach”. Furthermore, the Government of India’s stand at the World Conference on International Telecommunications, 2012 in Dubai supported and recognized the multi-stakeholder nature of the internet.

However, it seems that the Government has digressed from its previous stand on internet governance whereas it fell short of having a multi-stakeholder public consultation on India’s position on enhanced cooperation at the WGEC. We earnestly urge you to hold domestic public consultation before the next WGEC meeting.

Thank you.
Sincerely,

Snehashish Ghosh,
Policy Associate,
Centre for Internet and Society, Bangalore

Copied to: Dr. Ajay Kumar, Joint Secretary, DietY, MOCIT and Shri. J. Satyanarayana, Secretary, DietY, MOCIT

---

Download a copy of the letter here

India’s Unique Identity (UID) project is already the world’s largest biometrics identity program, and it is still growing. Almost 530 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Despite these potential benefits, however, critical concerns remain about the UID’s legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.

The most basic concerns regarding the UID project stem from the fact that biometric technologies have never been tested on such a large population. As a result, well-founded concerns exist around scalability, false acceptance and rejection rates, and the project’s core premise that biometrics can uniquely and unambiguously identify people in a foolproof manner. Some of these concerns are based on technical issues—collecting fingerprints and iris scans “in the field,” for instance, can be complicated when a registrant’s fingerprints are eroded by manual labor or her irises are affected by malnutrition and cataracts. Other concerns relate to the project’s federated implementation architecture, which, by outsourcing collection to a massive group of private and public registrars and operators, increases the chance for data breaches, error, and fraud.

Perhaps even more vexing are concerns regarding how the UID, which promises financial inclusion (by reducing the identification barriers to opening bank accounts, for example), might in fact lead to new types of exclusion for already marginalized groups. Members of the LGBT community, for instance, question whether the inclusion of the transgender category within the UID scheme is a laudable attempt at inclusion, or a new means of listing and targeting members of their community for exclusion. More fundamentally, as more and more services and benefits are linked to the UID, the project threatens to exclude all those who cannot or will not participate in the scheme due to logistical failures or philosophical objections.

It is worth noting that the UID is not the only large data project in India. A slew of “Big Brother” projects exist: the Centralised Monitoring System (CMS), the Telephone Call Interception System (TCIS), the National Population Register (NPR), the Crime and Criminal Tracking Network and Systems (CCTNS), and the National Intelligence Grid (NATGRID), which is working to aggregate up to 21 different databases relating to tax, rail and air travel, credit card transactions, immigration, and other domains. The UID is intended to serve as a common identifier across these databases, creating a massive surveillance state. It also facilitates an ecosystem where access to goods and services, from government subsidies to drivers’ licenses to mobile phones to cooking gas, increasingly requires biometric authentication.

The UID project was originally vaunted as voluntary, but the inexorable slippery slope toward compulsory participation has triggered a series of lawsuits challenging the legality of forced enrollment and the constitutionality of the entire project. Most recently, in September 2013, India’s federal Supreme Court affirmed by way of an interim decision that the UID was not mandatory, that not possessing a UID should not disadvantage anybody, and that citizenship should be ascertained as a criteria for registering in order to ensure that UIDs are not issued to illegal immigrants. This last stipulation is particularly thorny given that the Unique Identification Authority of India (UIDAI, the body in charge of the UID project) has consistently distanced the UID from questions of citizenship under the justification that it is a matter beyond their remit (i.e., the UID is open to residents, and is not linked to citizenship). The government moved quickly to urge a modification of the order, but the Supreme Court declined to do so and will instead release its final decision after it reviews a batch of petitions from activists and others. The UIDAI approached the court, arguing that not making the UID mandatory has serious consequences for welfare schemes, but the court recently ordered the federal government, the Reserve Bank of India, and the Election Commission to delink the LPG cooking gas scheme from the UID. This is a considerable setback for the project, given that this was one of the most hyped linkages for the UID. It remains to be seen whether the court will similarly halt other attempts to make the UID mandatory.

In the meantime, the UID project is effectively being implemented in a legal vacuum without support from the Supreme Court or Parliament. The Cabinet is seeking to rectify this and has cleared a bill that would finally provide legal backing for the UID program—its previous attempt was rejected by the Standing Committee on Finance in 2010. This bill is scheduled to come up for debate during the winter session of Parliament. The bill’s progress, along with the final decision of the Supreme Court, will have far reaching consequences for the UID project’s implementation and longevity, as well as for the relationship between India’s citizens and the state.

If fully implemented, the UID system will fundamentally alter the way in which citizens interact with the government by creating a centrally controlled, technology-based standard that mediates access to social services and benefits, financial systems, telecommunications, and governance. It will undoubtedly also have implications for how citizens relate to private sector entities, on which the UID rests and which have their own vested interests in the data. The success or failure of the UID represents a critical moment for India. Whatever course the country takes, its decision to travel further toward or turn away from becoming a “database nation” will have implications for democracy, free speech, and economic justice within its own borders and also in the many neighboring countries that look to it as a technological standard bearer.

The Indian government seems to envision “big data” as a panacea for fraud, corruption, and abuse, but it has given little attention to understanding and addressing the fraud, corruption, and abuse that massive databases can themselves engender. The government’s actions have yet to demonstrate an appreciation for the fact that the matrix of identity and surveillance schemes it has implemented can create a privacy-invading technology layer that is not only a barrier to online activity but also to social participation writ large.

The lack of identification documents for a large portion of the Indian population does need to be addressed. Whether the UID project is the best means to do this—whether it has the right architecture and design, whether it can succeed without an overhaul of several other failures of governmental institutions, and whether fixing the identity piece alone causes more harm than good—should be the subject of intense debate and scrutiny. Only through rigorous threat modeling and analysis of the risks arising out of this burgeoning “data industrial complex” can steps be taken to stem the potential repercussions of the project not just for identity management, fraud, corruption, distributive justice, and welfare generally, but also for autonomy, openness, and democracy.

---

Click to download the article published in the annual report of Berkman's Center for Internet and Society (PDF 7223 Kb)

Note: This was originally posted on the Indian Constitutional Law and Philosophy blog.

---

On previous occasions, we have discussed the ongoing litigation in ACLU v. Clapper in the United States, a challenge to the constitutionality of the National Security Agency’s (NSA) bulk surveillance program. Recall that a short while after the initial Edward Snowden disclosures, The Hindu revealed the extent of domestic surveillance in India, under the aegis of the Central Monitoring System (CMS). The CMS (and what it does) is excellently summarized here. To put thing starkly and briefly:

“With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.”

The CMS is not sanctioned by parliamentary legislation. It also raises serious privacy concerns. In order to understand the constitutional implications, therefore, we need to investigate Indian privacy jurisprudence. In a series of posts, we plan to discuss that.

Privacy is not mentioned in the Constitution. It plays no part in the Constituent Assembly Debates. The place of the right – if it exists – must therefore be located within the structure of the Constitution, as fleshed out by judicial decisions. The first case to address the issue was M. P. Sharma v. Satish Chandra, in 1954. In that case, the Court upheld search and seizure in the following terms:

"A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right. by some process of strained construction."

The right in question was 19(1)(f) – the right to property. Notice here that the Court did not reject a right to privacy altogether – it only rejected it in the context of searches and seizures for documents, the specific prohibition of the American Fourth Amendment (that has no analogue in India). This specific position, however, would not last too long, and was undermined by the very next case to consider this question, Kharak Singh.

In Kharak Singh v. State of UP, the UP Police Regulations conferred surveillance power upon certain “history sheeters” – that is, those charged (though not necessarily convicted) of a crime. These surveillance powers included secret picketing of the suspect’s house, domiciliary visits at night, enquiries into his habits and associations, and reporting and verifying his movements. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds. It is the second ground that particularly concerns us.

As a preliminary matter, we may observe that the Regulations in question were administrative – that is, they did not constitute a “law”, passed by the legislature. This automatically ruled out a 19(2) – 19(6) defence, and a 21 “procedure established by law” defence – which were only applicable when the State made a law. The reason for this is obvious: fundamental rights are extremely important. If one is to limit them, then that judgment must be made by a competent legislature, acting through the proper, deliberative channels of lawmaking – and not by mere administrative or executive action. Consequently – and this is quite apart from the question of administrative/executive competence - if the Police Regulations were found to violate Article 19 or Article 21, that made them ipso facto void, without the exceptions kicking in. (Paragraph 5)

It is also important to note one other thing: as a defence, it was expressly argued by the State that the police action was reasonable and in the interests of maintaining public order precisely because it was “directed only against those who were on proper grounds suspected to be of proved anti-social habits and tendencies and on whom it was necessary to impose some restraints for the protection of society.” The Court agreed, observing that this would have “an overwhelming and even decisive weight in establishing that the classification was rational and that the restrictions were reasonable and designed to preserve public order by suitable preventive action” – if there had been a law in the first place, which there wasn’t. Thus, this issue itself was hypothetical, but what is crucial to note is that the State argued – and the Court endorsed – the basic idea that what makes surveillance reasonable under Article 19 is the very fact that it is targeted – targeted at individuals who are specifically suspected of being a threat to society because of a history of criminality.

Let us now move to the merits. The Court upheld secret picketing on the ground that it could not affect the petitioner’s freedom of movement since it was, well secret – and what you don’t know, apparently, cannot hurt you. What the Court found fault with was the intrusion into the petitioner’s dwelling, and knocking at his door late at night to wake him up. The finding required the Court to interpret the meaning of the term “personal liberty” in Article 21. By contrasting the very specific rights listed in Article 21, the Court held that:

“Is then the word “personal liberty” to be construed as excluding from its purview an invasion on the part of the police of the sanctity of a man’s home and an intrusion into his personal security and his right to sleep which is the normal comfort and a dire necessity for human existence even as an animal? It might not be inappropriate to refer here to the words of the preamble to the Constitution that it is designed to “assure the dignity of the individual” and therefore of those cherished human value as the means of ensuring his full development and evolution. We are referring to these objectives of the framers merely to draw attention to the concepts underlying the constitution which would point to such vital words as “personal liberty” having to be construed in a reasonable manner and to be attributed that these which would promote and achieve those objectives and by no means to stretch the meaning of the phrase to square with any preconceived notions or doctrinaire constitutional theories.” (Paragraph 16)

A few important observations need to be made about this paragraph. The first is that it immediately follows the Court’s examination of the American Fifth and Fourteenth Amendments, with their guarantees of “life, liberty and property…” and is, in turn, followed by the Court’s examination of the American Fourth Amendment, which guarantees the protection of a person’s houses, papers, effects etc from unreasonable searches and seizures. The Court’s engagement with the Fourth Amendment is ambiguous. It admits that “our Constitution contains no like guarantee…”, but holds that nonetheless “these extracts [from the 1949 case, Wolf v Colorado] would show that an unauthorised intrusion into a person’s home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man – an ultimate essential of ordered liberty”, thus tying its own holding in some way to the American Fourth Amendment jurisprudence. But here’s the crucial thing: at this point, American Fourth Amendment jurisprudence was propertarian based – that is, the Fourth Amendment was understood to codify – with added protection – the common law of trespass, whereby a man’s property was held sacrosanct, and not open to be trespassed against. Four years later, in 1967, in Katz, the Supreme Court would shift its own jurisprudence, to holding that the Fourth Amendment protected zones where persons had a “reasonable expectation of privacy”, as opposed to simply protecting listed items of property (homes, papers, effects etc). Kharak Singh was handed down before Katz. Yet the quoted paragraph expressly shows that the Court anticipated Katz, and in expressly grounding the Article 21 personal liberty right within the meaning of dignity, utterly rejected the propertarian-tresspass foundations that it might have had. To use a phrase invoked by later Courts – in this proto-privacy case, the Court already set the tone by holding it to attach to persons, not places.

While effectively finding a right to privacy in the Constitution, the Court expressly declined to frame it that way. In examining police action which involved tracking a person’s location, association and movements, the Court upheld it, holding that “the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

The “therefore” is crucial. Although not expressly, the Court virtually holds, in terms, that tracking location, association and movements does violate privacy, and only finds that constitutional because there is no guaranteed right to privacy within the Constitution. Yet.

In his partly concurring and partly dissenting opinion, Subba Rao J. went one further, by holding that the idea of privacy was, in fact, contained within the meaning of Article 21: “it is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Privacy he defined as the right to “be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures.” On this ground, he held all the surveillance measures unconstitutional.

Justice Subba Rao’s opinion also explored a proto-version of the chilling effect. Placing specific attention upon the word “freely” contained within 19(1)(d)’s guarantee of free movment, Justice Subba Rao went specifically against the majority, and observed:

“The freedom of movement in clause (d) therefore must be a movement in a free country, i.e., in a country where he can do whatever he likes, speak to whomsoever he wants, meet people of his own choice without any apprehension, subject of course to the law of social control. The petitioner under the shadow of surveillance is certainly deprived of this freedom. He can move physically, but he cannot do so freely, for all his activities are watched and noted. The shroud of surveillance cast upon him perforce engender inhibitions in him and he cannot act freely as he would like to do. We would, therefore, hold that the entire Regulation 236 offends also Art. 19(1)(d) of the Constitution.”

This early case, therefore, has all the aspects that plague the CMS today. What to do with administrative action that does not have the sanction of law? What role does targeting play in reasonableness – assuming there is a law? What is the philosophical basis for the implicit right to privacy within the meaning of Article 21’s guarantee of personal liberty? And is the chilling effect a valid constitutional concern?

We shall continue with the development of the jurisprudence in the next post.

---

You can follow Gautam Bhatia on Twitter

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website.  Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been  able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach.  It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

Introduction

In January 2014, the Global Network Initiative (GNI) published the Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo. GNI is an industry consortium that was started in 2008 with the objective of protecting user’s right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join as members to the GNI network.

Overview of the Public Report

The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 - 2013 to measure company compliance with the GNI principles on freedom of expression and privacy. The principles lay out broad guidelines that member companies  should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi – stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with Implementation Guidelines to provide companies with a framework for companies to respond to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental: blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.

Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices by the companies that work to protect freedom of expression and privacy such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed, have been, adopted by these companies. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user who’s posted content is removed, Google will often notify the user and directs the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments  on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.

The Report highlights challenges to compliance with the GNI principles that companies face – namely legal restraints and mandates that they are faced with. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy for reasons such as the request needed clarification and modification, or that the request needed to follow established procedure.

A number of findings came out of the assessments undertaken for the Report including:

1. As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.
2. The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights.
3. Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles.

The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:

• Improving the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies.
• Consider the impact of hardware on freedom of expression and privacy.
• Improve external and internal reporting.
• Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.
• Review executive management training.
• Improve stakeholder engagement.
• Improve communication with users.
• Increase sharing of best practices.
• The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.

NSA leaks, global push for governmental surveillance reform, and the Public Report

With special attention given to the various companies responses to the NSA leaks, the Report notes that in response to the NSA leaks the assessed companies have issued public statements and filed legal challenges with the US government  and filed suit with the FISA Court seeking the right to disclose data relating to the number of FISA requests received with the public. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore in December 2014, the companies , along with other internet companies, developed and issued the five Principles on Global Government Surveillance Reform.  Similar to other efforts to end mass and disproportionate surveillance, such as the Necessary and Proportionate principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.

Along these lines, on January 14^th, GNI released the statement “Surveillance Reforms to Protect Rights and Restore Trust”, urging the U.S Government to review and enact surveillance legislation that incorporate a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends the Government to action and: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, support the use of strong encryption standards.

Conclusion and way forward

Looking ahead, GNI is planning on developing and implementing a mechanism to address effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.

The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and being to adopt the GNI principles and undergo GNI assessments.

Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?

In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.

In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fullfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.

In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollement agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.

As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did not deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.

However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I did have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25, 000 fine, because apparently I was “wasting the court's time” !

In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.

And how did the case continue thereafter?

In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.

Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!

Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it is has been postponed.

Have there been any other recent court cases against the UID?

Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.

Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.

Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.

So what is the status of your pending court cases?

Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.

After its judgment in Kharak Singh, the Court was not concerned with the privacy question for a while. The next case that dealt – peripherally – with the issue came eleven years later. In R.M. Malkani v State of Maharashtra, the Court held that attaching a recording device to a person’s telephone did not violate S. 25 of the Telegraph Act, because

"where a person talking on the telephone allows another person to record it or to hear it, it can-not be said that the other person who is allowed to do so is damaging, removing, tampering, touching machinery battery line or post for intercepting or acquainting himself with the contents of any message. There was no element of coercion or compulsion in attaching the tape recorder to the telephone."

Although this case was primarily about the admissibility of evidence, the Court also took time out to consider – and reject – a privacy-based Article 21 argument, holding that:

"Article 21 was invoked by submitting that the privacy of the appellant’s conversation was invaded. Article 21 contemplates procedure established by law with regard to deprivation of life or personal liberty. The telephonic conversation of an innocent citizen will be protected by Courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants. It must not be understood that the Courts will tolerate safeguards for the protection of the citizen to be imperiled by permitting the police to proceed by unlawful or irregular methods."

Apart from the fact that it joined Kharak Singh in refusing to expressly find a privacy right within the contours of Article 21, there is something else that unites Kharak Singh and R.M. Malkani: they hypothetical in Kharak Singh became a reality in Malkani – what saved the telephone tapping precisely because it was directed at "… a guilty person", with the Court specifically holding that the laws were not for targeting innocent people. Once again, then, the targeted  and specific nature of interception became a crucial – and in this case, a decisive – factor. One year later, in another search and seizure case, Pooran Mal v Inspector, the Court cited M.P. Sharma and stuck to its guns, refusing to incorporate the Fourth Amendment into Indian Constitutional law.

It is Gobind v State of MP, decided in 1975, that marks the watershed moment for Indian privacy law in the Constitution. Like Kharak Singh, Gobind also involved domiciliary visits to the house of a history-sheeter. Unlike Kharak Singh, however, in Gobind the Court found that the Regulations did have statutory backing – S. 46(2)(c) of the Police Act, which allowed State Government to make notifications giving effect to the provisions of the Act, one of which was the prevention of commission of offences. The surveillance provisions in the impugned regulations, according to the Court, were indeed for the purpose of preventing offences, since they were specifically aimed at repeat offenders. To that extent, then, the Court found that there existed a valid “law” for the purposes of Articles 19 and 21.

By this time, of course, American constitutional law had moved forward significantly from eleven years ago, when Kharak Singh had been decided. The Court was able to invoke Griswold v Connecticut and Roe v Wade, both of which had found a "privacy" as an "interstitial" or "penumbral" right in the American Constitution – that is, not reducible to any one provision, but implicit in a number of separate provisions taken together. The Court ran together a number of American authorities, referred to Locke and Kant, to dignity, to liberty and to autonomy, and ended by holding, somewhat confusingly:

“the right to privacy must encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing. This catalogue approach to the question is obviously not as instructive as it does not give analytical picture of that distinctive characteristics of the right of privacy. Perhaps, the only suggestion that can be offered as unifying principle underlying the concept has been the assertion that a claimed right must be a fundamental right implicit in the concept of ordered liberty… there are two possible theories for protecting privacy of home. The first is that activities in the home harm others only to the extent that they cause offence resulting from the mere thought that individuals might he engaging in such activities and that such ‘harm’ is not Constitutionally protective by the state. The second is that individuals need a place of sanctuary where they can be free from societal control. The importance of such a sanctuary is that individuals can drop the mask, desist for a while from projecting on the world the image they want to be accepted as themselves, an image that may reflect the values of their peers rather than the realities of their natures… the right to privacy in any event will necessarily have to go through a process of case-by-case development."

But if no clear principle emerges out of the Court’s elucidation of the right, it was fairly unambiguous in stressing the importance of the right itself. Interestingly, it grounded the right within the context of the freedom struggle. "Our founding fathers," it observed, "were thoroughly opposed to a Police Raj even as our history of the struggle for freedom has borne eloquent testimony to it." (Para 30) The parallels to the American Fourth Amendment are striking here: in his historical analysis Akhil Amar tells us that the Fourth Amendment was meant precisely to avoid the various abuses of unreasonable searches and seizures that were common in England at the time.

The parallels with the United States become even more pronounced, however, when the Court examined the grounds for limiting the right to privacy. "Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right, that fundamental right must be subject to restriction on the basis of compelling public interest." "Compelling public interest" is an interesting phrase, for two reasons. First, “public interest” is a ground for fundamental rights restrictions under Article 19 (see, e.g., Article 19(6)), but the text of the Article 19 restrictions do not use – and the Court, in interpreting them, has not held – that the public interest must be “compelling”. This suggests a stricter standard of review for an Article 21 privacy right violation than Article 19 violations. This is buttressed by the fact that in the same paragraph, the Court ended by observing: “even if it be assumed that Article 19(5) [restrictions upon the freedom of movement] does not apply in terms, as the right to privacy of movement cannot be absolute, a law imposing reasonable restriction upon it for compelling interest of State must be upheld as valid.” The Court echoes the language of 19(5), and adds the word “compelling”. This surely cannot be an oversight.

More importantly – the compelling State interest is an American test, used often in equal protection cases and cases of discrimination, where “suspect classes” (such as race) are at issue. Because of the importance of the right at issue, the compelling state interest test goes hand-in-hand with another test: narrow tailoring. Narrow tailoring places a burden upon the State to demonstrate that its restriction is tailored in a manner that infringes the right as narrowest manner that is possible to achieve its goals. The statement of the rule may be found in the American Supreme Court case of Grutter v Bollinger:

"Even in the limited circumstance when drawing racial distinctions is permissible to further a compelling state interest, government is still constrained under equal protection clause in how it may pursue that end: the means chosen to accomplish the government’s asserted purpose must be specifically and narrowly framed to accomplish that purpose."

To take an extremely trivial example that will illustrate the point: the State wants to ban hate speech against Dalits. It passes legislation that bans “all speech that disrespects Dalits.” This is not narrowly tailored, because while all hate speech against Dalits necessarily disrespects them, all speech that disrespects Dalits is not necessarily hate speech. It was possible for the government to pass legislation banning only hate speech against Dalits, one that would have infringed upon free speech more narrowly than the “disrespect law”, and still achieved its goals. The law is not narrowly tailored.

Crucially, then, the Court in Gobind seemed to implicitly accept the narrow-tailoring flip side of the compelling state interest coin. On the constitutionality of the Police Regulations itself, it upheld their constitutionality by reading them narrowly. Here is what the Court said:

“Regulation 855, in our view, empowers surveillance only of persons against whom reasonable materials exist to induce the opinion that they show a determination, to lead a life of crime – crime in this context being confined to such as involve public peace or security only and if they are dangerous security risks. Mere convictions in criminal cases where nothing gravely imperiling safety of society cannot be regarded as warranting surveillance under this Regulation. Similarly, domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security and not routine follow-up at the end of a conviction or release from prison or at the whim of a police officer.”

But Regulation 855 did not refer to the gravity of the crime at all. Thus, the Court was able to uphold its constitutionality only by narrowing its scope in a manner that the State’s objective of securing public safety was met in a way that minimally infringed the right to privacy.

Therefore, whether the Gobind bench was aware of it or not, its holding incorporates into Indian constitutional law and the right to privacy, not just the compelling State interest test, but narrow tailoring as well. The implications for the CMS are obvious. Because with narrow tailoring, the State must demonstrate that bulk surveillance of all individuals, whether guilty or innocent, suspected of crimes or not suspected of crimes (whether reasonably or otherwise), possessing a past criminal record or not, speaking to each other of breaking up the government or breaking up a relationship – every bit of data must be collected to achieve the goal of maintaining public security, and that nothing narrower will suffice. Can the State demonstrate this? I do not think it can, but at the very least, it should be made to do so in open Court.

---

Chinmayi Arun's Op-ed was published in the Hindu on January 29, 2014.

---

It is odd indeed that the Delhi High Court seems to believe that sensational media coverage can sway the Supreme Court into prejudice against one of its own retired judges. Justice Manmohan Singh of the Delhi High Court has said in Swatanter Kumar v. Indian Express and others that the pervasive sensational media coverage of the sexual harassment allegations against the retired Supreme Court judge 'may also result in creating an atmosphere in the form of public opinion wherein a person may not be able to put forward his defence properly and his likelihood of getting fair trial would be seriously impaired.'  This Delhi High court judgment has drawn upon the controversial 2011 Supreme Court judgment in Sahara India Real Estate Corp. Ltd v. SEBI (referred to as the Gag Order case here) to prohibit the media from publishing headlines connecting retired Justice Swatanter Kumar with the intern's allegations, and from publishing his photograph in connection with the allegations.

Although the Gag Order judgment was criticised at the time that it was delivered Swatanter Kumar v. Indian Express illustrates its detractors' argument more vividly that anyone could have imagined.

Sukumar Muralidharan wrote of Gag Order case that the postponement (of media coverage) order remedy that it created, could become an "instrument in the hands of wealthy and influential litigants, to subvert the course of open justice".

Here we find that although a former Supreme Court judge is pitted against a very young former intern within a system over which he once presided, Justice Manmohan Singh seems to think that it is the judge who is danger of being victimised.

The Swatanter Kumar judgment was enabled by both the Gag Order case as well as the 1966 Supreme Court judgment in Naresh Sridhar Mirajkar v. State of Maharashtra, which in combination created a process for veiling court proceedings. Naresh Mirajkar stated that courts' inherent powers extend to barring media reports and comments on ongoing trials in the interests of justice, and that such powers do not violate the right to freedom of speech; and the Gag Order case created an instrument - the 'postponement order' - for litigants, such that they can have media reports of a pending case restricted. The manner in which this is used in the Swatanter Kumar judgment raises very worrying questions about how the judiciary views the boundaries of the right to freedom of expression, particularly in the context of reporting court proceedings.

Broad power to restrict reporting

The Gag Order case was problematic: it used arguments for legitimate restraints on media reporting in exceptional circumstances, to permit restrictions on media reporting of court proceedings under circumstances 'where there is a real and substantial risk of prejudice to fairness of the trial or to proper administration of justice'.  The Supreme Court refused to narrow this or clarify what publications would fall within this category. It merely stated that this would depend on the content and context of the offending publication, and that no 'straightjacket formula' could be created to enumerate these categories. This leaves higher judiciary with a broad discretionary power to decide what amounts to
legitimate restraints on media reporting, using an ambiguous standard. Exercise of this power to veil proceedings involving powerful public figures whose actions have public implications, imperils openness and transparency when they are most critical.

Court proceedings are usually open to the public. This openness serves as a check on the judiciary, and ensures public faith in the judiciary. In countries as large as ours, media coverage of important cases ensures actual openness of court proceedings - we are able to follow the arguments made by petitioners who ask that homosexuality be decriminalised, the trial of suspected terrorists and alleged murderers, and the manner in which our legal system handles sexual harassment complaints filed by young women.

When court proceedings are closed to the public (known as 'in-camera' trials) or when media dissemination of information about them is restricted, the openness and transparency of court proceedings is compromised. Such compromise of transparency does take place in many countries, to protect the rights of the parties involved, or prevent miscarriage of justice. For example, child-participants are protected by holding trials in-camera; names of parties to court proceedings are withheld to protect their privacy sometimes; and in countries where juries determine guilt, news coverage that may prejudice the jury is also restricted.

The damage done

Although the Supreme Court stated in principle that the openness of court proceedings should only be restricted where strictly necessary, this appears to lend itself to very varied interpretation. For example, it is very difficult for some of us to understand why it was strictly necessary to restrict media coverage of sexual harassment proceedings in the Swatanter Kumar case. J. Manmohan Singh on the other hand seems to believe that the adverse public opinion will affect the retired judge's chance of getting a fair trial. His judgment also seems to indicate his concern that the sensational headlines will impact the public confidence in the Supreme Court.

The Delhi High Court's apprehension about the effects of the newspaper coverage on the reputation of the judge did not need to translate into a prior restraint on media coverage. They may better have been addressed later, by evaluating a defamation claim pertaining to published material. The larger concerns about the reputation of the judiciary are better addressed by openness: if powerful public figures, especially those with as much influence as a former Supreme Court judge are not subjected to transparent court proceedings, the opacity in the face of such a critical issue is likely to undermine public faith in the judiciary as an institution.Such opacity undermines the purpose of open courts. It is much worse for the reputation of the judiciary than publicised complaints about individual judges.

Since the Delhi High Court ruling, there has been little media coverage of the sexual harassment case. Suppression of media coverage leaves the young woman comparatively isolated. Wide coverage of the harassment complaint involving Justice Ganguly, helped the intern in that case find support. The circulation of information enabled other former interns as well as a larger network of lawyers and activists, reach out to her. This is apart from the general pressure to be fair that arises when a case is being followed closely by the public. Media coverage is often critical to whether someone relatively powerless is able to assert her rights against a very powerful person. This is why media freedom is sacred to democracies.

If the Supreme Court was confident that the high courts in India would use their broad discretionary power under the Gag Order case sparingly and only in the interests of justice, the Swatanter Kumar case should offer it grounds to reconsider.  Openness and freedom of expression are not meant to be diluted to protect the powerful - they exist precisely to ensure that even the powerful are held accountable by state systems that they might otherwise be able to sway.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as a project run by the Centre for Communication Security Research and Monitoring (CCSRM), along with the Telecom Testing and Security Certification (TTSC) project.

The Central Monitoring System (CMS), which was largely covered by the media in 2013, was actually approved by the Cabinet Committee on Security (CCS) on 16th June 2011 and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, government funding of the CMS has reached at least Rs. 450 crore (around $72 million).

In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, clause 41.10 of the Unified Access Services (UAS) License Agreement was amended in June 2013. In particular, the amended clause includes the following:

“But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”

Furthermore, draft Rule 419B under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. Call Data Records, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to draft Rule 419B, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.

Other than this draft Rule and the amendment to clause 41.10 of the UAS License Agreement, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the Indian Telegraph Act, 1885, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:

• the interests of the sovereignty and integrity of India

• the security of the State

• friendly relations with foreign states

• public order

• for preventing incitement to the commission of an offense

However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.

So how does the Central Monitoring System (CMS) actually work?

We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized access to the country's telecommunications network. The question, though, is how.

Well, prior to the CMS, all service providers in India were required to have Lawful Interception Systems installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.

In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that the authority can also bypass service providers in gaining such access. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.

The above is illustrated in the following chart:

The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, 70 ISF servers have been purchased for six License Service Areas and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.

The Centre for Development of Telematics plans to integrate ISF servers which connect with the CMS in the premises of service providers in the following regions:

• Delhi

• Maharashtra

• Kolkata

• Uttar Pradesh (West)

• Andhra Pradesh

• Uttar Pradesh (East)

• Kerala

• Gujarat

• Madhya Pradesh

• Punjab

• Haryana

With regards to the UAS License Agreement that TSPs are required to comply with, amended clause 41.10 specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a Memorandum of Understanding (MoU) for MPLS connectivity has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, Rs. 4.8 crore have been given to BSNL for interconnecting 81 CMS locations of the following License Service Areas:

• Delhi

• Mumbai

• Haryana

• Rajasthan

• Kolkata

• Karnataka

• Chennai

• Punjab

Clause 41.10 of the UAS License Agreement also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor at least 30 simultaneous calls for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:

• Called/calling party mobile/PSTN numbers

• Time/date and duration of interception

• Location of target subscribers (Cell ID & GPS)

• Data records for failed call attempts

• CDR (Call Data Records) of Roaming Subscriber

• Forwarded telephone numbers by target subscriber

Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, 80% of the CMS Physical Data Centre has been built so far.

In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. Training has been imparted to the following law enforcement agencies:

• Intelligence Bureau (IB)

• Central Bureau of Investigation (CBI)

• Directorate of Revenue Intelligence (DRI)

• Research & Analysis Wing (RAW)

• National Investigation Agency (NIA)

• Delhi Police

And should we even be worried about the Central Monitoring System?

Well, according to the brief material for the Honourable MOC and IT Press Briefing on 16th July 2013, we should not be worried about the Central Monitoring System. Over the last year, media reports have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However, Indian authorities have argued that the Central Monitoring System will better protect the privacy of individuals and maintain their security due to the following reasons:

1. The CMS will just automate the existing process of interception and monitoring, and all the existing safeguards will continue to exist

2. The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A

3. The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted

4. The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data

5. A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard

While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.

The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will “just” be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the Information Technology (Amendment) Act, 2008, and the Indian Telegraph Act, 1885, potentially infringe upon individual's right to privacy and other human rights.

May I remind you of Section 69 of the Information Technology (Amendment) Act, 2008, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an ambiguous matter. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”

The second argument appears inadequate too. Section 5(2) of the Indian Telegraph Act, 1885, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates targeted surveillance, while the Central Monitoring System could potentially undertake mass surveillance. Since the process of interception is automated and, under clause 41.16 of the Unified License (Access Services) Agreement, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.

As for the third argument, it is not clear how bypassing the nodal officers of TSPs will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?

While the fourth argument makes a point about differentiating the provisioning and requesting entities with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.

Furthermore, this argument states that the CMS authority will not have access to content data, but does not specify if it will have access to metadata. What's concerning is that metadata can potentially be more useful for tracking individuals than content data, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.

The final argument appears to provide some promise, since the maintenance of a command log of all provisioning activities could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.

In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it protects individuals from abuse by those in power and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.

If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.

After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.

How can we not be worried about the Central Monitoring System?

 

 

The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.

This was published in a book on Palestinian art.

---

The rise of mobile media is heralding new forms of networked visualities. These visualities see place, politics and images entangled in new ways: what can be called ‘emplaced visuality’. In the images disseminated globally of citizen uprising such as the Arab Spring, it was mobile phones that provided the frame and context for new forms of networked visual politics. In the growth in networked photo apps such as Instagram and Hipstamic, how, when and why we are representing a relationship between place and co-presence is changing. No longer the poorer cousin to professional cameras, camera phones have lead the rise of do-it-yourself (DIY) aesthetics flooding mainstream and subcultural media cultures. In networked visuality contexts such as YouTube and Flickr, the aesthetic of what Burgess has called ‘vernacular creativity’[1] has become all-pervasive—so much so that even mainstream media borrows the DIY style.

Now, with locative media added into the equation, these visualities are not only networked but also emplaced—that is, entangled within the temporal and spatial movements of everyday life.[2]

Emplaced visualities represent a new relationship between place (as a series of what Doreen Massey calls ‘stories so far’)[3] co-presence, subjectivity and visuality. This phenomenon is impacting upon video art. In this chapter we reflect upon how mobile media visualities are impacting upon a sense of place and displacement. With the added dimension of Big Data and location-based services (like Google Maps and Facebook Places) now becoming part of the everyday informational circuits, how a sense of place and privacy is experienced and represented is changing. This phenomenon is apparent in the Palestinian cross-cultural video project called Al Jaar Qabla al Daar (The Neighbour before the House) as we will discuss in detail later in this chapter.

With its history of displacement and disapora, Palestinine’s role in contemporary art is increasingly becoming pivotal. This is especially the case with video art as a key medium for reflecting upon representations of place and movement. When we think of Palestinan video art the first artist we think of is Mona Hatoum. Hatoum was a poineer in so many ways. In particular, she gave voice to Arab women. Her work unsetttled the poetics of the everyday by evoking a sense of displacement and entanglement. While born in Beirut of Palestinan parents and then moving to London, she never identified as Lebanese. Despite never living in Palestinian, Hatoum was like a number of Palestinian refugees in Lebanon post 1948 who were never able to gain Lebanese identity cards. Unsurprisingly, Hatoum’s experiences of exile permulate her work. In particular, exile, politics and the body have played a key role. This is epitomised in her iconic Measures of Distance (1988) whereby Hatoum superimposes images of her mother having a shower with letters by her mum written in Arabian.

However, Hatoum is not the only artist representing the oevre of Palestinian video art. Over the last two decades—with the rise of mobile media affording easy accessibility to new media tools and networked contexts like YouTube—a new breed of video artists has arisen. An example is Navigations: Palestinian Video Art, 1988 to 2011 (curated as part of the Palestine Film Festival) that explored artists working in Palestine and the diaspora over nearly a quarter of a century. Unsurprisingly, motifs of diaspora and displacement feature throughout the fifteen works by Hatoum, Taysir Batniji, Manar Zoabi, Larissa Sansour and Khaled Jarrar to name a few. In Navigations: Palestinian Video Art key themes include ‘mobility and fluidity: the virtual and the real, the past and the future, the spectacular and the quotidian, the near and the far’.

Another example of an event promoting Palestinian video art is the /si:n/ Festival of Video Art & Performance. Consisting of performances, video installations, lectures, talks, and workshops in various venues all over the West Bank and includes artists from all over the world. The name /si:n/ is meant to linked the words ‘scene’ with ‘seen’ and has been seen as making an innovative context for video artists to share and collaborate in public venue. With themes such as ‘poetical revolution comes before political revolution’, the /si:n/ Festival provides a context that reflects upon exile and place in one of the most contested and politucal spaces, the West Bank. Beginning in 2009, the /si:n/ Festival became the first festival of video art in Palestine.

Given this rich tapestry of video art emerging in Palestine, in this chapter we explore the relationship between emergent mobile visualities, diaspora and place through a specific project called The Neighbour before the House. A cross-cultural video collaboration between Indian artists Shaina Anand, Ashok Sukumaran and Nida Ghouse, with Palestinian and Israeli artists Mahmoud Jiddah, Shereen Brakat and Mahasen Nasser-Eldin, The Neighbour before the House is a video art project that explores quotidian practices of life in a ‘post-surveillance society’. The Neighbour before the House is set in the context of the much contested territories and the relentless re-occupation and re-appropriation of East Jerusalem. Working with cheap surveillance technologies which have become such a ubiquitous part of the landscape of East Jerusalem, the artists use a PTZ (pan-tilt-zoom) security camera to inquire into the affective dimensions of ‘mobile’ life in the time of turbulent politics. The images that they capture look at jest, memory, desire and doubt, as fragile conditions of trust and life shape the everyday experiences of the region. The camera is given to the residents of a neighbourhood torn asunder by political strife and conflicts, asking them to search for the nugget of truth or morsel of thickness in the otherwise familiar flatness of walls and closed doors, which have been completely depleted of all depth because of the increased distance in the social relations.

The images eschew the tropes of traditional documentary making by and adopting the grainy, lo-res, digital non-frame, DIY aesthetics constantly in search of an image that might become the site of meaning making, but increasingly only capturing the mundane, the inane, the opaque and the evanescent. The image leads the commentary. The live camera operator’s interest and experience shape the image, rendering the familiar or the insignificant as hugely affective and evocative. The project further initiates a dialogue between the neighbours—both from across the contested zones, but also from across picket fences and walls of surveillance—by introducing the images to them, by inviting them to capture the images, and instil in them, the narratives of hope, despair, nostalgia, memory, loss, love, and longing.

The Neighbour before the House reflects upon the relationship between between art, technologies of visual reproduction and political strife. Moving away from the documentary style that has been popular in capturing the ‘real’, The Neighbour before the House refigures the temporality and spatiality through new affective and metaphorical tropes, playing with the tension between the presence of surveillance technologies and the familiarity of these images that breeds new conditions of life and living, trust and belonging, safety and threat, for people in Palestine. In the process, it introduces key questions to the role of the artist, the function of art, the form of video art practice, and the new negotiations that digital video apparatus introduce to the art worlds, beyond the now main-stream ideas of morphing, digitization, remixing etc.

Moreover, The Neighbour before the House reflects upon a shift away from the dominant network society paradigm and towards more contingent and ambivalent mirconarratives of camera phone practices. It toys with the DIY ‘banality’ aesthetics of camera phones in order to consider the ways in which place is overlaid with different types of information—electronic, geographic, psychological and metaphoric. On the one hand, The Neighbour before the House evokes network society metaphors. On the other hand, it suggests a move away from this paradigm and towards a politics of both ‘emplaced’ and displaced visuality. In order to discuss this transformation of the relationship between image, place and information from network society metaphors towards ‘emplaced’ visualities we firstly describe The Neighbour before the House before then reflecting upon a few key themes the project explores: that is, the movement of the networked society to emplaced visualities and the rise of the politics of the phoneur.

The Neighbour before the House 2012): A case study

As aforementioned, The Neighbor before the House is a collaborative video project between Indian, Israeli and Palestenian artists that appropriates, critically responds and insightfully rearranges the notion of art, politics and digital video technologies in its exploration of everyday practices of life in critical times in a networked post-surveillance society. The Neighbor before the House equips eight Palestenian families from East Jerusalem to be in control of PTZ (Pan Tilt Zoom) surveillance cameras mounted at strategic locations in the city, to observe the live feed on their TV sets, recording their reactions and live commentaries at what they see. Here the Big Brother, and its contemporary Big Data, is inverted through everyday citizens being given the omnipresent eye. It plays on the idea of the neighbour being both a friendly eye and when this watching shifts from being benevolent to malevolent.

As the artists write, ‘this footage shot with a security camera, takes us beyond the instrumental aspects of surveillance imaging, introducing us to the architecture of a deliberate and accelerated occupation of a city.’ Here the city is rendered into a cartography of informational circuits. Exploiting the conditions of networked spectacle, the project attempts to remap the real and the everyday through ‘inquisitiveness, jest, memory, fear, desire and doubt’. They use the surveillance cameras—symbols of suspicion and fear—to catalyse stories from Palestenians in different neighbourhoods about what can be seen: ‘messianic archeological digs; Israeli settlement activities; takeovers of Palestenian properties; the Old City, the Wall and the West Bank,’ among other mundane and marvellous details of living life in those precarious conditions.

Through the inversion of the politics of survellience from the Big Brother to the ubiquitous neighbour, The Neighbor before the House provides a rich, evocative and non-representational history of living in East Jerusalem. The networked media spectacles which have come to stand-in for the complex geo-political struggles of the region are displaced. As the low-res cameras reduce the deep geography into an alien flatness on the TV screens, as the camera captures glimpses of what could have been, records traces of blurred movements which require discussions and debates about their possible meaning, and engages the families to communicate their hopes, fears, desires and doubts, the art project also signals us to the new forms, functions and role of video art. Rather than the media event or spectacle,
The Neighbor before the House provides the micronarrative gestures of the everyday. The ways in which the place is a tapestery of subjectivities and experiences, not just a media spectacle.

As artist Shaina Anand mentions in an interview with Shah, this is a new kind of storytelling, where,

… a lot of the practice actually removes the filmmaker, the director, the auteur, and also therefore the cameraman, and also the lens... and offers these possibilities and privileges— of this look and gaze and all—to the subjects themselves[4]

And as the lens makes itself invisible, it also gives new importance to the apparatus of surveillance, seeing and its incorporation in our lives. As Florian Schenider mentions in the introduction to the project, the house upon which the camera is mounted, itself becomes a tripod made of stones. Instead of thinking of the video apparatus as out there, the private conditions of the home, the histories of the family, their relationships with neighbours and communities that they have lost, and strangers that they have inherited, all become the defining circumstances of this new crisis.

Borrowing from a Quranic saying, Al Jaar Qabla Al Daar, which is close to the idea of ‘loving they neighbour’ it explores how the presence of new digital video technologies establishes difference, distance, alienation, proximity, curiosity and surveillance which is not merely a function of governmental structures but also a condition of gamification and everyday engagement for the families in East Jerusalem. For the artists, this also takes up another connotation of ‘checking out your neighbour before you buy the house’ suggesting establishing bounded similarities to seek comfort. The edited footage of the video shows how and when the users got in control of the keyboard and a joy-stick, panning, tilting and zooming the camera, watching the live feeds on their Television sets as they speak live over the footage. These commentaries are personal as they are affective. Sometimes the commentary leads the person to probe the image, deeper, trying to find a meaning that can no longer be supported by the hyper-pixelated image on their screen, but becoming a site through which memories and interpretations

get generated. What begins as a playful probe soon takes up sinister shades, as some generate narratives of loss and death. Others take the opportunity to spy on the new settlers who have sometimes taken over their older houses, wondering what changes they are making to what was their own. There is a sense of rawness and urgency, as they look back, with fear, and anger, but also with resignation at the houses that they were evicted from, and the semblance of life that they can spot from their remote presence.

The final 5 cuts that the artist produce, give us a deep and evocative insight into geography, temporality, and the ways in which we can re-appropriate the network spectacle to look at things that are often forgotten, dropped out of, or rendered invisible in the neat and clean lines of network models and diagrams. The ‘footage’ quality of the probes, the long dwellings on insignificant images, and the panoptican nature of video as witness, video as spy, and video as affective engagement with territories and times that are lost, all give a new idea of what the future of video art would be like. Instead of looking at a tired old Foucauldian critique of surveillance, The Neighbor before the House posits the question of ‘Who watches the watchman?’ in ways that are both startling and assuring.

Visualising the Politics of the Network

One of the key themes of The Neighbour before the House is the changing role of the network society—especially in an age of Big Data and locative-based services (LBS)—whereby privacy and surveillance come to the forefront. The network society has often been cited as one of the defining frameworks of our heavily mediated times. From theorists such as Barry Wellman and Manuel Castells, the network metaphor has burgeoned in parallel with the all-pervasive rise of Information and Communication Technologies (ICTs) globally. According to Lee Raine and Wellman in Networked, the ‘new social operating systems of networked individualism liberates us from the restrictions of tightly knit groups.’[5]

Raine and Wellman argue that there has been a ‘triple revolution’: the rise of social networking, the capacity of the internet to empower individuals, and the always-on connectivity of mobile devices’.[6]

The ability of networks to explain a range of human personal and social relationships has afforded it great explanatory power, where everything (and hence, by association, everybody) can be understood and explained by the indexicalities and visual cartographies that networks produce. The network is simultaneously, and without any sense of irony, committed to both, examining sketchiness and producing clarity of any phenomena or relationality. The network presumes an externality which can be rich, chaotic and complex and proposes tools and models through which that diverse and discrete reality can be rendered intelligible by producing visualisations.

These visualisations are artefacts—in as much as all mapping exercises produce artefacts—and operate under the presumption of a benignity devoid of political interventions or intentions. The visualisations are non-representational, in terms that they do not seek to reproduce reality but actually understand it, and thereby shaping the lenses and tools to unravel the real nature of the Real. In this function, the network visualisations are akin to art, attaining symbolic value and attempting to decode a depth that the network itself defies and disowns, simulating conditions of knowing and exploring, emerging as surrogate structures that stand in for the real. Thus the rich set of actions, emotions, impulses, traces, inspirations, catalysts, memories, etc. get reified as transactions which can be sorted in indices, arranged in databases, and presented as an abstract, symbolic and hyper-visual reality which can now be consumed, accessed and archived within the network, thus obfuscating the reality that it was premised upon.

This phenomenon is what Shah calls the spectacle imperative of the network. Especially with the proliferation of ubiquitous image and video recording digital devices, this ability to create subjective, multiple, fractured spectacles that feed into the network’s own understanding of itself (rather than an engagement with a reality outside) has become the dominant aesthetic that travels from Reality TV programming to user generated content production on video distribution channels on the internet. This networked spectacle, without a single auteur or a concentrated intention—so the videos from the Arab Spring on YouTube, for example, range from small babies in prams to women forming barricades against a marching army, and from people giving out free food and water to acts of vandalism and petty thefts—has become the new aesthetic of video interaction, consumption and circulation. It invites an engagement, divesting our energies and attentions from the physical and the political, to the aesthetic and the discursive. Which is to say that when we consume these spectacles (or indeed, produce them, not necessarily only through the images but also through texts), we produce a parallel universe that demands that we understand the world ‘out there’ through these cultural artefacts which require an immense amount of decoding and meaning making. The network, in its turn, offers us better and more exhaustive tools of mining and sifting through this information, sorting and arranging it, curating and managing it, so that we build more efficient networks without essentially contributing to the on-the-ground action.

This peculiar self-sustaining selfish nature of the network, to become the only reality, under the guise of attempting to explain reality, is perhaps the most evident in times and geographies of crises. Where (and when) the conditions of politics, circumstances of everyday survival, and the algebra of quotidian life becomes too precarious, too wearisome, too unimaginable to cope with, the network spectacle appears as both the tool for governance as well as the site of protest. Hence, the same technologies are often used by people on different sides of the crises, to form negotiations and get a sense of control, on a reality that is quickly eluding their lived experiences. Surveillance cameras storing an incredible amount of visual data, forming banal narratives of the everyday, appear in critical times and geographies as symbols of control and containment, by authorities that seek to establish their sovereignty over unpredictable zones of public life and dwelling. The gaze of the authority is often criss-crossed by the cell-phone, the webcam, the tiny recording devices of everyday life that people on the streets and in their houses use, to record the nothingness of the crisis, the assurance of normalcy and the need to look over the shoulder and beyond the house, to know that whether or not god is in the heavens, all is well with the world.

The Place of the Visual: Towards a theory of emplaced visuality

However, with the rise of mobile media and its micronarrative capacity, the politics of network, and its relationship to a sense of place changes. Far from eroding a sense of place in the growing unboundness of home, mobile technologies reinforce the significance locality.[7] Mobile media also signal a move away from earlier depictions of the network society. Through the growth in camera phone practices overlaid with location-based services, we see new forms of visuality that reflect changing relations between place and information. With the rise of technologies in an increasingly mobile—physically and technologically—place has become progressively more contested. As Rowan Wilken and Gerard Goggin note in Mobile Technologies and Place, place is one of the most contested, ambiguous and complex terms today.[8] Viewing it as unbounded and relational, Wilken and Goggin observe, ‘place can be understood as all-pervasive in the way that it informs and shapes everyday lived experience—including how it is filtered and experienced via the use of mobile technologies’.[9] As social geographer Doreen Massey notes, maps provide little understanding into the complex elusiveness of place as a collection of ‘stories-so-far’:

One way of seeing ‘places’ is as on the surface of maps… But to escape from an imagination of space as surface is to abandon also that view of place. If space is rather a simultaneity of stories-so-far, then places are collections of those stories, articulations within the wider power-geometries of space. Their character will be a product of these intersections within that wider setting, and of what is made of them… And, too, of the non-meetings-up, the disconnections and the relations not established, the exclusions. All this contributes to the specificity of place.[10]

For anthropologist Sarah Pink, place is increasingly being mapped by practices of emplacement.[11] With location based media like Google Maps and geotagging becoming progressively part of everyday media practice, how place is imagined and experienced across geographic, psychological, online and offline spaces is changing. This impacts upon the role of ethnography and its relationship to geography and place. As Anne Beaulieu notes, ethnography has moved from co-location to co-presence.[12] In this shift, we see the role of ethnography to address the complex negotiations between online and offline spaces growing.

In The Neighbour before the House, we are made to consider the changing role of visuality in how place is experienced and practiced. By deploying a surveillant and multivalent gaze, The Neighbour before the House asks us to reconsider privacy and surviellance in an age of locative media. The rise of the network society has witnessed numerous tensions and ambivalence, especially around the the relationship between agency, information and place. This is epitomised by the second generation camera phones practices whereby with the added layer of LBS—where and when images were taken—becomes automatic by default. Whereas first generation of camera phone practices noted gendered differences.[13] through LBS, these differences take on new dimensions—particularly in terms of its potential ‘stalker’ elements.[14] While notions of privacy differ subject to socio-cultural context, LBS do provide more details about users and thus allow them to be victims of stalking (Cincotta, Ashford, & Michael 2011).

The shift towards second generation camera phone images sees a movement away from networked towards emplaced visualities (Pink & Hjorth 2012; Hjorth 2013; Hjorth & Arnold 2013). On the one hand, this overlaying of the geographic with the social highlights that place has always mattered to mobile media (Ito 2002; Hjorth 2005). Far from eroding place, mobile media amplify the complexities of place as something lived and imagined, geographic and yet psychological. LBS enable mobile media users to create and convey more complex details about a locality. On the other hand, LBS create new motivations for narrating a sense of place and the role of amateur and vernacular photography.

Shifts in contemporary amateur photography highlight the changes in how place, co-presence and information is navigated, performed and represented. This issues are particularly prevalent in contested location like Palestine. Last century it was the Kodak camera that epitomized amateur photography and played an important role in normalizing notions of the family as well as ritualizing events such as holidays.[15]

As Lisa Gye notes, personal photography is central to the process of identity formation and memorialization.[16] The shift towards camera phones not only changes how we capture, store, and disseminate images but also has ‘important repercussions for how we understand who we are and how we remember the past’.[17]

Moreover, with the rise in possibilities for sharing via social media like microblogs and Twitter, camera phone photography not only magnifies UCC, but also provides filters and lenses to enhance the “professional” and “artistic” dimensions of the photographic experience.[18]

For Daniel Palmer, smartphone photography is distinctive in various ways, with one key feature being the relationship between touch and the image in what he calls an ”embodied visual intimacy” (2012: 88). With the rise of high quality camera phones, along with the growth in distribution services via social and locative media, new forms of visuality are emerging (Pink & Hjorth 2012). The added dimensions of movement and touch becoming important features of the camera phone with the emphasis on networked is shifting to “emplaced” visuality. Images as emplaced in relation to what human geographer Tim Ingold has called a “meshwork” and entanglement of lines (2008). Images themselves are part of such lines as they are inextricable from the camera and person who took them. In this sense camera phone images are not simply about what they represent (although they are also about that) but are additionally about what is behind, above, below, and to either side.

By using different smartphone photo apps, respondents tried to inscribe a sense of place with emotion. This practice is what anthropologist Sarah Pink identifies as the “multisensorality of images.” That is, they are located in “the production and consumption of images as happening in movement, and consider them as components of configurations of place” (Pink 2011: 4). Drawing on Tim Ingold’s conceptualization of place as “entanglement” (Ingold 2008), Pink notes, “Thus, the ‘event’ where photographs are produced and consumed becomes not a meeting point in a network of connections but an intensity of entangled lines in movement… a meshwork of moving things” (Pink 2011: 8).

While the surveillant eye of Big Brother now takes the form of Big Data, the emplaced nature of camera phone images can help to contribute to a changing relationship between performativity, memory and place that is user-orientated. Rather than operating to memorialize place, camera phone practices, especially through LBS networks, are creating playful performances around the movement of co-presence, place and placing (Richardson & Wilken 2012). As noted elsewhere, Pink and Hjorth argue that camera phone practices are highlighting a move away from the network society towards emplaced visualities and socialities (2012). Emplaced visuality means understanding camera phone practices and the socialities that create and emerge through them in ways corresponding with non-representational (Thrift, 2008) or ‘more-than-representational’ approaches in geography which according to Hayden Lorimer encompass:

… how life takes shape and gains expression in shared experiences, everyday routines, fleeting encounters, embodied movements, precognitive triggers, affective intensities, enduring urges, unexceptional interactions and sensuous dispositions (Lorimer, 2005: 84).

Thus we see camera phone photography as a part of the flow of everyday life, an increasingly habitual way of being that is sensed and felt (emotionally and physically). Yet, because camera phone photography involves the production and sharing of images, it also compels us to engage with the relationship between the representational and the non-representational. Emplaced visualities see images as embedded with the movements of everyday life. Tim Cresswell has suggested that we consider ‘three aspects of mobility: the fact of physical movement—getting from one place to another; the representations of movement that give it shared meaning; and, finally, the experienced and embodied practice of movement’ (Cresswell, 2010: 19). These three aspects of mobility are deeply interwoven and entangled. In camera phone photography the experience and representation of camera phone photography is enacted in the ‘flow’ of everyday life at the interface where digital and material realities come together. These emplaced visualities are often abstracted through the mechanics of Big Data mega surveillance. But as The Neighbour before the House demonstrates, the perpetual movement of emplaced visualities is in sharp contrast with the unmoving, omipresent Big Data eye.

This contrast between the moving and unmoving, micro and macro information overlaid onto place can also be reflected as part of the shift from the flâneur to the phoneur. The notion of mobility—as a technology, cultural practice, geography and metaphor—has impacted upon the ways in which twenty-first century cartographies of the urban play out. Through the trope of mobility, and immobility, rather than overcoming all difference and distance, the significance of local is reinforced. While nineteenth-century narrations of the urban were symbolised by the visual economics of the flâneur, the twenty-first century wanderer of the informational city has been rendered what Robert Luke calls the phoneur. [19] The conceptual distance, and yet continuum, between the flâneur and the phoneur is marked by the paradigmatic shift of the urban as once a geospatial image of, and for, the bourgeoisie, as opposed to the phoneur which sees the city transformed into informational circuit in which the person is just a mere node with little agency. Beyond dystopian narrations about the role of technology in maintaining a sense of intimacy, community and place, we can find various ways in which the tenacity of the local retains control. In particular, through the tension between mobile media and Big Data, we can see how the local and the urban can be re-imagined in new ways.

The flâneur (or the wanderer of the modern city), best encapsulated by German philosopher Walter Benjamin’s discussion of Baudelaire’s painting, has been defined as an important symbol of Paris and modernity as it moved into nineteenth century urbanity. Thanks to the restructuring of one third of the small streets into boulevards by Baron Hausmann, Paris of the nineteenth century took a new sense of place and space.

Luke’s phoneur, on the other hand, is the ‘user’ as as part of the informational network flows constituting contemporary urbanity. If the flâneur epitomised modernism and the rise of nineteenth-century urban, then for Luke, the phoneur is the twenty-first-century extension of this tradition as the icon of modernity. As Luke observes, in a networked city one is connected as part of circuit of information in which identity and privacy is at the mercy of system. The picture of the urban city today painted by Luke is one in which the individuals have minimal power in the rise of corporate surveillance.

Neighbour before the House problematises Luke’s dystopian view of the phoneur. The picture painted by Neighbour before the House is much more ambivalent. However it does make the audience reflect upon the changing nature of surveillance in an age of Big Data.[20]

These tensions around the dystopian phoneur and a more embodied and emplaced version can be found running as an undercurrent in the work of Neighbour before the House.

Conclusion

In this chapter we have explored the cross-cultural video collaboration, The Neighbour before the House, to consider the changing relationship between a sense of place, information and the politics of visuality. As we have suggested, with the rise of location-based camera phone practices and Big Data we are seeing new forms of visuality that are best described as emplaced rather than networked. The notion of emplaced reflects some of the tensions around contemporary representations of mobility and movement, particularly prevalent in the often displaced and diasporic experiences of Palestine.

Filmed in Palestine,The Neighbour before the House explores the notion of place as entangled and embedded at the same time as displaced through the rise of ICTs. By providing some of the paradoxes and ambivalences surrounding contemporary media practices and its relationship between information and place, it allows for a space for reflection and contemplation about the surveillence and privacy.

---

[1]. Jean Burgess, Vernacular creativity and new media (Doctoral dissertation), 2007. Retrieved from http://eprints.qut.edu.au/16378/

[2]. Sarah Pink and Larissa Hjorth Emplaced Cartographies: Reconceptualising camera phone practices in an age of locative media’, Media International Australia, 145 (2012): 145-156.

[3]. Doreen Massey

[4]. Shaina Anand interviewed by Nishant Shah, December 2012.

[5]. Raine, L. and B. Wellman 2012, Networked, Cambridge, Mass, MIT Press.

[6]. Ibid.

[7]. Mizuko Ito, ‘Mobiles and the Appropriation of Place’. Receiver 8, 2002, (consulted 5 December 2012) http://academic.evergreen.edu/curricular/evs/readings/itoShort.pdf ; Hjorth, L. (2005) ‘Locating Mobility: Practices of Co-Presence and the Persistence of the Postal Metaphor in SMS/MMS Mobile Phone Customization in Melbourne’, Fibreculture Journal, 6, (consulted 10 December 2006) http://journal.fibreculture.org/issue6/issue6_hjorth.html.

[8]. Rowan Wilken and Gerard Goggin, ‘Mobilizing Place: Conceptual Currents and Controversies’, in R. Wilken and G. Goggin (Eds) Mobile Technology and Place, New York, Routledge, 2012, pp. 3-25 (5).

[9].Ibid 6.

[10]. Doreen Massey,For Space, London, Sage, 2005 (130).

[11]. Sarah Pink, Doing Sensory Ethnography, London, Sage, 2009.

[12]. Anne Beaulieu, ‘From Co-location to Co-presence: Shifts in the Use of Ethnography for the Study of Knowledge’. Social Studies of Science, 40 (3) 2010: June. 453-470.

[13]. Dong-Hoo Lee, ‘Women’s creation of camera phone culture’. Fibreculture Journal 6, 2005, URL (consulted 3 February 2006) http://www.fibreculture.org/journal/issue6/issue6_donghoo_print.html; Larissa Hjorth, ‘Snapshots of almost contact’. Continuum, 21 (2) 2007: 227-238.

[14]. Alison Gazzard, ‘Location, Location, Location: Collecting Space and Place in Mobile Media’. Convergence: The International Journal of Research into New Media Technologies, 17 (4) 2011: 405-417.

[15]. Lisa Gye, ‘Picture this: the impact of mobile camera phones on personal photographic practices,’ Continuum: Journal of Media & Cultural Studies 21(2) 2007: 279–288.

[16]. Ibid 279.

[17]. Ibid 279.

[18]. Søren Mørk Petersen,Common Banality: The Affective Character of Photo Sharing, Everyday Life and Produsage Cultures, PhD Thesis, ITU Copenhagen.

[19]. Robert Luke, ‘The Phoneur: Mobile Commerce and the Digital Pedagogies of the Wireless  Web’, in P. Trifonas (ed.) Communities of Difference: Culture, Language, Technology, pp. 185-204, Palgrave, London, 2006.

[20]. Sites such as www.pleaserobme.com, that seek to raise awareness about over-sharing of personal data, highlight not only the localised nature of privacy but also that privacy is something  we do rather than something we possess.

The expanding scope and extent of massive data collection and surveillance undertaken by bodies like the USA’s National Security Agency compromises our privacy and stifles our freedom of speech and expression in its most vital public spheres, affecting the civil liberties of citizens of countries all across the world.

The previous year has been a watershed year for reclaiming the internet as a free and open space, primarily through the exposure of the unwarranted systems of surveillance that threaten it, by whistle-blowers like Edward Snowden and WikiLeaks. Despite all these efforts, they have only managed a dent in the surveillance regimes, which continue unbridled, with the protection of the state and the surveillance industry. The future of a free internet depends upon the systematic challenge of these programs by the millions of internet users they affect.

February 11, 2014 is the day we fight back against mass surveillance. Organized by the Electronic Frontier Foundation, and supported by thousand of organizations like Mozilla and the Centre for Internet and Society, on this day of action, citizens around the world will demand an end to these programs that threaten the freedom of the internet. You can support this cause by signing and supporting the 13 Principles (International Principles on the Application of Human Rights to Communications Surveillance), and contacting your local media, petitioning your local legislators and telling your friends and colleagues about the topic. Publicizing the movement and creating a buzz around it will help spread the message to many others across the internet. Do anything that will make the fight more visible and viable, such as organizing or attending public lectures, or creating tools or memes or art to spread information. For more ways in which you can contribute, and more information on the event, visit the website.

The users of the internet deserve a free and open internet and deserve and end to mass surveillance. If we can make enough noise, make enough of an impact, we can greatly bolster the movement for reclaiming the internet.

---

Click to download the file (PDF, 2436 Kb). Dr. Nishant Shah's review can be found on page 16.

---

The Age of Amazon’ is not just the title of a book, it is a retrospective on the history of e-commerce as well as a prophecy for the shape of things to come. In his meticulously reported book, Brad Stone takes us through the roller coaster ride of the ‘Everything Store’ that Amazon has become, building a gripping tale of an idea that has become synonymous to the world of online shopping in just over two decades.

The book reads well as a biopic on the visionary lunacy of Jeff Bezos, the founder of Amazon, as well as a gripping tale of how ideas grow and develop in the digital information age. Stone is an expert storyteller, not only because of his eye for the whimsical, the curious and the enchantment of the seemingly banal, but also because of his ability to question his own craft.

At the very outset, Stone warns us that the book has been compiled through workers at employee, but not Bezos himself. This helps Stone separate the maker from the brand — unlike Steve Jobs who became the cult icon for Apple, Bezos himself has never become the poster child of his brand, allowing

Amazon to become not only an everything store but everybody store. But it means that Stone’s task was to weave together the personal biography of Bezos, his dramatic journey through life with the tumultuous and adventurous inception and growth of Amazon, and his skill lies in the meeting of the twines, which he does with style, ease and charm.

One of the easiest accusations to throw at a book like this is to state that it reduces the murky, blurred, messy and incoherent set of events into a narrative that establishes causes and attributes design and intention where none existed. However, Stone was confronted with the idea of ‘Narrative Fallacy’ — a concept coined by Nassim Nicholas Taleb in his Black Swan, referring to the tendency of human beings to reduce complex phenomenon to “soothing but oversimplified stories”. In fact, the challenge to not reduce the book to a series of connected anecdotes was posed by Bezos when Stone pitched the book to him. And what has emerged is a book about accidents, serendipity, risk, redundancy, failure charting the ineffable, inscrutable and inexplicable ways in which digital technologies are shaping the worlds we live in.

With the rigour and journalistic inquiry that Stone has displayed in his regular writings in The Businessweek, The Everything Store has stories which are as memorable as they are unexpected. Stone does a fantastic job of charting Bezos’ life — from tracking down the lost father who had no idea what his son, who he had abandoned at age three, has become, to the chuckleworthy compilation of Bezos’ favourite quotes (Stone calls it his ‘greatest hits’), the book is filled with pointed and poignant observations and stories that give us an idea of the extraordinary life of Jeff Bezos. But unlike the expected character creation of a mad genius, what you get is the image of a man who lived in contradictions: wedded to his internal idea of truth but also ruthless in his business policies which were predatory and competitive to say the least; a businessman who once wrote a memo titled ‘Amazon.love’ about how he wanted a company to be “loved not feared” but also used the metaphor of a “cheetah preying on the gazelles” in its acquisition of smaller businesses; a man who thought of himself as a “missionary rather than a mercenary” and yet built a business empire that embodies some of the most discriminatory, exploitative and stark conditions of adjunct, adhoc, underpaid and contract-based labour of our precariously mobile worlds.

Stone is masterful as he segues from Bezos’ personal life and ambitions into the monomaniacal and turbulent trajectory of Amazon. Amazon is not a simple success story. It tried and failed at many things, but what remains important is how, it failed at the traditional way of doing things and succeeded at the internet way of thinking. So when Amazon failed, it was not a failure to succeed, but a failure that resulted because the infrastructure needed to make it succeed was not yet in place. Stone’s narrative that effortlessly takes us through the economics, trade, policies, regulation, administration and struggles of Amazon, shows how it was a company that had to invent the world it wanted to succeed in, in order to succeed. In many ways, the book becomes not only about Amazon and its ambitions to sell everything from A-Z, but about how it built prototypes for the rest of the world so that it could become relevant and rule.

But the book is not a Martin-Scorsese-type homage to the scoundrel or the villain. While it is imbued up and spit you out. And if you are good, he will jump on your back and ride you into the ground.” Or as Stone himself suggests, that is the way the company is going to grow “until either Jeff Bezos exits the scene or no one is left to stand in his way”. This policy of taking everything from its employees and channelling it to the relentless growth of the company accounts for not only the high attrition rate of top executives but also the growing controversies about work and labour conditions in Amazon warehouses and on-the-ground delivery services.

Stone’s book does not go into great detail about the new work force that companies like Amazon produce — a work force that is reduced to being a cog in a system, performing mechanical tasks, working at minimal wage, and without the protections that are offered to the white collar high-level technology executives that are the popup children of the digital trade. Stone reminds us that behind the incredible platform that Amazon is, is a massive physical infrastructure which almost reminds us of the early industrial days where the labourer was in a state of exploitation and precariousness. And even as we celebrate the rise of these global behemoths, we might forget that behind the seductive interfaces and big data applications, that under the excitement of drone-based delivery systems and artificial intelligence that will start delivering things even before you place the order, is a system that pushes more and more workers in unprotected and exploitative work conditions.

All in all, The Everything Store is a little bit like Amazon itself. It is a love story of a man with his ideas, and how the rest of the world has shifted, tectonically, to accommodate these eruptions. In its historical retrospective, it shows us the full scope of the ideas and possibilities that inform Amazon, and thus the future that it is going to build for us. And with masterful craftsmanship, Brad Stone writes that it is as much about the one man and his company, as it is about the physical and affective infrastructure of our rapidly transforming digital worlds.

In the absence of any law for the protection of whistle-blowers in the country, exposing the rampant corruption in our public institutions has become a hazardous occupation, with reports of threat and intimidation and even incidents of murder of whistle-blowers commonplace.[1] With the Whistle blower’s Protection Bill in abeyance and without any strict laws protecting the identities of the whistle-blowers who challenge such a corrupt system, even the mechanisms like the Right to Information Act which are meant to safeguard against systemic abuse and ensure transparency are being severely undermined.

For this reason, the Calcutta High Court’s affirmation of whistle-blowers’ privacy and identity protection is an important development. Through its order on the 20th of November, 2013, the Calcutta High Court held that for the purposes of section 6(2), which requires an application to the Public Information Officer to provide contact details of the applicant, it is sufficient in such application to disclose only the post-box number of the applicant. The court directed the Government to accept RTI applications without personal details or detailed whereabouts, when a post-box number or sufficient detail has been provided to establish contact between the whistle-blower and the authority. However if a public authority has any difficulty contacting the applicant through the Post Box No. the applicant may be asked to provide other contact details. The court further directed that personal details of applicants are not to be posted on the authorities’ websites.

The order, which was notified by the Government last week, ensures to some extent the protection of a whistle-blowers identity, and reduces the chances of the RTI being undermined by threats or acts of violence by those who are a part of the corrupt system, against persons exercising their right to information. However, its implementation is liable to be contingent on the authorities’ interpretation of when it would be “difficult” to establish contact between the authority and the applicant. Certain practical difficulties could also undermine the actual impact of the order, such as the fact that many applications are sent through registered or speed post, which cannot be mailed to a post-box number, especially since ordinary post cannot be tracked online like speed or registered post.[2]

Developing a system in which ordinary citizens do not have to fear retaliation for exposing corruption requires a comprehensive legislation protecting whistle-blowers identities and ensuring data security. However, the important message this judgement sends out is that the judiciary is still committed to protecting whistle-blowers, in lieu of the government’s actions. This is a particularly important stance taken by the Court, considering the Supreme Court in the past has refused to frame guidelines for whistle-blower protection, citing the imperative in enacting a whistle-blower legislation to be the Parliament’s.[3]

A full text of the judgement is available here.

---

[1].Whistleblower shot dead in Bihar, THE HINDU, available at http://www.thehindu.com/news/national/whistleblower-shot-dead-in-bihar/article4542293.ece; Tamil Nadu Whistleblower alleges death threats; Silence from Government, NDTV, available at http://www.ndtv.com/article/india/tamil-nadu-whistleblower-alleges-death-threats-silence-from-govt-410450.

[2]. Indian Postal Tracking Portal, http://www.indiapost.gov.in/tracking.aspx.

[3]. Supreme Court refuses to frame guidelines for protection of whistleblowers, Daily News and Analysis, available at http://www.dnaindia.com/india/report-supreme-court-refuses-to-frame-guideline-for-protection-of-whistleblowers-1525622.

---

Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Department of Electronics and Information Technology

---

The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY ) in reply. The Report concludes with recommendations from the Standing Committee on the way forward.

The Report represents an important step forward in the realm of privacy and cyber security in India as the evidence provided by DEITY  clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and needed steps forward– particularly the need for a privacy legislation in India in the context of cyber security, increased transactions of sensitive data, and governmental projects like the Unique Identification Project.

Broadly, the Standing Committee sought input from DEITY  on eight different aspects of cyber crime, cyber security, and privacy in India - namely:  the growing incidents of cyber crime and resulting financial loss, the challenges and constraints of cyber crime,  the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanism, and education and awareness initiatives. The evidence provided by DEITY  sheds light on the present mindset of the Government at this time, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.

The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:

Need for a privacy legislation and inadequacy of privacy provisions in Information Technology Act: When asked by the Standing Committee about the right to privacy and cyber security, DEITY  highlighted the fact that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing a privacy legislation that will address the general concerns of privacy in the country, and thus the two together will be sufficient. DEITY  also noted that no study on the extent of privacy breach due to cyber crime in India has been conducted. In their recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations . Significantly, the Standing Committee recommended that though the DoPT is currently responsible for drafting the Privacy Bill, DEITY  should coordinate with the DoPT and become involved in the process.

As recognized by the Standing Committee, the Centre for Internet and Society would like to  further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for a privacy legislation in India.  Inadequate aspects of the provisions have been pointed out by a number of sources. For example:

1. The Report of the Group of Experts on Privacy: Prepared by the committee chaired by Justice AP Shah
2. First Analysis of the Personal Data Protection Law in India: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security
3. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha
4. India’s U-Turns on Data Privacy: Prepared by Graham Greenleaf for the Privacy Laws & Business International Report, Issues 110 -114, 2011

Unclear Enforcement of 43A and associated rules: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India and empanelled security auditors through CERT-in are responsible for the ‘auditing of best practice’s (pg 24).  The Standing Committee did not directly respond to this comment.

The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors through CERT-in were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies  that have been found to be compliant.  The Centre for Internet and Society would like to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.

UIDAI not in compliance with 43A and associated Rules:  In evidence provided, DEITY  noted that “..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) In their recommendations the Standing Committee did not directly address this comment, but did emphasize the need for a privacy legislation in light of the UID scheme.

The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a Body Corporate, and is not in compliance with 43A or the subsequent Rules in the Information Technology Act. Furthermore, the UID project involves the handling and processing of data in analogue and digital formats, and thus the privacy protections found under 43A are not sufficient.

The potential harms of metadata: In evidence provided, the Department noted  “...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.” (pg.47) The Standing Committee did not respond directly to this comment.

The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to preventing such an interception from taking place and for recommending the Department to take develop a policy to prevent future instances of interception from taking place. The Centre for Internet and Society would like to emphasize the importance and potential sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications as sensitive and confidential.

Inadequacy of the Information Technology Act: When asked by the Standing Committee if the Information Technology Act provided sufficient legal safeguards for cyber security and cyber crime, DEITY  highlighted the fact that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner.  DEITY  also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and the Department of Personnel and Training  is in the process of drafting a privacy legislation for India that will fill any gaps that exist. In their recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime, but, especially in the recent controversy over section 66A of the Act, Standing Committee emphasized the need for periodical reviews of the IT Act.

The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodical review of the Information Technology Act, particularly in light of the controversy over 66 A. The Centre for Internet and Society would like to underscore the problems associated with 66A and would like to highlight that with regards to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the below links:

1. Breaking Down Section 66A of the IT Act
2. Short note on IT Amendment Act, 2008

Implications of domestic servers:  In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY  noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution to protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY  to take further steps towards securing and protecting the privacy of Indian data through the hosting of servers for critical sectors within India.

The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government of potential implications on users ability to freely access content and services, and highlight the fact that localization of servers is not a security solution in itself as a comprehensive solution and hardening of critical assets against cyber attacks is essential.

Incorporation of safeguards into MOU’s for international cooperation: When asked about MOU’s for international cooperation that DEITY  has engaged in with other countries, DEITY  reported that currently CERT-in is entering into a number of MOU’s with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kasakhstan, Finland, and the Canada Electronics and ICT sector. DEITY  is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported  India entering into MOU’s for purposes of international cooperation, and encouraged DEITY  to continue entering into MOU’s to mitigate jurisdictional complications when seeking to address issues related to cyber security.

The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY  to ensure that all MOU’s and/or  Mutual Legal Assistance Agreements:

• Uphold the principle of dual criminality
• Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance
• Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.
• Are clearly documented and publicly available
• Contain provisions guaranteeing  procedural fairness.[1]

Hactivism as a benefit to society: In evidence provided on page 14, DEITY, among other elements, referred to Hactivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.

The Centre for Internet and Society would like to point out that hacktivism is a complex topic and consists of methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism  can benefit society and strengthen cyber security by  finding and revealing vulnerabilities in a system, and bringing attention to illegal or violative practices.

This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and the Government should not broadly label hacktivism as a challenge to cyber security and cyber crime.[2]

Importance of the anonymous speech: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet posed. This was reiterated by the Standing Committee in their recommendations.

While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.

Conclusion

Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for a privacy legislation in light of governmental projects like the UID,  the Centre for Internet and Society welcomes the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy and echoes the Standing Committees recommendation and emphasis on the need for a comprehensive privacy legislation to be passed in India.

---

[1]. These safeguards are reflected in the principle of “safeguards for International Cooperation” found in the International Principles on the Application of Human Rights to Communications Surveillance”  https://en.necessaryandproportionate.org/text

[2]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: http://www.iwar.org.uk/cyberterror/resources/denning.htm

In early 2013 the Centre for Internet and Society drafted the Privacy (Protection) Bill 2013 as a citizen’s version of privacy legislation for India. The Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

The Centre for Internet and Society has been collecting comments to the Privacy Protection Bill since April 2013 with the intention of submitting the Bill to the Department of Personnel and Training as a citizen’s version of a privacy legislation for India.  If you would like to submit comments on the Privacy Protection Bill to be included as part of the Centre for Internet and Society’s submission to the Department of Personnel and Training, please email comments to [email protected].

---

Download the latest version of the Privacy Protection Bill (February 2014)

In continuance of research around the Draft Human DNA Profiling Bill that has been drafted the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares the section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.

Indian Provision

35 (1) “On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely –

(a) As to whether the DNA profile received is already contained in the Data Bank; and

(b) Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.

(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”

Canadian Provision vs. Indian Provision

According to the Draft Human DNA Profiling Bill 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:

1. The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, where as the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals.
2. The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, where as the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank.
3. The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including:

1. (a) if the DNA profile is not already contained in the data bank, the fact that it is not;
2. (b) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;
3. (c) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and
4. (d) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (c) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.

While the Draft Human DNA Profiling Bill provides for communication of only (a) and (b) by the DNA Data Bank Manager.

Concerns with 35(1) and Best Practices

The Centre for Internet and Society finds 35(1) problematic because a  DNA profile is never a complete match, and is instead a scientific and statistical based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.”

Though it is common for DNA Banks to communicate responses such as “match”,  “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example in England and Wales guidelines for presenting DNA evidence in court were laid out in the rule Rv. Dohemy and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:

• “The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability.
• Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations.
• The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made.
• The expert will, on the basis of empirical statistical data, five the jury the random occurrence rations - the frequency with which the matching DNA characteristics are likely to be found in the population at large.
• Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”

Recommendations

Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The  Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA Laboratory’s and the DNA Bank Manger’s response to courts and tribunals as below:

• Response to Law enforcement agency and DNA Laboratory: The DNA Bank Manger should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match" .
• Response to Court and tribunal: When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:

1. The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random.
2. The frequency with which the matching DNA characteristics are likely to be found in the population at large.
3. The probability of contamination.

The Bill should also provide for the database upon which the calculations were based to be made available when requested.  In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.

---

[]. http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx

[2]. http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf

This article by Maria Xynou was published by OpenDemocracy on 10 February 2014.

Worried about the secret, mass surveillance schemes being carried out by the NSA? While we should be, some of the surveillance schemes in the world's largest democracy, India, are arguably in the same league.

Surveillance is being globalised to the extent that even India, a country with huge poverty issues, is investing millions of dollars in creating an expansive surveillance regime. However, why would communications monitoring interest Indian authorities, when the majority of the population lives below the line of poverty and only 17% of the population has access to the Internet?

The official political motivation behind surveillance in India appears to be the government's determination to tackle terrorism in the country. The 2008 Mumbai terrorist attacks were arguably a similar landmark to the 9/11 terrorist attacks in the US, and both governments officially announced their intention to carry out surveillance as a counter-terrorism measure. However, unlike in the west, terrorist attacks in India are much more common, and the National Security Adviser reported in 2008 that 800 terrorist cells were operational in the country. With India’s history of major terror attacks in India over the last 25 years, it's easy for one to be persuaded that terrorism is actually a major threat to national security.

India's surveillance schemes

India’s surveillance programs mostly started following the 2008 Mumbai terror attacks. That was when the Ministry of Home Affairs first proposed the creation of a National Intelligence Grid (NATGRID), which will give 11 intelligence and investigative agencies real-time access to 21 citizen data sources to track terror activities. These citizen data sources will be provided by various ministries and departments, otherwise called “provider agencies”, and will include bank account details, telephone records, passport data and vehicle registration details, among other types of data.

The Ministry of Home Affairs has sought over Rs. 3,400 crore (around USD 540 million!) for the implementation of NATGRID, which aims to create comprehensive patterns of intelligence by collecting sensitive information from databases of departments like the police, banks, tax and telecoms to supposedly track any terror suspect and incident.

But NATGRID is far from India's only data sharing scheme. In 2009 the Cabinet Committee on Economic Affairs approved the creation and implementation of the Crime and Criminal Tracking Network & Systems (CCTNS), which would facilitate the sharing of databases among 14,000 police stations across all 35 states and Union Territories of India, excluding 6,000 police offices which are high in the police hierarchy. Rs. 2,000 crore (around USD 320 million) have been allocated for the CCTNS, which is being implemented by the National Crime Records Bureau under the national e-governance scheme. The CCTNS not only increases transparency by automating the function of police stations, but also provides the civil police with tools, technology and information to facilitate the investigation of crime and detection of criminals.

But apparently, sharing data and linking databases is not enough to track criminals and terrorists. As such, in the aftermath of the 2008 Mumbai terror attacks, the Indian government also implemented various interception systems. In September 2013 it was reported that the Indian government has been operating Lawful Intercept & Monitoring (LIM) systems, widely in secret. In particular, mobile operators in India have deployed their own LIM systems allowing for the so-called “lawful interception” of calls by the government. And possibly to enable this, mobile operators are required to provide subscriber verification to the Telecom Enforcement, Resource and Monitoring (TERM) cells of the Department of Telecommunications.

In the case of Internet traffic, the LIM systems are deployed at the international gateways of large Internet Service Providers (ISPs) and expand to a broad search across all Internet traffic using “keywords” and “key-phrases”. In other words, security agencies using LIM systems are capable of launching a search for suspicious words, resulting in the indiscriminate monitoring of all Internet traffic, possibly without court oversight and without the knowledge of ISPs.

India has also automated and centralized the interception of communications through the Central Monitoring System (CMS). This project was initially envisioned in 2009, following the 2008 Mumbai terror attacks and was approved in 2011. The CMS intercepts all telecommunications in India and centrally stores the data in national and regional databases. The CMS will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Intelligence Bureau (IB), the Central Bureau of Investigation (CBI), the Directorate of Revenue Intelligence (DRI), the Research and Analysis Wing (RAW) and the National Investigation Agency (NIA).

Unlike mainstream interception, where service providers are required to intercept communications and provision interception requests to law enforcement agencies, the Central Monitoring System will automate the entire process of interception. This means that the CMS authority will have centralized access to all intercepted data and that the authority can also bypass service providers in gaining such access. Once security agencies have access to this data, they are equipped with Direct Electronic Provisioning, filters and alerts on the target numbers, as well as with Call Details Records (CDR) analysis and data mining tools to identify the personal information of target numbers.

Given that roughly 73% of India's population uses mobile phones, this means that the Central Monitoring System can potentially affect about 893 million people, more than double the population of the United States! However, how is it even possible for Indian authorities to mine the data of literally millions of people? Who supplies Indian authorities with the technology to do this and what type of technology is actually being used?

India's surveillance industry

India has the world's second largest population, consisting of more than a billion people and an expanding middle class. Undoubtedly, India is a big market and many international companies aspire in investing in the country. Unfortunately though, along with everything else being imported into India, surveillance technologies are no exception.

Some of the biggest and most notorious surveillance technology companies in the world, such as ZTE, Utimaco and Verint, have offices in India. Even FinFisher command and control servers have been found in India. However, in addition to allowing foreign surveillance technology companies to create offices and to sell their products and solutions in the country, local companies selling controversial spyware appear to be on the rise too.

Kommlabs Dezign is an Indian company which loves to show off its Internet monitoring solutions at various ISS trade shows, otherwise known as “the Wiretapper's Ball”. In particular, Kommlabs Dezign sells VerbaNET, an Internet Interception Solution, as well as VerbaCENTRE, which is a Unified Monitoring Centre that can even detect cognitive and emotional stress in voice calls and flag them! In other words, Kommlabs Dezign makes a point that not only should we worry about what we text and say over our phones, but that we should also worry about what we sound like when on the phone.

Vehere is another Indian company which sells various surveillance solutions and notably sells vCRIMES, which is a Call Details Records (CDR) analysis system. VCRIMES is used to analyse and gather intelligence and to unveil hidden interconnections and relations through communications. This system also includes a tool for detecting sleeper cells through advanced statistical analysis and can analyse more than 40 billion records in less than 3 seconds.

Paladion Networks is headquartered in Bangalore, India and sells various Internet Monitoring Systems, Telecom Operator Interception Systems, SSL Interception and Decryption Systems and Cyber Cafe Monitoring Systems to law enforcement agencies in India and abroad. In fact, Paladion Networks even states in its website that its customers include India's Ministry of Information Technology and the U.S Department of Justice.

ClearTrail Technologies is yet another Indian company which not only sponsors global surveillance trade shows but also sells a wide range of monitoring solutions to law enforcement agencies in India and abroad. ComTrail is a solution for the centralised mass interception and monitoring of voice and data networks, including Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls. Furthermore, ComTrail is equipped to handle millions of communications per day, correlating identities across multiple networks, and can instantly analyse data across thousands of terabytes.

ClearTrail also sells xTrail, which is a solution for the targeted interception, decoding and analysis of data traffic over IP networks and which enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. Interestingly, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID.

Apparently, some the biggest challenges that law enforcement agencies face when monitoring communications include cases when targets operate from public Internet networks and/or use encryption. However, it turns out that ClearTrail's QuickTrail solution is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. This device can remotely deploy spyware into a target's computer and supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS.

Additionally, QuickTrail can identify a target machine on the basis of metadata, such as an IP address, and can monitor Ethernet LANs in real time, as well as monitor Gmail, Yahoo and all other HTTPS-based communications. ClearTrail's mTrail is designed for the passive 'off-the-air' interception of GSM communications, including the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information. MTrail also identifies a target's location by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation of so-called “lawfully intercepted” calls in near real-time.

In short, it looks like India is reaching the top league when it comes to surveillance technologies, especially since many of its companies and their products appear to be just as scary as some of the most sophisticated spying gear sold by the West. India may be the world's largest (by population) democracy, but that means that it has a huge population with way too many opinions...and apparently, the private and public sectors in India appear to be joining forces to do something about it.

So do Indians have nothing to hide?

A very popular rhetoric in both India and the west is that citizens should not be concerned about surveillance because, after all, if they are not terrorists, they should have nothing to hide. However, privacy advocate Caspar Bowden has rightfully stated that this rhetoric is fundamentally flawed and that we should all indeed “have something to hide”. But is privacy just about “having something to hide”? Jacob Appelbaum has stated that this rhetoric is merely a psychological copying mechanism when dealing with security.

It's probably rather comforting and reassuring to think that we are not special or important enough for surveillance to affect us personally. But is that really up to us to decide? Unfortunately not. The very point of data mining is to match patterns, create profiles of individuals and to unveil hidden interconnections and relations. A data analyst can uncover more information about us than what we are even aware of and it is they who decide if our data is “incriminating” or not. Or even worse: in many cases it's up to data mining software to decide how “special” or “important” we are. And unfortunately, technology is not infallible.

The world's largest democracy, which is also one of the most corrupt countries in the world, is implementing many controversial surveillance schemes which lack transparency, accountability and adequate legal backing, and which are largely being carried out in secret. And to make matters worse, India lacks privacy legislation. Over a billion people in a democratic regime are exposed to inadequately regulated surveillance schemes, while a local surveillance industry is thriving without any checks or balances whatsoever. What will this mean for the global future of democracy?

In the 52^nd Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated “...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) [1]

This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology “ Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011[2] and analyses publicly available documents from the UIDAI website[3] as well as the UIDAI enrolment form[4] to demonstrate the ways in which:

• UIDAI practices are in line with section 43A and the Rules,
• UIDAI practices are not in line with section 43A and the Rules,
• UIDAI practices are partially in with section 43A and the Rules
• Where more information is needed to draw a conclusion.

Applicability and Scope

Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.

Body Corporate under the Information Technology Act 2008 is defined as:

“Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”

UIDAI Practices - not in line: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.[5]

The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.

Privacy Policy on Website

Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:

• Clear and easily accessible statements of its practices and policies
• Type of personal or sensitive personal data or information collected
• Purpose of collection and usage of such information
• Disclosure of information including sensitive personal information
• Reasonable security practices and procedures as provided under rule 8

UIDAI Practices - Partially in Line

• Though the UIDAI has placed a privacy policy[6] on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.
• The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states “As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”
  
  Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.[7]
  
  The privacy policy goes on to state:  “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”
• The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.
• The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”
• The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI.

Consent

Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

UIDAI Practices - in Line
The UIDAI collects written consent from individuals through the enrolment form  for the issuance of an Aadhaar number.

Collection Limitation

Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.

UIDAI Practices - in Line
The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.

Notice During Direct Collection

Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:

• The fact that the information is being collected
• The purpose for which the information is being collected
• The intended recipients of the information
• The name and address of the agency that is collecting the information
• The name and address of the agency that will retain the information

UIDAI Practices - Partially in Line
The Aadhaar enrolment form does not provide the following information:

• The intended recipients of the information
• The name and address of the agency collecting the information
• The name and address of the agency that will retain the information

Retention Limitation

Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

UIDAI Practices - Unclear
It is unclear from publicly available information what the UIDAI retention practices are.

Use Limitation

Rule 5(5) requires that information must be used for the purpose that it was collected for.

UIDAI Practices - Unclear
It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected for.

Right to Access and Correct

Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct  personal or sensitive personal information.

UIDAI Practices - Partially in Line
Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, data of birth, and mobile number can be updated through this method. [9]

Right to ‘Opt Out’ and Withdraw Consent

Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time.  Body corporate has the right to withdraw services if consent is withdrawn.

UIDAI Practices - Partially in Line
The UID enrolment form provides individuals with one ‘optional’ field  - the option of having the UIDAI open a bank account and link it to the individuals UID number or having the UIDAI link present bank accounts to individuals UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.

Security of Information

Rule 8 requires that body corporate must secure information in accordance with the ISO  27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant up gradation of its process and computer resource.

UIDAI Practices - Unclear
The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, and it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.

Disclosure with Consent

Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request.

UIDAI Practices - Partially in Line
In the enrolment form, consent for disclosure is stated as ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.

The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states “ We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”

Prohibition on Publishing and Further Disclosure

Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal  data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.

UIDAI Practices - in Line
The UDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.

Requirements for Transfer of Sensitive Personal Data

Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.

UIDAI Practices - Unclear
It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India.

Establishment of Grievance Officer

Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporates website and grievances must be addressed within a month of receipt.

UIDAI Practices - in Line
The website of the UIDAI provides details of a grievance officer that individuals can contact.[10] It is unclear from publicly available information if grievances are addressed within a month.

---

[1]. http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf

[2]. http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf

[3]. http://uidai.gov.in/

[4]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[5]. http://uidai.gov.in/organization-details.html

[6]. http://uidai.gov.in/privacy-policy.html

[7]. http://resident.uidai.net.in/home

[8]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[9]. https://ssup.uidai.gov.in/web/guest/ssup-home

[10]. http://uidai.gov.in/contactus.html

---

The article was published in the Indian Express on February 18, 2014

---

The age of volunteerism is officially over. The last decade of the mass adoption of the internet has been fuelled by endless human hours being spent in producing information which is the new currency of our times. The big transition to Web 2.0 began when the individual “user” became more than either an individual or the user. The individual found herself as a part of a collective, finding a voice and a community of others to belong to. Simultaneously, instead of being a passive consumer of the web, the user started producing data — blogs, videos, tweets, content management systems, online discussion boards, massively multiple online role-playing platforms, social network transactions — all of which became a part of the new Web’s widespread popularity.

Almost everything that we understand as the social web today is contingent upon people producing data in their interactions with the world around them. From knowledge producing websites like Wikipedia to entertainment platforms like YouTube, visualisation and data gathering spaces like Pinterest to photographs of self, food and cute animals on Instagram, political and social commentaries on Tumblr to Listicles and memes on Buzzfeed, the internet is a veritable smorgasbord of new information forms, formats and functions that are generated by the users.

What is possibly the most exciting about this burgeoning information universe has been the amount of free labour that goes into it, and often remains invisible. As digital labour scholar Trebor Schulz points out, the internet has become both a factory and a playground, where our leisure time is capitalised into producing work that sustains the new attention and information economies. For instance, the world’s largest social networking site, Facebook, does not produce any of its contents. It is, in fact, a system of information mining and sorting, which works as long as a growing user base continues to produce information on it. Tomorrow, if all of us stop producing Facebook, and only lurk on it, the platform will collapse. Which is why, Facebook continues to acquire new platforms and applications to be integrated into its universe.

Similarly, the real effort that goes into the sustenance of sites like Wikipedia, which has become the de facto reference for global knowledge systems, is carried out by unsung and invisible editors who patiently, meticulously, and without almost any expectation, continue to add, verify, strengthen and curate reliable information that we can use. When the non-profit organisation WikiMedia Foundation prides itself in running one of the least expensive websites in the top 10 most visited sites in the world, it is signalling its deep appreciation for the countless human hours that have made Wikipedia possible.

But, in recent years, there is noticeable stagnation in the wave of free information production on the Web. Oh, don’t get me wrong. We are producing an unprecedented amount of data — we are constantly being watched by surveillance technologies that detect biometric and genetic make-up of all our transactions, or we are inviting people to watch us on social network sites where we reveal some of our deepest secrets and desires, or we are watching ourselves, quantifying everything from things we ate to the number of hours we sleep. And yet, as we live in a world of Big Data, there is a definite decrease in people contributing to production of free information.

As the digital natives move from the web to mobile phones, traditional websites are already facing a crisis. News and media agencies that have celebrated the global citizen media networks have started realising that the individual user is more interested in local networks and information ecologies which are independent of mainstream conglomerates. And people are realising that their time and effort is worth money. They can be easily compensated for their online activities and gain reputation and importance.

The tension only becomes more palpable when people start realising that there are others who are being paid to work on the platforms that they are contributing to. We all knew that this model of depending on free information was not a sustainable one. But it seems the day has arrived, especially with the recent drives on Wikipedia to build specialised knowledge editors. In the last few months, we have seen people in the FemTechNet project — an academic activist feminist project that seeks to remind us of the intersections of feminism and technology in network societies — carry out “Wikistorming”, where students are adding pages of women’s contribution to technologies on Wikipedia. More recently, medicine students at University of Chicago have taken to correcting and adding accurate information to Wikipedia, which is often a source of health information.

Both of these are fantastic efforts to add to the platform that was the underdog that overthrew the mammoth encyclopaedia like The Encyclopaedia Britannica. We hope more specialised users in different locations, fields, disciplines and languages continue to edit and contribute to Wikipedia. However, it is also a signal that the generalist information producer is on the decline. We are transitioning into a new age, where people are going to need rewards, incentives and benefits for performing information transactions on the web. The user is no longer going to be available for free labour, and it is time we started thinking of “paid usership”.

Gautam Bhatia's blog post was originally published on Indian Constitutional Law and Philosophy Blog

---

We have seen that Gobind essentially crystallized a constitutional right to privacy as an aspect of personal liberty, to be infringed only by a narrowly-tailored law that served a compelling state interest. After the landmark decision in Gobind, Malak Singh v State of P&H was the next targeted-surveillance history-sheeter case to come before the Supreme Court. In that case, Rule 23 of the Punjab Police Rules was at issue. Its vires was not disputed, so the question was a direct matter of constitutionality. An order of surveillance was challenged by two individuals, on the ground that there were no reasonable bases for suspecting them of being repeat criminals, and that their inclusion in the surveillance register was politically motivated.  After holding that entry into a surveillance sheet was a purely administrative measure, and thus required no prior hearing (audi alteram partem), the Court then embarked upon a lengthy disquisition about the scope and limitations of surveillance, which deserves to be reproduced in full:

“But all this does not mean that the police have a licence to enter the names of whoever they like (dislike?) in the surveillance register; nor can the surveillance be such as to squeeze the fundamental freedoms guaranteed to all citizens or to obstruct the free exercise and enjoyment of those freedoms; nor can the surveillance so intrude as to offend the dignity of the individual. Surveillance of persons who do not fall within the categories mentioned in Rule 23.4 or for reasons unconnected with the prevention of crime, or excessive surveillance falling beyond the limits prescribed by the rules, will entitle a citizen to the Court’s protection which the court will not hesitate to give. The very rules which prescribe the conditions for making entries in the surveillance register and the mode of surveillance appear to recognise the caution and care with which the police officers are required to proceed. The note following R. 23.4 is instructive. It enjoins a duty upon the police officer to construe the rule strictly and confine the entries in the surveillance register to the class of persons mentioned in the rule. Similarly R.23.7 demands that there should be no illegal interference in the guise of surveillance. Surveillance, therefore, has to be unobstrusive and within bounds. Ordinarily the names of persons with previous criminal record alone are entered in the surveillance register. They must be proclaimed offenders, previous convicts, or persons who have already been placed on security for good behaviour. In addition, names of persons who are reasonably believed to be habitual offenders or receivers of stolen property whether they have been convicted or not may be entered. It is only in the case of this category of persons that there may be occasion for abuse of the power of the police officer to make entries in the surveillance register. But, here, the entry can only be made by the order of the Superintendent of Police who is prohibited from delegating his authority under Rule 23.5. Further it is necessary that the Superintendent of Police must entertain a reasonable belief that persons whose names are to be entered in Part II are habitual offenders or receivers of stolen property. While it may not be necessary to supply the grounds of belief to the persons whose names are entered in the surveillance register it may become necessary in some cases to satisfy the Court when an entry is challenged that there are grounds to entertain such reasonable belief. In fact in the present case we sent for the relevant records and we have satisfied ourselves that there were sufficient grounds for the Superintendent of Police to entertain a reasonable belief. In the result we reject both the appeals subject to our observations regarding the mode of surveillance. There is no order as to costs.”

Three things emerge from this holding: first, the Court follows Gobind in locating the right to privacy within the philosophical concept of individual dignity, found in Article 21’s guarantee of personal liberty. Secondly, it follows Kharak Singh, Malkani and Gobind in insisting that the surveillance be targeted, limited to fulfilling the government’s crime-prevention objectives, and be limited – not even to suspected criminals, but – repeat offenders or serious criminals. And thirdly, it leaves open a role for the Court – that is, judicial review – in examining the grounds of surveillance, if challenged in a particular case.

After Malak Singh, there is another period of quiet. LIC v Manubhai D Shah, in 1993, attributed – wrongly – to Indian Express Newspapers the proposition that Article 19(1)(a)’s free expression right included privacy of communications (Indian Express itself had cited a  UN Report without incorporating it into its holding).

Soon afterwards, R. Rajagopal v State of TN involved the question of the publication of a convicted criminal’s autobiography by a publishing house; Auto Shankar, the convict in question, had supposedly withdrawn his consent after agreeing to the book’s publication, but the publishing house was determined to go ahead with it. Technically, this wasn’t an Article 21 case: so much is made clear by the very manner in which the Court frames its issues: the question is whether a citizen of the country can prevent another person from writing his biography, or life story. (Paragraph 8) The Court itself made things clear when it held that the right of privacy has two aspects: the tortious aspect, which provides damages for a breach of individual privacy; and the constitutional aspect, which protects privacy against unlawful governmental intrusion. (Paragraph 9) Having made this distinction, the Court went on to cite a number of American cases that were precisely about the right to privacy against governmental intrusion, and therefore – ideally – irrelevant to the present case (Paras 13 – 16); and then, without quite explaining how it was using these cases – or whether they were relevant at all, it switched to examining the law of defamation (Para 17 onwards). It would be safe to conclude, therefore, in light of the clear distinctions that it made, the Court was concerned in R. Rajagopal about an action between private parties, and therefore, privacy in the context of tort law. It’s confusing observations, however, were to have rather unfortunate effects, as we shall see.

We now come to a series of curious cases involving privacy and medical law. In Mr X v Hospital Z, the question arose whether a Hospital that – in the context of a planned marriage – had disclosed the appellant’s HIV+ status, leading to his social ostracism – was in breach of his right to privacy. The Court cited Rajagopal, but unfortunately failed to understand it, and turned the question into one of the constitutional right to privacy, and not the private right. Why the Court turned an issue between two private parties – adequately covered by the tort of breach of confidentiality – into an Article 21 issue is anybody’s guess. Surely Article 21 – the right to life and personal liberty – is not horizontally applicable, because if it was, we might as well scrap the entire Indian Penal Code, which deals with exactly these kinds of issues – individuals violating each others’ rights to life and personal liberty. Nonetheless, the Court cited Kharak Singh, Gobind and Article 8 of the European Convention of Human Rights, further muddying the waters, because Article 8 – in contrast to American law – embodies a proportionality test for determining whether there has been an impermissible infringement of privacy. The Court then came up with the following observation:

“Where there is a clash of two Fundamental Rights, as in the instant case, namely, the appellant’s right to privacy as part of right to life and Ms. Akali’s right to lead a healthy life which is her Fundamental Right under Article 21, the RIGHT which would advance the public morality or public interest, would alone be enforced through the process of Court, for the reason that moral considerations cannot be kept at bay.”

With respect, this is utterly bizarre. If there is a clash of two rights, then that clash must be resolved by referring to the Constitution, and not to the Court’s opinion of what an amorphous, elastic, malleable, many-sizes-fit “public morality” says. The mischief caused by this decision, however, was replicated in Sharda v Dharmpal, decided by the Court in 2003. In that case, the question was whether the Court could require a party who had been accused of unsoundness of mind (as a ground for divorce under the wonderfully progressive Hindu Marriage Act) to undergo a medical examination – and draw an adverse inference if she refused. Again, whether this was a case in which Article 21 ought to be invoked is doubtful; at least, it is arguable, since it was the Court making the order. Predictably, the Court cited from Mr X v Hospital Z extensively. It cited Gobind (compelling State interest) and the ECHR (proportionality). It cited a series of cases involving custody of children, where various Courts had used a “balancing test” to determine whether the best interests of the child overrode the privacy interest exemplified by the client-patient privilege. It applied this balancing test to the case at hand by balancing the “right” of the petitioner to obtain a divorce for the spouse’s unsoundness of mind under the HMA, vis-à-vis the Respondent’s right to privacy.

In light of the above analysis, it is submitted that although the outcome in Mr X v Hospital Z and Sharda v Dharmpal might well be correct, the Supreme Court has misread what R. Rajagopal actually held, and its reasoning is deeply flawed. Neither of these cases are Article 21 cases: they are private tort cases between private parties, and ought to be analysed under private law, as Rajagopal itself was careful to point out. In private law, also, the balancing test makes perfect sense: there are a series of interests at stake, as the Court rightly understood, such as certain rights arising out of marriage, all of a private nature. In any event, whatever one might make of these judgments, one thing is clear: they are both logically and legally irrelevant to the Kharak Singh line of cases that we have been discussing, which are to do with the Article 21 right to privacy against the State.

As it noted in the NTIA's press release:

NTIA’s responsibility includes the procedural role of administering changes to the authoritative root zone file – the database containing the lists of names and addresses of all top-level domains – as well as serving as the historic steward of the [Domain Name System (DNS)]. NTIA currently contracts with [the Internet Corporation for Assigned Names and Numbers, ICANN] to carry out the Internet Assigned Numbers Authority (IANA) functions and has a Cooperative Agreement with Verisign under which it performs related root zone management functions. Transitioning NTIA out of its role marks the final phase of the privatization of the DNS as outlined by the U.S. Government in 1997.

This move was welcomed by "Internet technical leaders".

While this announcement cannot be said to be unexpected, it is nonetheless an important one and is also a welcome one. The NTIA seems to have foreclosed any option of the US government's role being performed by any government-led organization by noting in their press release, "NTIA will not accept a proposal that replaces the NTIA role with a government-led or an inter-governmental organization solution," once again reaffirming their belief in American exceptionalism: the NTIA could fulfil its role despite being a government, but now even a body involving multiple stakeholders can't replace the NTIA's role if it is going to be government-led.

Unfortunately, this announcement to relax American "stewardship" or "oversight" over some aspects of the Internet's technical functioning cannot restore the trust that has been lost due to actions taken by the US government and US companies. This new announcement won't change the US government's ability to 'tap' the Internet, nor will it affect their ability to unilaterally seize .com/.net/.name/.org/.edu/.tv/.cc/.us and other US-based domain names. Nor will a shift away from NTIA oversight lead to any of the chilling visions that some believe might lie in our future: the fears of the Association of National Advertisers and of some politicians and members of the US Congress is based on ignorance of what NTIA's role is.

The European Commission in a communiqué last month noted: "recent revelations of large-scale surveillance have called into question the stewardship of the U.S. when it comes to Internet governance". Unfortunately, the U.S. giving up that stewardship role will not prevent the continuation of their large-scale surveillance, just as the lack of such a stewardship role has not prevented other governments — U.K., India, Canada, Sweden, France, etc. — from engaging in large-scale surveillance.

There are three main benefits from the U.S. giving up this role.

• First, it will put an end to the political illegitimacy of the U.S. government having a core authority in a global system, somehow making it first among equals;

• Second, will focus light on ICANN, which under US oversight performs the IANA functions, and might, one hopes, lead to needed reform in ICANN's other functions;

• Third, it will allow us to collectively move on from this dreaded political issue at the heart of Internet governance, which nevertheless is of little practical consequence if ICANN's accountability mechanisms are strengthened. As difficult as it may be, ICANN has to be accountable not just to one government or another but to the world, and ensuring that accountability to all doesn't become accountability to none, as NetChoice's Steve DelBianco put it, is the formidable task ahead of us.
  

Yet, all the ICANN reform in the world will still not lead to a less spied-upon, more open, and more equitable Internet.

The principle behind net-neutrality, simply put, is that the data being transmitted to and from the user should be treated equally, i.e. that data carriage, at the level of ISP’s, should be ‘dumb’. This would mean that internet service providers cannot discriminate between different data based on the content of the data. Without the principle of net-neutrality being followed, ISP’s would become the ‘internet gatekeepers’, choosing what data gets to reach the end-user and how. There are many arguments for favouring or disfavouring net-neutrality, however, advocates of privacy on the internet should be wary of the possible implications of endorsing a non-neutral internet and allowing greater network management by ISP’s. So, how does the net-neutrality debate affect privacy?

It all depends upon what kind of network management ISP’s employ. Deep Packet Inspection (DPI) is a method of data inspection which allows the network manager to scrutinize data at the application level, and in real time. As compared to shallow packet inspection, which identifies based on headers like IP addresses or protocols like TCP and UDP, which are analogous to envelopes on a letter, DPI would be akin to having access to the contents. DPI-based network management can identify the programs, software and applications being used, and what they are being used for in real time. Unlike any ordinary online service provider ISP’s are in the unique position of having comprehensive access to all of their customers’ data. Allowing DPI-based network management for prioritizing certain data or applications, an almost certain outcome if net-neutrality is weakened, would mean that ISP’s would be able to intercept and scrutinize any and all user data, which would reveal substantial information about the user, and would be a serious blow to privacy. While DPI can have several benefits in its application (such as finding and fighting malware or viruses), but where it is used, must be for a targeted and legitimate aim. Even where DPI is not used, if network discrimination is allowed, based on a user-to-user basis it would require inspecting the IP addresses of the user, which can also be a problematic intrusion of privacy, especially since the ISP also has other data like addresses and names of users which it can use to identify them.

Privacy may not necessarily be affected through non-neutral internet systems, but in all probability, with the growth of systems like the DPI and commercial incentives for “gatekeeper ISP’s” who are in a position to profit greatly from an ability to scrutinize and discriminate between data, it is likely that it will. In India, though government ISP’s like MTNL and BSNL deny using DPI,[1] it’s likely that it is still applied by others, and that the government is aware of this (http://www.theinquirer.net/inquirer/news/2161541/indian-isps-block-104-websites). Even as the TRAI advocates and supports net-neutrality, Indian ISP’s seem to be heading the other way.[2] Before the trend becomes the norm, it’s high time for a comprehensive discussion about how policies should be framed for keeping the internet a more neutral, and more private, space.

---

References

1. Apar Gupta, TRAI(ing) to keep it neutral, http://www.iltb.net/2010/09/traiing-keep-it-neutral/
2. For a lay discussion on Deep Packet Inspection and net-neutrality, visit http://arstechnica.com/gadgets/2007/07/deep-packet-inspection-meets-net-neutrality/

Even as the Central Government prepares the Central Monitoring System for the unrestricted monitoring of all personal communication, the Department of Telecom has issued new guidelines for Telecom Service Providers to assist in responding to requests for interception and monitoring of communications from security agencies.

These guidelines do not appear to be publicly accessible, but according to news items, under the “Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers”, the TSP’s must now provide for lawful interception and monitoring requests for voice calls, Short message Service (SMS), General Packet Radio Service (GPRS) and Value Added Service (VAS) including Multi Message Service (MMS), data and voice in 3G/4G/Long Term Evolution (LTE) including video call or Voice Over Internet protocol (VoIP). This move comes just days after the Home Ministry suggested that the Department of Telecom either change the rules under their Telecom Policies such as the Unified Access Service Licence (UASL) to include VoIP monitoring, or, drastically, block all VoIP services on the internet, which would include several communication applications including Skype and GTalk. (See the article published by Economic Times).

The guidelines will supposedly also provide for some basic safeguards to ensure that non-authorized interception does not take place, such as ensuring that the interception is only to be provided by the Chief Nodal Officer of a TSP and only upon the issue of an order by the Home Secretary at the Central or State Government. Furthermore, these requests must only be in written, in untampered and sealed envelopes with no overwriting, etc. and bearing the order number issued by the concerned Secretary, with the date of the order. However, in exigent circumstances the order may be provided by email, provided that the physical copy is sent within two days of the order, else the interception order must be terminated. Inquiry processes are detailed under the new SOP’s which can verify whether the request was in original and addressed to the Nodal Officer and from which designated security agency it was issued, and can also verify the issue of an acknowledgment of compliance of the order by the TSP within two days of its receipt. The new guidelines also clarify the issue of interception of roaming subscribers by the State Government where the subscriber is registered. According to the guidelines, an order by the government of the state where such a caller has registered is sufficient and does not need vetting by the Home Secretary at the centre.

Notwithstanding the additional “safeguards” against unlawful or unauthorized interception, the message to take away from these guidelines is the Government’s continued efforts to expand its surveillance regime to comprehensively monitor every action and every communication at its whim. These requests for monitoring, undertaken by “security agencies” which include taxation agencies and the SEBI, are flawed not merely because of the possibility of “unauthorized” interception, rather because the legal basis of the interception is vague, broad and widely susceptible to misuse, as the recent “snoopgate” allegations against the Gujarat government have shown. (See the article published by the Hindu).

The current regime, based on a wide interpretation of Section 5(2) of the Indian Telegraph Act and the telecom policies of the Department of Telecom, do not have adequate safeguards for preventing misuse by those in power – such as the requirement of reasonable suspicion or a warrant. Without a sound legal basis for interception, which protects the privacy rights of individuals, any additional safeguards are more or less moot, since the real threat of intrusive surveillance and infringing of basic privacy exists regardless of whether it is done under the seal of the Home Secretary or not.

---

Resources

1. http://cis-india.org/internet-governance/resources/rule-419-a-indian-telegraph-rules-1951
2. http://www.thehindu.com/news/national/centre-issues-new-guidelines-for-phone-interception/article5559460.ece

---

Read the original published in the Economic Times on March 14, 2014

---

Activists have five main concerns.

1. Facebook has a track record of not keeping its promises to users.
2. The ethos of both companies when it comes to privacy is diametrically opposite.
3. The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
4. Facebook slurping WhatsApp's large repository of phone numbers.
5. Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

The article was published in Index on Censorship in August 2012. This is an unedited version of the article.

---

In a matter of three days, in August 2012, India’s central government ordered internet service providers to block around 309 pieces of online content – mostly individual web pages, YouTube videos and Facebook groups. The blocking orders came days after people originally from north-eastern India living in Bangalore began fleeing the city in fear of attack. Rumours that some Muslims in the city were planning violence in retaliation for recent clashes between the indigenous Bodo tribe and Muslim settlers in Assam spread quickly via text messages and through the media. The Nepali migrant community in Bangalore also received text messages from their families, warning them that they might be mistaken for north-eastern Indians and also be targeted. Indian Railway, catering to the huge demand, organised special trains to Assam for the crowds of people.

Freedom of speech is enshrined in the Constitution of India, which came into force in 1952, and specifically in Article 19(1)(a), which guarantees that ‘all citizens shall have the right to freedom of speech and expression’. While in the United States, it wasn’t until the 1920s that the Supreme Court struck down a law or governmental action on freedom of speech grounds, in India, just one year after the constitution was adopted, government actions against both left- and right-wing political speech were struck down for violating Article 19(1)(a). Enraged, the Congress government then amended Article 19, expanding the list of restrictions to the right to free expression. These included speech pertaining to ‘friendly relations with foreign states’, ‘public order’ and ‘incitement to an offence’. In 1963, in response to the 1962 war with China, the ‘sovereignty and integrity of India’ was also added, taking the number of categories of permissible restrictions up to eight. While the constitution categorically stipulates that no further restrictions should be imposed, courts have on occasion added to the list (privacy, for instance) through judicial interpretation without explicitly stating that they are doing so. Comparisons are often drawn between the constitution’s ‘reasonable restrictions’ and the categorical prohibition enshrined in the US Constitution’s First Amendment: ‘Congress shall make no law … abridging the freedom of speech, or of the press’ – a meaningless comparison as there are indeed many categories of speech that are seen as being protected under the US constitution and even speech that is protected may be restrained in a number of ways.

Today, there are a number of laws that regulate freedom of speech in India, from the Indian Penal Code (IPC), the Victorian legislation meant to codify crimes, to the Information Technology Act, which was amended in 2008 and in some cases makes behaviour that is perfectly legal offline into a criminal activity when online.

Sedition and social harmony

The Indian Penal Code criminalises sedition; speech intended to cause enmity between communities; speech intended to ‘outrage religious feelings of any class’; selling, singing or displaying anything obscene; and defamation. It also prohibits ‘causing someone, by words or gestures, to believe they’re the target of divine displeasure’. Each of these provisions has been misused, as there are indeed many catagories of speech that are not seen as being protected under thw US constitution, and even speech that is protected may be restrained in a number of ways.

In recent years, sedition charges have been brought against human rights activists (Binayak Sen and Arundhati Roy), journalists (Seema Azad), cartoonists (Aseem Trivedi) and protesters (thousands of villagers in Koodankulam and neighbouring villages who demonstrated against a nuclear reactor in their area). It is usually the higher judiciary that dismisses such cases, while the lower judiciary seems to be supplicant to the bizarre claims of government, the police and complainants. Similarly, the higher judiciary has had to intervene in cases where books and films have been banned for ‘causing enmity between communities’ or for intentionally hurting the sentiments of a religious group.

Of the last six books banned by the Maharashtra government, all but one (RV Bhasin’s Islam: A Concept of Political World Invasion by Muslims) have been overturned by the Mumbai High Court. In one case, the court criticised the government for using a violent protest (organised by the Sambhaji Brigade, one of many right-wing political groups that frequently stage demonstrations) as reason enough for banning an academic book on the Maratha king Shivaji. In its decision, the judge pointed out that it is the government’s job to provide protection against such violence. Given India’s history of communal violence there is indeed a need for the law to address incitement to violence – but these laws should be employed at the actual time of incitement, not after the violence has already taken place. But, as recent events have shown, the government is willing to censor ‘harmful’ books and films and less likely to take action against individuals who incite violence during demonstrations.

Online speech and the law

There are regular calls for the government to introduce legislation that deals specifically with online behaviour, despite the fact that the vast majority of the laws regarding sedition and social harmony apply online as well as offline. One example is the recent move to introduce amendments to the Indecent Representation of Women Act (1986) so that it applies to ‘audiovisual media and material in electronic form’.

But the government’s attempts to control online speech began long before the introduction of any internet-specific legislation. Indeed, when state-monopoly internet service provider VSNL censored content, it did so under the terms of a contract it had entered with its customers, not under any law. In 1998, a mailing list called Middle East Socialist Network was blocked on national security grounds. In 1999, Pakistani newspaper Dawn’s website was blocked during the Kargil conflict. In both of the latter cases, the government relied on the Indian Telegraph Act (1885) to justify its actions, though that act contains no explicit provisions for such censorship.

In 2000, the Information Technology (IT) Act was passed and the Indian Computer Emergency Response Team (CERT-In) was created, which (unlawfully) assumed the role of official online censor. Importantly, while the IT Act did
make the publication of obscene content online illegal (though it already was under the IPC), it did not grant permission for authorities to block websites. Despite this, an executive order passed on 27 February 2003 granted CERT-In the power to block. Had this been challenged in a court, it may well have been deemed unconstitutional since, in the absence of a statutory law, an executive order cannot reverse the freedom granted under Article 19. And although the telecommunications sector in India was being liberalised around this time, as part of their licence agreements, all internet service providers (ISPs) have to agree to block links upon being requested to do so by the government. In 2008, when the IT Act was amended, it clearly stated that the government can block websites not only when it deems it necessary to do so but also when it is deemed expedient in relation to matters of public interest, national security and with regard to maintaining friendly relations with foreign states. The power to block does not, however, extend to obscenity or defamation offences. At the same time, further categories of speech crimes were introduced, along with other new offences, including the electronic delivery of ‘offensive messages through communication services’ or anything ‘for the purpose of causing annoyance or inconvenience’. This has often been abused, including by the chief minister of West Bengal, who issued proceedings against a professor for forwarding an email containing a cartoon that mocked him. Under this draconian and unconstitutional provision, the police do not need an arrest warrant and the punishment can be as much as three years’ imprisonment, longer than even the punishment for causing death by negligence. The amendment also granted the government extensive powers to monitor and intercept online speech and data traffic, greatly extending the powers provided under colonial laws such as the Indian Telegraph Act (1885). As legislation has been introduced, the penalties for online offences have increased significantly. For example, the penalty for the first-time publication of an obscene ebook is up to five years in prison and a 1,000,000 rupee (US$18,800) fine, compared with two years’ imprisonment and a 2,000 rupee (US$38) fine as stipulated in the IPC for publishing that same material in print version. New laws introduced in 2009 pertain specifically to blocking (section 69a), interception, decryption and monitoring (69 and 69b) and are in accordance with the constitution. However, the amendments were brought in without any attempt at transparency or accountability.

Power in the hands of intermediaries

In April 2011, despite critical submissions received during its public consultation, the government announced new ‘intermediary guidelines’ and ‘cyber cafe rules’, both of which have adverse effects on freedom of expression. The rules, which were issued by the Department of Information and Technology (DIT), grant not only the government but citizens significant powers to censor the internet. They require all intermediaries – companies that handle content, including web hosts, telecom companies, domain name providers and other such intermediaries – to remove ‘disparaging’ content that could ‘harm minors in any way’. They prohibit everything from jokes (if the person sharing the joke does not own copyright to it) to anything that is disparaging. In a recent case, in December 2011, thousands of people used the hashtag #=IdiotKapilSibal on Twitter to criticise the minister of communications and information technology, Kapil Sibal, who had requested that officials from Google, Microsoft, Yahoo! and Facebook in India pre-screen online content. These guidelines and rules are badly drafted and unconstitutional, as they go beyond the limits allowed under Article 19 in the constitution. And do so in a manner that lacks any semblance of due process and
fairness. They are inconsistent with offline laws, too: for example, because the guidelines also refer to gambling, the government of Sikkim can publish advertisements for its PlayWin lottery in newspapers but not online. It’s far easier to persuade officials to remove online material than it is to persuade them to remove books from a bookstore or artwork from a gallery. Police are only empowered to seize books if the government or a court has been persuaded that it violates a law and issues such an order. This fact is always recorded, in government or legal records, police files or in the press. By contrast, web content can be removed on the basis of one email complaint; intermediaries are required to ‘disable’ the relevant content within 36 hours of the complaint. A court order is not required, nor is there a requirement to notify the owner of the content that a complaint has been received or that material has been removed. The effect is that of almost invisible censorship.

This assertion – that it only takes one complaint – may seem far-fetched. But a researcher from the Centre for Internet and Society sent complaints to several intermediaries on a number of occasions, resulting in content being removed in a majority of cases. If intermediaries choose not to take action, they risk losing their immunity against punishment for content. In essence, the law is the equivalent of punishing a post office for the letters that people send via the postal service.

The amendments were brought in without any attempt at transparency or accountability

In 1984, Indira Gandhi was forced to sue Salman Rushdie for defamation in a London court in order to ensure one sentence was expurgated from his novel Midnight’s Children. Today Gandhi wouldn’t need to win a lawsuit against publishers. She would merely have to send a complaint to websites selling the book and it would have to be removed from sale. It is easier to block Akbari.in – the online newspaper run by Vinay Rai, who filed a criminal complaint against multiple internet companies in December 2011 for all manner of materials – than it is to prevent its print publication. There is no penalty for frivolous complaints, such as those sent by researchers from the Centre for Internet and Society, nor is there any requirement for records to be kept of who has removed what. Such great powers of  censorship without any penalties for abuse of these powers are a sure-fire way of moving towards greater intolerance, with the internet – that republic of opinions and expressions – being a casualty.

Censorship outside the law

Since 2011, governments and private companies alike have increasingly engaged in internet censorship. In April 2011, in response to a right to information request, the DIT released a list of 11 websites that had been officially blocked under the IT Act since 2009, when the amended act came into force. But, according to a recent Google Transparency Report, government requests for the removal of material far exceeds that number. The report reveals that the government (including state governments) requested that Google remove 358 items from January 2011 to June 2011. Of this number, only eight were considered to be hate speech and only one item was related to concerns over national security. The remaining material, 255 items (71 per cent of all requests), was taken down because of ‘government criticism’. Criticism of the government is protected under the country’s constitution but, nonetheless, Google complied with take-down requests 51 per cent of the time. It’s clear, then, that governmental censorship is far more widespread than officially acknowledged.

In July 2011, Reliance Entertainment obtained a ‘John Doe’ order to protect its intellectual property rights with regard to its film Singham, which was scheduled for release that month. The order prohibited both online and offline  infringement of copyright for the film and was sent to a number of ISPs, which then blocked access to file-sharing websites, even though there was no proof of the film having been available on any of them. According to Reliance Entertainment, they merely asked ISPs ‘not to make the film available’ on their networks, even though the order did not authorise it. But a right to information request pertaining to a similar case dealing with the distribution of the film Dhammu showed that the entertainment company’s lawyers had in fact asked for dozens of websites – not just deep-link URLs to infringing content – to be blocked, despite publicly claiming otherwise. If web users encountered any information at all about why access to the sites was blocked, it was that the Department of Telecom had ordered the blocking, which was plainly untrue. In February 2012, following a complaint from the Indian Music Industry (a consortium of 142 music companies), the Calcutta High Court ordered 387 ISPs to block 107 websites for music piracy. At least a few of those, including Paktimes.com and Filmicafe.com, were general interest entertainment sites. The most famous of these sites, Songs.pk, re-emerged shortly after the block as Songspk.pk, highlighting the pointlessness of the block. And outside the realm of copyright, in December 2011, the domain name CartoonsAgainstCorruption.com was suspended based on an unlawful complaint from the Mumbai police requesting its suspension, despite there being no powers for them to do so under any law.

Between August and November 2011, the DIT also went to great efforts to compel big internet companies including Indiatimes, Facebook, Google, Yahoo!, and Microsoft, to ‘self-regulate’. This revealed the department’s desire to gain ever greater powers to control ‘objectionable’ content online, effectively bypassing the IT Act. It’s obvious, too, that by encouraging internet companies to ‘self-regulate’ the government will avoid embarrassing statistics such as those revealed by Google’s Transparency Report.

New dangers

A way forward, at least for internet-specific laws, could be to rekindle the Cyber Regulations Advisory Committee – a multi-stakeholder committee required by the IT Act – and to practise at home what we preach abroad on matters of internet governance: the value of a multi-stakeholder system, which includes industry, academia and civil society and not just governments. The idea of a multi-stakeholder framework has gained prominence since it was placed at the core of the ‘Declaration of Principles’ at the first World Summit on Information Society in Geneva in 2003. It has also been at the heart of India’s pronouncements at the Internet Governance Forum and the India-Brazil-South Africa Dialogue Forum. The Internet Governance Division, which formulates the country’s international stance on internet governance, has long recognised that these decisions must be taken in an open and collaborative manner. It is time the DIT’s Cyber-Law and ESecurity Group, which formulates the country’s national stance on the internet, realises the same.

Freedom of speech means nothing in a democratic society if it does not allow everyone to speak. Despite the internet being a very elite space, the number of people who have used it to express themselves since its introduction in India in 1994 is vast, especially when compared to the number of people in India who have expressed themselves in print since 1947 when the country won its independence. Online speech is indeed a big shift from edited and usually civil discussions in the world of print media. Perhaps this gives us some indication of why there is some support among the mass media for government regulations on speech. Too many discussions of online speech laws in India descend into arguments about the lack of civility online. However, the press – and all of us – would do well to remember that civility and decency in speech, while desirable in many contexts, cannot be the subject of legislation. But in India, the greatest threat to freedom of expression is not a government clampdown on dissent but threats from political and corporate powers with a range of tools at their disposal, including fostering a climate of selfcensorship. The government has passed bad laws that have given way to private censorship. And many of these laws are simply a result of gross ineptitude.

We cannot take sufficient comfort in the fact that, in India, censorship is limited and nowhere on the scale that it is in China or Iran. It is crucial that, from a legal, cultural and technological standpoint we do not open the door for further censorship. And currently, we are failing.

---

Pranesh Prakash is Policy Director at the Centre for Internet and Society in Bangalore. Part of this article appeared in a blog by the author on the centre’s website, cis-india.org, in January 2012

---

Note: After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post.

---

This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in April 2011 and September 2011.

When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions.  Below is an outline of significant changes from the September 2011 Privacy Bill to the 2014 Privacy Bill:

• Scope: The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India.  The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.
• Definitions: The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.
  

Terms that have been added in the 2014 Bill and the definitions

1. Personal identifier: Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.
2. Legitimate purpose: A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.
3. Competent authority : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.
4. Notification: Notification issued under this Act and published in the Official Gazette
5. Control : And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.
6. Telecommunications system: Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.
7. Privacy standards: The privacy standards or protocols or codes of practice.  developed by industry associations.

Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions

1. Communication data:The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications
2. Data subject : Any living individual, whose personal data is controlled by any person
3. Interception: In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication.
4. Person: Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban  local body, or any other officer, agency or instrumentality of the state.
5. Sensitive personal data: Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation.  Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.
6. Individual: a resident of Indian
7. Covert surveillance: covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device  in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual
8. Re-identify: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;
9. Process: “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;
10. Direct marketing: Direct Marketing means sending of a commercial communication to any individual
11. Data controller:  any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;
12. Government: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;

Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:

1. Consent: Includes implied consent
2. Maintain: Includes maintain, collect, use, or disseminate.
3. Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller.
4. Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund.
5. Prescribed: Prescribed by rules made under this Act.
6. Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)
7. DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual.

Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):

1. Authority: The Data Protection Authority of India
2. Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.
3. Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject.
4. Member: Member of the Authority
5. Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data.
6. Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller.

• Exceptions to the Right to Privacy: According to the 2011 Bill, the exceptions to the Right to Privacy included:

1. Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state
2. Preventing incitement to the commission of any offence
3. Prevention of public disorder or the detection of crime
4. Protection of rights and freedoms of others
5. In the interest of friendly relations with foreign state
6. Any other purpose specifically mentioned in the Act.

The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.

• Acts not to be considered deprivations of privacy:  The 2011 Bill lists five instances that  will not be considered a deprivation of privacy  - namely

1. For journalistic purposes unless it is proven that there is a reasonable expectation of privacy,
2. Processing data for personal or household purposes,
3. Installation of surveillance equipment for the security of private premises,
4. Disclosure of information via the Right to Information Act 2005,
5. And any other activity exempted under the Act.

The 2014 limits these instances to:

1. The processing of data purely for personal or household purposes,
2. Disclosure of information under the Right to Information Act 2005,
3. And any other action specifically exempted under the Act.

• Privacy Principles:  Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices.

• Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:

1. Collection of personal data,
2. Processing of personal data,
3. Data quality,
4. Provisions relating to sensitive personal data,
5. Retention of personal data,
6. Sharing (disclosure) of personal data,
7. Security of personal data,
8. Notification of breach of security,
9. Access to personal data by data subject,
10. Updation of personal data by data subject
11. Mandatory processing of data,
12. Trans border flows of personal data.

Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:

1. Collection of personal data,
2. Processing of personal data,
3. Access to personal data,
4. Updating personal data
5. Retention of personal data
6. Data quality,

The 2014 Bill has further includes provisions addressing:

1. Openness and accountability,
2. Choice,
3. Consent,
4. Exceptions for personal identifiers.

The 2014 Bill has made changes to the provisions addressing:

1. Provisions relating to sensitive personal data,
2. Sharing (disclosure of personal data),
3. Notification of breach of security,
4. Mandatory processing of data
5. Security of personal data
6. Trans border flows of personal data.

The changes that have been made have been mapped out below:

Provisions Relating to Sensitive Personal Data: The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:

1. For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.
2. Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

Notification of Breach of Security: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.

Notice: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:

1. The documented purposes for which such personal data is being collected
2. Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service
3. The consequences of the failure to provide the personal data
4. The recipient or category of recipients of the personal data
5. The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller
6. If such personal data is intended to be transferred out of the country, details of such transfer.

In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:

1. What data is being collected and
2. The legitimate purpose for the collection.

If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:

1. The use to which the personal data will be put
2. Whether or not the personal data will be disclosed to a third party and if so the identity of such person
3. If the personal data being collected is intended to be transferred outside India  and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data.
4. The security and safeguards established by the data controller in relation to the personal data
5. The processes available to a data subject to access and correct  his personal data
6. The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto
7. The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller.

Disclosure of personal data: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing.  In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.  As a safeguard, the 2014 Bill requires that any person to whom  personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.

Transborder flow of information: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

Mandatory Processing of Data: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.

Security of Personal Data: The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of  security.

• Conditions on which provisions do not apply: Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy  will not apply to personal data.  Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill  carves out an exception for Government Intelligence Agencies  - stating that the provisions of  updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.
• Privacy Officers: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.
• Power of Authority to Exempt: Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .

• The Data Protection Authority: The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority.  For example, new functions of the Authority include:

1. Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act,
2. Suggesting international instruments relevant to the administration of the Act,
3. Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.

The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.

At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement,  if for the objectives of  (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.

This power is instead vested with a court of competent jurisdiction.

• The National Data Controller Registry: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.
• Direct Marketing: Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’  and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.
• Interception of Communications: Though maintaining some of the safeguards defined in the 2011 Bill for interception,  2014 Bill changes  the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees,  removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.
• Video Recording Equipment in public places: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed.

The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.

• Privacy Standards and Self Regulation: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them.  For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.
• Settlement of Disputes and Appellate Tribunal: The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish.  If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court.

In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.

• Offences and Penalties: The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section.

• Offences: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:

1. Unauthorized interception of communications
2. Disclosure of intercepted communications
3. Undertaking unauthorized Covert Surveillance
4. Unauthorized use of disclosure of communication data

The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.

Penalties: The 2014 Bill provides a list of penalties including:

1. Penalty for obtaining personal data on false pretext
2. Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers
3. Penalty for disclosure of other personal information
4. Penalties for contravention of directions of the Authority
5. Penalties for data theft
6. Penalties for unauthorised collection, processing, and disclosure of personal data
7. Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines
   
   

Adjudicating Officer: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not  below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default

Civil Remedies and compensation: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense.

The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.

Exceptions for intelligence agencies:  Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law  Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.

The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.

In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.

Introduction:

1. Shielding the Messengers: Protecting Platforms for Expression and Innovation. The Centre for Democracy and Technology. December 2012, available at: https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes and provides alternative ways of addressing illegal content online.
2. Internet Intermediaries: Dilemma of Liability: Article 19. 2013, available at: http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf:This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability have to online freedom of expression. Relying on international standards for freedom of expression and comparative law,  the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendation in the document include: web hosting providers or hosts should be immune from liability to third party content if they have not modified  the content, privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies, the model of notice to notice should replace notice and takedown regimes, in cases of alleged serious criminality clear conditions should be in place and defined.
3. Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries: Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf:This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight  principles and components in different that can be used in international treaties and instruments, upcoming policies, and court decisions.
4. Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries. The Electronic Frontier Foundation. February 2011, available at: http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf:This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile and highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.
5. Study on the Liability of Internet Intermediaries. Contracted by the European Commission. 2007, available at: http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive  and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relavant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.
6. Internet Intermediary Liability: Identifying Best Practices for Africa. Nicolo Zingales for the Association for Progressive Communications,  available at: https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model.
7. The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda: An uncertain terrain. Association for Progressive Communications. October 2012, available at: http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain:This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges . In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability.
8. The Fragmentation of intermediary liability in the UK. Daithi Mac Sithigh. 2013, available at: http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed and subsequently replaced with provisions from national legislation  and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are diving into multiple systems – for example for content related to copyright intermediaries are being placed with new responsibilities while for content related to defamation, there is a reducing in the liability that intermediaries are held to.
9. Regimes of Legal Liability for Online Intermediaries: an Overview. OECD, available at:  http://www.oecd.org/sti/ieconomy/45509050.pdf. This article provides an overview of different intermediary liability regimes  including EU and US.
10. Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose. GNI. 2014, available at: http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf.  This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations , and argues that the current liability regime in India is hurting the Indian internet economy.
11. Intermediary Liability in India. Centre for Internet and Society. 2011, available at: http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf. This report reviews and ‘tests’  the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right.
12. The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf

---

Click to read the newsletter from the Association of Progressive Communications. The summaries for the reports can be found below:

Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: http://www.apc.org/en/node/19279/. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.

APC’s Frequently Asked Questions on Internet Intermediary Liability:  APC, May 2014, available at: http://www.apc.org/en/node/19291/. This report addresses common questions pertaining to internet intermediaries, which are entities which provide services that enable people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. The “Generalist” model intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.

New Developments in South Africa: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.

Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.

New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.

New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users data for at least here years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users register with their real name and prove that you are the person who is registration. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.

Internet Policies That Affect Africans: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af. The Associsation for Progressive Communcations interviews researcher Nicolo Zingales about the trend among African governments establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.

Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility. Nyst argues for a middle ground between competing goals in internet regulation in Africa. Achieving one goal, of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands intermediaries be protected in a legal safe harbor and the other requires intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but responsibility, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.

The 2014 seminar is jointly organized by the Center for Global Communication Studies (CGCS) at the University of Pennsylvania’s Annenberg School for Communication, the American Austrian Foundation (AAF), and the Diplomatic Academy of Vienna (DA).  For more information visit the seminar webpage and Facebook Page. Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India.

Nishant Shah's post was published on April 1st, 2014 | by cgcsblog

---

An imagined and perceived gap between the global and the local informs transnational politics and internet policy. The global views the local as both the site upon which the global can manifest itself as well as the microcosm that supports and strengthens global visions by providing mutations, adaptations and reengineering of the governance practices. The local is encouraged to connect with the global through a series of outward facing practices and policies, thus producing two separate domains of preservation and change.  On the one hand, the local, the organic and the traditional, needs to be preserved and make the transnational and the global the exotic other. On the other hand, the local also needs to be in a state of aspiration, transforming itself to belong to global networks of polity and policy that are deemed as desirable, especially for a development and rights based vision of societies.

While these negotiations and transactions are often fruitful and local, national, and transnational structures and mechanics have been developed to facilitate this flow, this relationship is precarious. There is an implicit recognition that the local and the transnational, dialectically produced, are often opaque categories and empty signifiers. They sustain themselves through unquestioned presumptions of particular attributes that are taken for granted in these interactions. There have been many different metaphors that have been used to understand and explain these complex transfers of knowledge and information, resources and capital, bodies and ideologies. Vectors, Flows, Disjunctures, Intersections are some of the examples. However, with the rise of the digital technologies and vocabularies, especially the internet, the metaphor of the Network with its distributed nodes has become one of the most potent explanations of contemporary politics. This idea of living in networked worlds is so seductive and ‘common-sense,’ that it has become an everyday practice to think of the global as a robust, never-ending, all-inclusive network where the local becomes an important node because it enables both connectivity within but also an expansion of the edges, in order to connect to that which is outside the traffic capacities of the network.

The ‘Network Society’ paradigm is distinct from earlier rubrics of information and open society that have informed existing information and communication policies. In this paradigm we have the opportunity to revisit and remap the ways in which local governments and populations function and how they produce locals who can feed into the transnational and global discourse. The network facilitates some knowledge that is valuable and allows us to map inequity and mal-distribution of resources by offering comparisons between the different nodes. Networks force our attention to the edges, the no-person’s-zone which is porous but still serves as an osmotic filter that often keeps the underprivileged and the unintelligible outside its fold. Networks as metaphors are valuable because they produce a cartographic vision of the world with multiple boundaries and layers, dealing with big data sets to create patterns that might otherwise be invisible. They enable the replication of models that can be further localised and adapted to fit the needs of the context.  Networks make the world legible – we write it through the lens of the network, intelligible – we understand it through the language and vocabulary of the network, and accessible – it allows for knowledge and practices to transfer across geographies and times.

At the same time, networks are a vicious form of organisation because they work through the logic of resource maximisation, efficiency and optimisation, often disallowing voices of dissent that threaten the consensus making mechanisms of the network. Networks have a self-referential relationship with reality because they produce accounts of reality which can easily stand in for the material and the real. They are the new narratives that can operate with existing data sets and produce such rich insights for analysis that we forget to account for that which cannot be captured in the database structures of these data streams. Networks work through a principle of homogeneity and records, thus precluding forms of operation which cannot be easily quantified.

Given this complex nature of networks and the fact that they are emerging as the de facto explanations of not only social and cultural relationships but also economic and political transactions, it might be fruitful to approach the world of policy and politics, the local and the transnational, through the lens of the network. Building a critique of the network while also deploying the network as a way to account for the governmental practices might produce key insights into how the world operates. What does it mean to imagine the world in the image of the internet as a gigantic network? What are the ways in which a networked visualisation of policy and governmental processes can help us analyse and understand contemporary politics? What tools can we develop to expose the limitations of a network paradigm and look at more inclusive and sensitive models for public discourse and participation? How do we document events, people, and drivers of political change that often get overlooked in the networked imagination of transnational politics? These are the kind of questions that the Center for Global Communication Study’s Internet Policy Observatory (IPO) could initiate, building empirical, qualitative and historical research to understand the complex state of policy making and its relationship with enforcement, operationalization and localisation.

Given the scope and scale of these questions, there are a few specific directions that can be followed to ensure that research is focused and concentrated rather than too vague and generalised:

1. Bird’s eye views: The big picture understanding of transnational political and policy networks is still missing from our accounts of contemporary discourse. While global representative networks of multi-stakeholder dialogues have been established, there is not enough understanding of how they generate traffic (information, knowledge, data, people, policies) within the network through the different nodes. Producing an annotated and visual network map that looks at the different structural and organisational endeavours and presences, based on available open public data, bolstered by qualitative interviews would be very useful both as a research resource but also an analytic prototype to understand the complex relationships between the various stakeholders involved in processes of political change.
2. Crisis Mapping: One of the most important things within Network studies is how the network identifies and resolves crises. Crises are the moment when the internal flaws, the structural weaknesses, and the fragile infrastructure become visible. The digital network, like the internet, has specific mechanisms of protecting itself against crises. However, the appearance of a crisis becomes an exciting time to look at the discrepancy between the ambition of the network and its usage. A crisis is generally a symptom that shows the potentials for radical subversion, overthrowing, questioning and the abuse of network designs and visions. Locating ICT related crises with historical and geographical focuses could similarly reveal the discrepancies of the processes of making policy and orchestrating politics.
3. Longitudinal Studies: The network remains strong because it works through a prototype principle. Consequently, no matter how large the network is, it is possible to splice, slice, and separate a small component of the network for deep dive studies. This microcosm offers rich data sets, which can then be applied across the network to yield different results. Further, working with different actors – from individual to the collective, from the informal the institutional – but giving them all equal valency provides a more equal view of the roles, responsibilities, and aspirations of the different actors involved in the processes. This kind of a longitudinal study, working on very small case-studies and then applying them to analyse the larger social and political conditions help in understanding the transnational and global processes in a new way.

These research based inquiries could result in many different outputs based on the key users that they are working with and for. The methods could be hybrid, using existing local and experimental structures, with predefined criteria for rigour and robustness. The research, given its nature, would necessitate working with existing networks and expanding them, thus building strong and sustainable knowledge networks that can be diverted towards intervention through capacity building and pedagogy directed at the different actors identified within these nodes.

---

Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India. He is an International Tandem Partner at the Centre for Digital Cultures, Leuphana University, Germany and a Knowledge Partner with the Hivos Knowledge Programme, The Netherlands. In these varied roles, he has been committed to producing infrastructure, frameworks and collaborations in the global south to understand and analyse the ways in which emergence and growth of digital technologies have shaped the contemporary social, political and cultural milieu. He is the editor for a series of monographs on ‘Histories of Internet(s) in India’ that looks at the complicated relationship that technologies have with questions of gender, sexuality, body, city, governance, archiving and gaming in a country like India. He is also the principle researcher for a research programme that produced the four-volume anthology ‘Digital AlterNatives With a Cause?’ that examines the ways in which young people’s relationship with digital technologies produces changes in their immediate environments.

Dr. Nishant Shah's column was published in the Indian Express on March 30, 2014.

---

Within the online space, where wonderments often run rife, and conspiracy theories travel at the speed of light, there are many dark recesses where netizens half-jokingly, self-referentially, in a spirit of part-truth, part-exaggeration, often wonder on what the real reason is for the internet to exist.

One suggestion, and probably the most persuasive one, drawing from the Broadway musical Avenue Q, is that the internet was made for porn. Positing a competing argument is a clowder of cat lovers, who insist that the internet was made for cats. Or, at least, it is definitely made of cats.

From the first internet memes like LOL Cats (and then subsequently Grumpy Cat, Ceiling Cat and Hipster Kitty), which had pictures of cats used for strong social, cultural and political commentary, to Caturday — a practice where users on the Web’s largest unmoderated discussion board, 4Chan, post pictures of cats every Saturday — cats are everywhere.

I want to add to this list and suggest that the internet was meant for “shame”. With the explosion of the interactive Web, more people getting access to mobile computing devices, and more websites inviting users to write reviews, leak pictures, expose videos and reveal more personal and private information online, there seems to be no doubt that we live in the age of digital shaming.

The aesthetic, also embedded in peer-to-peer platforms like chatroulete, or snapchat, where people often engage in sexting, is also becoming common in popular media. The ability to spy, to capture private images and videos, and expose the people who violate some imagined moral code has dangerous implications for the future of the Web and our own private lives. And as more of it goes unpunished and gets naturalised in our everyday digital practices, it is time to realise that the titillation it offers through scandal is far outweighed by the growing stress and grief it causes to victims. While there are some values to public shaming that ask for more transparency and accountability, we need to reflect on how it is creating societies of shame.

It sometimes emerges as an attempt to shame governments, private institutions, places of consumption, for compromise of the rights of the users.

Anything, from denial of service and corruption in government offices to bad food and substandard goods in restaurants and malls, is now reported in an attempt to shame the people responsible for it. This kind of “citizen journalism” allows for individual voices and experiences to be heard and documented, and the people in question are forced to be accountable for their jobs.

From fascinating websites like IPaidABribe.com to restaurant review sites like Zomato, we have seen an interesting phenomenon of “naming and shaming” that gives voice to individual discontent and anger. And so commonplace has this become, that most managers of different services and goods track, respond and mitigate the situation, often offering apologies and freebies to make up for that one bad experience.

Most big organisations have Twitter handles that function in a similar way, addressing grievances of users in real time, and helping to deliver better services and products. It is a new era of granular accountability that ensures that individual acts of discrimination, neglect or just disservice get reported and have direct impact on those responsible for it.

On the other end of the spectrum of this call for transparent and accountable structures, is the phenomenon of shaming and cyber bullying that is also increasing, especially with digital natives who spend more time online. On social networking sites, it has become almost passé, for personal and sensitive information to be leaked in order to shame and expose a person’s weaknesses and vulnerabilities. Especially for young teens who might be in a disadvantaged position — for reasons of sexual orientation, location, practices or interests — the shaming through exposing their private information often creates extremely traumatic conditions, even leading people to take their lives.
Shaming takes up particularly dire forms on websites and platforms that are designed to leak this kind of information. Hunter Moore, who has recently earned the title of being the most hated man on the internet, was the founder of a revenge-porn website, which invited male users to reveal sexual and embarrassing pictures of their former girlfriends and even spouses, to reveal them in compromising positions and shame them for being “sluts”.

Moore’s website has been shut down now and he is facing multiple charges of felony in the US, but that one site was just the tip of the iceberg. Slut shaming and trying to humiliate women has become a strong underground practice on the dark web. Hidden by anonymity and the security that the Web can sometimes offer, people betray the trust of their friends and lovers and expose them to be punished by voyeuristic audiences.

---

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

---

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African,  American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for  "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable.  Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” –  and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as  "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

---

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014  See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated:  14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

---

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in its draft report on global surveillance has issued a scathing indictment of the activities of the NSA and its counterparts in other member nations and is a welcome stance taken by an international body that is crucial to the fight against surveillance.

The "European Parliament Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs" released on the 8^th of January, 2014, comprehensively details and critiques the mass surveillance being undertaken by government agencies in the USA as well as within the EU, from a human rights and privacy perspective. The report examines the extent to which surveillance systems are employed by the USA and EU member-states, and declares these systems in their current avatars to be unlawful and in breach of international obligations and fundamental constitutional rights including "the freedom of expression, of the press, of thought, of conscience, of religion and of association, private life, data protection, as well as the right to an effective remedy, the presumption of innocence and the right to a fair trial and non-discrimination".

Furthermore, the report points to the erosion of trust between the EU and the US as well as amongst member states as an outcome of such secret surveillance, and criticises and calls for a suspension of the data-sharing and transfer agreements like the Terrorist Finance Tracking Program (TFTP), which share personal information about EU citizens with the United States, after examining the inadequacy of the US Safe Harbour Privacy principles in ensuring the security of such information.

After considering the secret and unregulated nature of these programmes, the report points to the need of restricting surveillance systems and criticizes the lack of adequate data protection laws and privacy laws which adhere to basic principles such as necessity, proportionality and legality.. It also questions the underlying motives of these programmes as mere security-tools and points to the possible existence of political and economic motives behind their deployment. Recognizing the pitfalls of surveillance and the terrible potential for misuse, the report "condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries."

Amongst the recommendations in the 51-page report are calls for a prohibition of mass surveillance and bulk data collection, and an overhaul of the existing systems of data-protection across the European Union and in the US to recognize and strengthen the right to privacy of their citizens, as well as the implementation of democratic oversight mechanisms to check security and intelligence agencies. It also calls for a review of data-transfer programmes and ensuring that standards of privacy and other fundamental rights under the European constitution are met. The committee sets out a 7-point plan of action, termed the European Digital Habeus Corpus for Protecting Privacy, including adopting the Data Protection Package, suspending data transfers to the US until a more comprehensive data protection regime is through an Umbrella Agreement, enhancing fundamental freedoms of expression and speech, particularly for whistleblowers, developing a European Strategy for IT independence and developing the EU as a reference player for democratic and neutral governance of the internet.

Though this draft report has no binding legal value as yet, the scathing criticism has assisted in calling to the attention of the global community the complex issues of internet governance and privacy and surveillance, and generated debate and discourse around the need for an overhaul of the current system. The recent decision of the US government to ‘democratize’ the internet by handing control of the DNS root zone to an international body, and thereby relinquishing a large part of its means of controlling the internet, is just one example of the systemic change that this debate is generating.

Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill

Constitutional Right to Privacy

The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.

Nine National Privacy Principles

The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data.  An analysis of the principles as compared in the Report and the Bill is below:

• Notice: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill.  According to the notice principle in the Report, a data controller shall give sample to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons;  Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information;  Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.
  
  In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. If the purpose for which the personal data changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put, whether or not the personal data will be disclosed to at third person and, if so, the identity of such person if the personal data being collected is intended to be transferred outside India  and the reasons for doing so; how such transfer helps in achieving the legitimate purpose; and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place data controllers must inform the affected data subject that lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; processed, re-identified or disclosed in an unauthorized manner.
  
  Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.

• Choice and Consent: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subject will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymoized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data.
  
  Different from as recommended in the principle in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exception cases when it is not possible to provide a service with choice and consent, then choice and consent will not be required.

• Collection Limitation: The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and content taken.

• Purpose Limitation: Though the principle of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which they are processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data.

• Access and Correction: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual.

• Disclosure of Information: The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim).  As recommended this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound the adhere to all relevant and applicable privacy principles.

• Security: The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.

• Openness: The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, and policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity to the data they collect.

• Accountability: The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the national Privacy Principles.

Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).

With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. As a note the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised.

With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.

Additional Protection for Sensitive Personal Data

The Report of the Group of Experts on Privacy broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The 2014 Privacy Bill incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions;  password, banking credit and financial data; narco analysis or polygraph test data, sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances of when this authorization would not be required including:  collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected an processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual;  such data is collected or processed by the government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India,  the authority has, by a general or specified order permitted the processing of such data for specific purpose and is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.

Privacy Officers

The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.

Co-regulatory Framework

The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry levels self regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry level self regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.

Recommendations in the Report that are not in the Bill

Scope

The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India.  The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.

Exceptions

The Report of the Group of Experts recommends the following as exceptions to the right to privacy:

1. National security
2. Public order
3. Disclosure in the public interest
4. Prevention, detection, investigation, and prosecution of criminal offenses
5. Protection of the individual and rights and freedoms of others

The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessary in a democratic state.

The Privacy Bill 2014 reflects only the exception of  “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:

1. Sovereignty, integrity or security of India or
2. Strategic, scientific or economic interest of India; or
3. Preventing incitement to the commission of any offence; or
4. Prevention of public disorder; or
5. The investigation of any crime; or
6. Protection of rights and freedoms others; or
7. Friendly relations with foreign states; or
8. Any other legitimate purpose mentioned in this Act.

Instead of qualifying these exceptions with the principles of proportionality, legality, and necessary in a democratic state – as recommended in the Report of Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.

Constitution of Infringement of Privacy

The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.

The Data Protection Authority

The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should  be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The privacy commissioner should have the power to receive and investigate class action complaints and investigative powers of the commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo moto, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry level SRO’s.

Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.

The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy,  the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs,  and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate in complaint received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers.  Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.

Tribunal and System of Complaints

Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization.  The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.

Penalties and Offenses

The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.

Conclusion

The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.

In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.

---

References

1. Leaked Privacy Bill: 2014 vs. 2011
2. Report of the Group of Experts on Privacy

Let us take, for the purposes of this post, the following definition:

“The idea that all Internet traffic should be treated equally is known as network neutrality. In other words, no matter who uploads or downloads data, or what kind of data is involved, networks should treat all of those packets in the same manner.”

In other words, put simply, net neutrality in its broadest form requires the extant gatekeepers of the internet – such as, for instance, broadband companies – to accord a form of equal and non-discriminatory treatment to all those who want to access the internet. Examples of possible discrimination – as the quote above illustrates – include, for instance, blocking content or providing differential internet speed (perhaps on the basis of a tiered system of payment for access).

Net neutrality has its proponents and opponents, and I do not have space here to address that dispute. In its broadest and absolutist form, net neutrality is highly controversial (including arguments that existing status quo is not neutral in any genuine sense). I take as given, however, that some form of net neutrality is both an important and a desirable goal. In particular, intentional manipulation of information that is available to internet users – especially for political purposes – is, I assume, an undesirable outcome, as are anti-competitive practices, as well as price-discrimination for the most basic access to the internet (this brief article in the Times of India provides a decent, basic primer on the stakes involved).

An example of net neutrality in practice is the American Federal Communications Commission’s Open Internet Order of 2010, which was the subject of litigation in the recently concluded Verizon v. FCC. The Open Internet order imposed obligations of transparency, no blocking, and no unreasonable discrimination, upon internet service providers. The second and third requirements were vacated by a United States Court of Appeals. The rationale for the Court’s decision was that ISPs could not be equated, in law, to “common carriers”. A common carrier is an entity that offers to transport persons and/or goods in exchange for a fee (for example, shipping companies, or bus companies). A common carrier is licensed to be one, and often, one of the conditions for license is an obligation not to discriminate. That is, the common carrier cannot refuse to carry an individual who is willing and able to pay the requisite fees, in the absence of a compelling reason (for example, if the individual wishes the carrier to transport contraband). Proponents of net neutrality have long called for treating ISPs as common carriers, a proposition – as observed above – was rejected by the Court.

With this background, let us turn to India. In India, internet service providers are both state-owned (BSNL and MTNL), and privately-owned (Airtel, Spectranet, Reliance, Sify etc). Unlike many other countries, however, India has no network-neutrality laws. As this informative article observes:

“The Telecom Regulatory Authority of India (TRAI), in its guidelines for issuing licences for providing Unified Access Service, promotes the principle of non-discrimination but does not enforce it… the Information Technology Act does not provide regulatory provisions relating to Internet access, and does not expressly prohibit an ISP from controlling the Internet to suit their business interests.”

In the absence of either legislation or regulation, there are two options. One, of course, is to invoke the rule of common carriers as a common law rule in court, should an ISP violate the principles of net neutrality. In this post (and the next), however, I would like to analyze net neutrality within a constitutional framework – in particular, within the framework of the constitutional guarantee of freedom of speech and expression.

In order to do so, two questions become important, and I shall address them in turn. First, given that most of the ISPs are privately owned, how does the Constitution even come into the picture? Our fundamental rights are enforceable vertically, that is, between individuals and the State, and not horizontally – that is, between two individuals, or two private parties. Where the Constitution intends to depart from this principle (for instance, Article 15(2)), it specifically and expressly states so. As far as Article 19 and the fundamental freedoms are concerned, however, it is clear that they do not admit of horizontal application.

Yet what, precisely, are we to understand by the term “State”? Consider Article 12:

“In this part, unless the context otherwise requires, the State includes the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India.”

The key question is what, precisely, falls within the meaning of “other authorities”. The paradigmatic example – and this is something Ambedkar had in mind, as is evidenced by the Constituent Assembly Debates – is the statutory corporation – i.e., a company established under a statute. There are, however, more difficult cases, for instance, public-private partnerships of varying types. For the last fifty years, the Supreme Court has struggled with the issue of defining “other authorities” for the purposes of Part III of the Constitution, with the pendulum swinging wildly at times. In the case of Pradeep Kumar Biswas v. Indian Institute of Chemical Biology, a 2002 judgment by a Constitution bench, the Court settled upon the following definition:

“The question in each case would be whether in the light of the cumulative facts as established, the body is financially, functionally and administratively dominated by or under the control of the Government. Such control must be particular to the body in question and must be pervasive. If this is found then the body is a State within Article 12. On the other hand, when the control is merely regulatory whether under statute or otherwise, it would not serve to make the body a State.”

Very obviously, this dooms the ISP argument. There is no way to argue that ISPs are under the pervasive financial, functional and administrative domination or control of the State. If we step back for a moment, though, the Pradeep Kumar Biswas test seems to be radically under-inclusive. Consider the following hypothetical: tomorrow, the government decides to privatize the nation’s water supply to private company X. Company X is the sole distributor of water in the country. On gaining control, it decides to cut off the water supply to all households populated by members of a certain religion. There seems something deeply wrong in the argument that there is no remedy under discrimination law against the conduct of the company.

The argument could take two forms. One could argue that there is a certain minimum baseline of State functions (ensuring reasonable access to public utilities, overall maintenance of communications, defence and so on). The baseline may vary depending on your personal political philosophy (education? Health? Infrastructure?), but within the baseline, as established, if a private entity performs a State function, it is assimilated to the State. One could also argue, however, that even if Part III isn’t directly applicable, certain functions are of a public nature, and attract public law obligations that are identical in content to fundamental rights obligations under Part III, although their source is not Part III.

To unpack this idea, consider Justice Mohan’s concurring opinion in Unnikrishnan v. State of Andhra Pradesh, a case that involved the constitutionality of high capitation fees charged by private educational institutions. One of the arguments raised against the educational institutions turned upon the applicability of Article 14’s guarantee of equality. The bench avoided the issue of whether Article 14 directly applied to private educational institutions by framing the issue as a question of the constitutionality of the legislation that regulated capitation fees. Justice Mohan, however, observed:

“What is the nature of functions discharged by these institutions? They discharge a public duty. If a student desires to acquire a degree, for example, in medicine, he will have to route through a medical college. These medical colleges are the instruments to attain the qualification. If, therefore, what is discharged by the educational institution, is a public duty that requires… [it to] act fairly. In such a case, it will be subject to Article 14.”

In light of Pradeep Kumar Biswas, it is obviously difficult to hold the direct application of the Constitution to private entities. We can take Justice Mohan, however, to be making a slightly different point: performing what are quintessentially public duties attract certain obligations that circumscribe the otherwise free action of private entities. The nature of the obligation itself depends upon the nature of the public act. Education, it would seem, is an activity that is characterized by open and non-discriminatory access. Consequently, even private educational institutions are required to abide by the norms of fairness articulated by Article 14, even though they may not, as a matter of constitutional law, be held in violation of the Article 14 that is found in the constitutional text. Again, the content of the obligation is the same, but its source (the constitutional text, as opposed to norms of public law) is different.

We have therefore established that in certain cases, it is possible to subject private entities performing public functions to constitutional norms without bringing them under Article 12’s definition of the State, and without the need for an enacted statute, or a set of regulations. In the next post, we shall explore in greater detail what this means, and how it might be relevant to ISPs and net neutrality.

---

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and presently an LLM student at the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he will be blogging on issues of online freedom of speech and expression.

The article was originally published in GeneWatch (January - April 2014) issue.

---

Why should an organization that focuses on the Internet be invited to such a committee? There are some obvious reasons related to data protection and big data. CIS had previously served on the Justice AP Shah committee that was tasked by the Planning Commission to make recommendations on the draft Privacy Bill in 2012. There are also some less obvious connections, such as academic research into cyborgs wherein the distinction between human and machine/technology is blurred; where an insulin pump makes one realize that the Internet of Things could include the Internet of Body Parts. But for this note I will focus on biometrics - quantifiable data related to individual human characteristics - and their gate-keeping function on the Internet.

The bouquet of biometric options available to technologists is steadily expanding - fingerprint, palm print, face recognition, DNA, iris, retina, scent, typing rhythm, gait, and voice. Biometrics could be used as authentication or identification to ensure security and privacy. However, biometrics are different from other types of authentication and identification factors in three important ways that have implications for human rights in information societies and the Internet.

Firstly, biometrics allow for non-consensual authentication and identification. Newer, more advanced and more expensive biometric technologies usually violate human rights more extensively and intensively than older, more rudimentary and inexpensive biometrics. For example, it is possible to remotely harvest iris information when a person is wide awake without even being aware that their identification or authentication factors have been compromised. It isn't difficult to imagine ways to harvest someone's fingerprints and palm prints without their knowledge, and you cannot prevent a security camera from capturing your gait. You could use specialized software like Tor to surf the World Wide Web anonymously and cover your digital tracks, but it is much harder to leave no trail of DNA material in the real world.

Secondly, biometrics rely on probabilistic matching rather than discrete matching - unlike, for example, a password that you use on a social media platform. In the 2007 draft of India's current Human DNA Profiling Bill, the preamble said "the Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead, without any doubt." This extract from the bill was quoted in an ongoing court case to use tampered chain of custody for DNA as the means to seek exoneration of the accused. And the scientists on the committee insist that the DNA Data Bank Manager "...shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency ... as to whether the DNA profile received is already contained in the Data Bank" - in other words, a "yes" or "no" answer. This is indeed odd for those who come from the world of Internet policy - especially when one DNA lab worker confidentially shared that after a DNA profile was generated the "standard operating procedure" included checking it against the DNA profile of the lab worker to ensure that there was no contamination during the process of generating the profile. This would not be necessary for older forms of biometrics such as the process of developing a photograph. In other words, chain of custody issues with every generation of biometric technology are getting more and more complex. In the developing world, the disillusioned want to believe that "technology is the solution." The fallibility of technology must determine its evidentiary status.

Finally, biometrics are only machine-scrutable. This means machines and not human beings will determine whether you are guilty or innocent; whether you should get subsidized medicine, grain, or fuel; whether you can connect to the Internet via mobile phone, cybercafe or broadband. DNA evidence is not directly observable by judges and therefore the technology and equipment have to be made increasingly transparent so that ordinary citizens as well as the scientific community can audit their effectiveness. In 2009, the Second District Court of Appeal and Circuit Court in Florida upheld a 2005 ruling requiring CMI Inc, the manufacturer of Intoxilyzer 5000, to release source code, failing which evidence from the breathalyzer would be rendered inadmissible in more than 100 drunk driving cases. If the transparency of machines is important when prosecuting misdemeanors then surely this is something we must advocate for when culpability for serious crimes is determined through DNA evidence and other types of biometric technologies. This could be accomplished by the triad of mandates for free/open source software, open standards and open hardware. This is not necessary for all DNA technology and equipment that is used in the market, but only for a small sub-set of these technologies that impinge on our rights as human beings via law enforcement and the judicial system.

It has been nine years since India started the process of drafting this bill. We hope that the delays will only result in a robust law that upholds human rights, justice and scientific progress.

---

Sunil Abraham is Executive Director of the Centre for Internet and Society, based in Bangalore, India.

This post maps the discussion across the NETmundial submissions and presents six emerging evolution scenarios related to the IANA functions:

1. Separation of IANA from policy/ICANN, control of IANA to a multilateral body
2. Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
3. No separation of IANA from policy/ICANN, control of IANA to a multilateral body
4. No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
5. Multiplication of TLD registries and root servers
6. Maintenance of status quo

---

I. Separation of IANA from policy/ICANN, control of IANA to a multilateral body

The proposal under this category demands for the separation of IANA function from technical policy making, and suggests that the IANA function be transferred to an intergovernmental body.

Such proposal is listed below:

Sl.No.	Proposal No.	Name of Proposal	Organization	Sector	Region	Link
1	186	The Next Best Stage for the Future of Internet Governance is Democracy	Global Geneva	Civil Society	Geneva, Switzerland	http://content.netmundial.br/contribution/the-next-best-stage-for-the-future-of-internet-governance-is-democracy/305

This proposal by Global Geneva seeks the establishment of an intergovernmental organisation called World Internet Organisation (WIO), under which IANA (which is understood to be essentially technical and concerning safety and security of the Internet would be located. WIO would additionally have a special link/status/contract with IANA to avoid unwanted interference from governments. A 75% majority at WIO would be requested to act/modify/contest an IANA decision, making it difficult for governments to go beyond reasonable and consensual demands. WIO would act in concert with World Internet Forum, under which ICANN would be located, whereby it would make policy decisions regarding gTLDs apart from its other present functions.

II. Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

There are certain proposals whereby it is proposed that IANA function should be separated from technical policy making, or ICANN, and IANA function, which is perceived to be a purely administrative one in such submissions, should be handed over to some sort of non-multilateral organisation, which take different forms in each proposal.

Most such submissions have emerged from the civil society or the technical community.

The Internet Governance Project submission envisions the creation of a DNS Authority under whose umbrella IANA would function. The DNS Authority would be separate from ICANN. This proposal has been endorsed by the submissions of InternetNZ as well as Article 19 and Best Bits. Avri Doria’s submission, along with the submission of APC, envisions the establishment of an independent IANA, separate from the technical policy function. Such independence is sought to be preceded by a transition period by a body called IANA Stewardship Group which would be constituted mostly by members from the technical community. IANA is sought to be governed via MoUs with all stakeholders, on the same lines as the MoU between ICANN and the IETF, as described in RFC2860, RFC6220. The focus of these MoUs would not be policy but will be on performance and adherence to service level agreements.

These submissions are listed below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	19	Roadmap for Globalising IANA: Four Principles and a Proposal for Reform	Internet Governance Project	Civil Society	North America	http://content.netmundial.br/contribution/roadmap-for-globalizing-iana-four-principles-and-a-proposal-for-reform-a-submission-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/96
2	26	Roadmap for the Further Evolution of the Internet Governance Ecosystem- ICANN	Article 19 and Best Bits	Civil Society	Global	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem-icann/109
3	42	Content Contribution to NetMundial on the Roadmap for the Futher Evolution of the IG Ecosystem regarding the Internationalisation of the IANA Function	InternetNZ	Technical Community	New Zealand	http://content.netmundial.br/contribution/content-contribution-to-netmundial-on-the-roadmap-for-the-futher-evolution-of-the-ig-ecosystem-regarding-the-internationalisation-of-the-iana-function/130
4	60	One Possible Roadmap for IANA Evolution	Avri Doria, Independent Researcher	Other	USA	http://content.netmundial.br/contribution/one-possible-roadmap-for-iana-evolution/153
5	162	APC Proposals for the Further Evolution of the Internet Governance Ecosystem	Association for Progressive Communications (APC)	Civil Society	APC is an international organisation with its executive director's office in South Africa	http://content.netmundial.br/contribution/apc-proposals-for-the-further-evolution-of-the-internet-governance-ecosystem/280

III. No separation of IANA from policy/ICANN, control of IANA to a multilateral body

These submissions propose that the IANA function should come under a multilateral body. However they do not suggest the separation of IANA function from policymaking, or from ICANN; or they are at least silent on this latter issue. 2 such proposals come from the civil society and 2 from the government.

A list of these submissions is provided below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	8	Roadmaps for Further Evolution of Internet Governance	Association for Proper Internet Governance	Civil Society	Switzerland	http://content.netmundial.br/contribution/roadmaps-for-further-evolution-of-internet-governance/65
2	45	Russian Parliament Submission to NET mundial	State Duma of the Russian Federation (Parliament of the Russia)	Government	Russian Federation	http://content.netmundial.br/contribution/themes/133
3	121	Contribution from the Islamic Republic of Iran to the Global Multiskaeholder (sic) Meeting for the Future of the Internet, 23-24 April 2014 Sao Paulo, Brazil	Cyber Space National Center, Iran	Government	Islamic Republic of Iran	http://content.netmundial.br/contribution/contribution-from-the-islamic-republic-of-iran-to-the-global-multiskaeholder-meeting-for-the-future-of-the-internet-23-24-april-2014-sao-paolo-brazil/236
4	125	Towards Reform of Global Internet Governance	The Society for Knowledge Commons	Civil Society	India and Brazil	http://content.netmundial.br/contribution/towards-reform-of-global-internet-governance/240

IV. No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

These submissions do not consider the issue of separation of IANA function from policymaking, or ICANN, or at least do not state an opinion on the separation of IANA function from ICANN. However, they do suggest that the control of IANA should be held by a non-multilateral body, and not the US Government.

Many of these submissions also suggest that the oversight of ICANN should be done by a non-multilateral body, therefore it makes sense that the IANA function is administered by a non-multilateral body, without its removal from the ICANN umbrella.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
2	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
3	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
4	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
5	61	French Government Submission to NETmundial	French Ministry of Foreign Affairs	Government	France	http://content.netmundial.br/contribution/french-government-submission-to-netmundial/154
6	63	Nominet Submission on Internet Governance Principles and the Roadmap	Nominet	Private Sector	UK	http://content.netmundial.br/contribution/nominet-submission-on-internet-governance-principles-and-the-roadmap/156
7	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
8	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
9	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10	94	Roadmap for the Future Development of the Internet Governance Ecosystem	Ministry of Foreign Affairs of Argentina	Government	Argentina	http://content.netmundial.br/contribution/roadmap-for-the-future-development-of-the-internet-governance-ecosystem/196
11	97	Orange Contribution for NETmundial	Orange Group	Private Sector	Deputy to the Chief Regulatory Officer Orange Group	http://content.netmundial.br/contribution/orange/199
12	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
13	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
14	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
15	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany / Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
16	148	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
17	146	Evolution and Internationalisation of ICANN	CGI.br- Brazilian Internet Steering Committee	Other	Brazil	http://content.netmundial.br/contribution/evolution-and-internationalization-of-icann/263
18	176	Addressing Three Prominent “How To” Questions on the Internet Governance Ecosystem Future	Luis Magalhes, Professor at IST of University of Lisbon, Portugal; Panelist of ICANN’s Strategy Panel on the Role in the Internet Governance System	Academia	Portugal	http://content.netmundial.br/contribution/addressing-three-prominent-how-to-questions-on-the-internet-governance-ecosystem-future/294
19	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

V. Multiplication of TLD registries and Root Servers

These submissions are based on the assumption that reform in the current ICANN/IANA administrative structure is impossible as the US government is unlikely to give up its oversight role over both. Instead, these submissions suggest that multiple TLD registries and root servers should be created as alternatives to today’s IANA/ICANN so that a healthy market competition can be fostered in this area, rather than fostering monopoly of IANA.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	41	Internet Governance: What Next?	EUROLINC	Civil Society	France, Europe	http://content.netmundial.br/contribution/internet-governance-what-next/129
2	175	The Intergovernance of the InterPLUS	INTLNET	Civil Society	France	http://content.netmundial.br/contribution/the-intergovernance-of-the-interplus/293

VI. Maintenance of status quo

These submissions are based on the “if it ain’t broke, don’t fix it” principle, and are of the opinion that there is no need to change the administration of IANA function as it functions efficiently in the current system.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	12	United Kingdom Government Submission	Department For Culture Media and Sport, United Kingdom Government	Government	Government	http://content.netmundial.br/contribution/united-kingdom-government-submission/79
2	133	Perspectives from the Domain Name Association	Domain Name Association	Private Sector	Private Sector	http://content.netmundial.br/contribution/perspectives-from-the-domain-name-association/249

---

Read more on ICANN/IANA: Role and Structural Considerations (PDF Document, 1215 Kb)

This post analyses the contributions of the academic community to draw out broad agreements and divergences concerning Internet governance principles.

I. Introduction

In two days, a large measure of the global Internet community – governments, the private sector, civil society, technical community and academia – gather in São Paulo, Brazil, for the Global Multi-stakeholder Meeting on the Future of Internet Governance. The NETmundial (April 23-24, 2014), touted as the World Cup of Internet governance, is a global conference convened and supported by the Brazilian president, Dilma Rousseff, and organized by the Brazilian Internet Steering Committee (CGI.br) and /1Net, a forum comprising various stakeholders involved and interested in Internet governance. It hopes, importantly, “to establish strategic guidelines related to the use and development of the Internet in the world”. To this end, it sought open-ended Contributions from interested stakeholders on the topics, “Set of Internet governance principles” and “Roadmaps for the further evolution of the Internet governance system”. The agenda for NETmundial may be found here.

To fully utilize the 2 short days available, knowledge of the stakeholder positions, especially their broad agreements and divergences on the two topics, is of immense help. Through a series of posts, I analyse the contributions to NETmundial on the question of Internet governance principles, seeking to dig deep into definitions and interpretations of suggested principles, such as management of Critical Internet Resources (such as the Domain Name System), human rights including freedom of expression and privacy, cyber-security, inclusiveness and participation in Internet governance, etc. In separate posts, I shall analyse contributions of each sector (governments, the private sector, civil society, technical community, academia and ‘Other’) and finally, present an overall analysis of the contributions pitted against the Draft Outcome Document, which is presently under discussion.

II. The Contributions

The NETmundial has received 187 contributions from 46 countries. Sector break-ups are given below:

Sector	Number of Contributions (187)
Academia	20
Governments	28
Private Sector	43
Civil Society	61
Technical Community	16
‘Other’ (such as UNESCO, the European Commission, etc.)	19

A quick look at the contributors indicates that contributions are primarily from North America, Europe, South and East Asia, and South America. No or very few contributions were made from large parts of Africa and South East Asia, Central and West Asia, Eastern Europe and Western South America. We present a graphical representation of contributing countries here.

Of the contributions, stakeholders from various sectors contributed to the two topics listed above in the following manner:

Sector	Set of Internet Governance Principles	Roadmaps for Further Evolution of the Internet Governance System	Combined: Internet Governance Principles & Roadmaps
Academia	7	7	6
Government	7	4	17
Private Sector	11	3	29
Civil Society	25	21	15
Technical Community	8	5	3
‘Other’	7	4	8

Despite the above classification, I focus on all 187 contributions for analysis. This is as some contributions expressly set out principles while others do not. Therefore, eliciting and analyzing principles from stakeholder contributions has involved a certain amount of subjective maneuvering. However, such elicitation has been restricted on the following bases:

1. The contribution is externally categorized as falling under either “Set of Internet governance principles” or “Combined – Internet governance principles & Roadmaps”.
2. Internally, the document places principles under rubrics of ‘Internet governance principles’.
3. Internally, the document makes references to Internet governance principles before setting out (without rubrics) principles.

With this caveat, I go on to discuss the NETmundial contributions from the academic community to Internet governance principles.

Part I: Academia

Of the academic contributions, the main contributors are Africa (Kenya – 1, Sudan – 3), Europe (Germany – 1, Poland – 1, Portugal – 1, Russia – 2, Ukraine – 1), South America (Argentina – 1, Brazil – 3) and the United States (8). No Asian country has made an academic contribution, and as evident from above, academia is geographically severely under-represented. Furthermore, only 4 out of 20 contributions expressly set out Internet governance principles. These four are:

1. Report of the Experts Meeting on Cyberspace Law
2. Proposed Internet Governance Principles
3. Taking Consent Seriously
4. Internet Governance Principles: Securing the Future of the Internet
   

Semantics aside, certain broad, high-level consensus emerges within the academic community. On substantive principles of governance on the Internet, the greatest support is found for freedom of express and access to information, with 6 contributions emphasizing this. Equally important is Internet universality and non-discriminatory (3 contributions), universal access to the Internet (6). Protection of privacy and permissible levels of surveillance come a close second, with 5 contributions referring to these. Cyber-security (5), respect for human rights (4) and support for net neutrality (3) and cultural and linguistic diversity on the Internet (3) also emerge as issues of concern for the academic community. The UNESCO and academics from Sudan emphasize training and education to use the Internet. Inter-operability (2) and a single, unfragmented Internet (2) also find a place in the academic community’s contributions.

With regard to processual principles for Internet governance, inclusiveness and participation are the most important concerns (5). The academic community asks for an open, transparent and multi-stakeholder Internet governance system (4), calling for international cooperation (2) among governments and other stakeholders. Interestingly, one contribution requires that the role of governments in the multi-stakeholder model be limited to “the facilitation of the participation of their domestic stakeholder communities in Internet governance processes”, while a Brazilian contribution advocates a multilateral model.

While no contribution expressly calls for these principles to underscore global Internet governance, the author believes that a high-level consensus may be gleaned in favour of respect for and protection of human rights, especially freedom of expression, access to information, privacy and protection from unwarranted domestic or extraterritorial surveillance. This is further supported by cyber-security concerns. The call for universal access to the Internet, alongside mention of net neutrality, emphasizes inclusiveness and non-discrimination. Processually as well, inclusiveness and participation (including equal participation) of all stakeholders finds the largest support, reflected in the calls for multi-stakeholder models of Internet governance.

No glaring divergences exist with regard to human rights or principles of governance on the Internet. The only major divergence amongst academia is the call for multilateral or multi-stakeholder models of Internet governance. While a majority of the contributions call for multi-stakeholder models, the Brazilian contribution (linked above) calls for “Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector”, while at the same time supporting a “real multi-stakeholder governance model for the Internet based on the full involvement of all relevant actors and organizations”. Indeed, even this divergence is marked by a common emphasis on open, transparent and inclusive participation in Internet governance.

---

These documents were obtained from the websites of the respective banks, and wherever they were lacking, from the branches of the banks themselves. Attempts were made to obtain any information required for the project that was not available on the website or in the forms from the officers of the respective banks.

The State Banks of India (hereinafter ‘SBI’), Central Bank of India (hereinafter ‘CBI’), ICICI Bank (hereinafter ‘ICICI’), IndusInd Bank (hereinafter ‘IndusInd’) and Standard Chartered Bank (hereinafter ‘SCB’) are the banks chosen for this project. As mentioned, these banks have been chosen to ensure a diverse sample pool. SBI is an Indian public multinational bank, CBI is an Indian public bank and it is not multinational, ICICI is an Indian private and multinational bank, IndusInd is an Indian private bank which isn’t multinational, and SCB is a British bank operating in India.

The forms and other documents of each of the banks have been compared against a template of twenty nine questions created from the nine principles given in Justice A.P. Shah Group of Experts’ Report on Privacy.

The two services provided by these banks that have been analysed are Opening an Account and Taking out a Personal Loan. This comparison has been done keeping in mind the obligations of the banks under the Master Circular and the KYC Norms detailed in it, Code of Conduct, and the Rules under Section 43A of the IT Act. Attempts have been made to clarify the basis of the response as much as possible. An analysis of the obligations of the banks is present below, along with an explanation of the relevance of various parts of the two services that are analysed.

---

Click to download:

1. Banking Policy Guide
2. Banking Practices

Image above: Comparing Absolute Appearance of Fifty Most Frequent Words

Image above: Comparing Relative Appearance of Fifty Most Frequent Words

Created by Sumandro using R. Download the R code. Download the data.

These heatmaps compare the appearance of fifty most frequently appearing words (for all 187 contributions) across the contributions made by different types of organisation. Click on them to see the larger images. Hit *escape* to come back to this page. The first heatmap shows the absolute appearance of the words -- that is the total number of times each word appears in contributions by a type of organisation. The second heatmap shows the relative appearance of the words -- that is the ratio of the word's appearance in contribution by a type of organisation divided by total number of contributions by that type of organisation.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities. The analysis was done by Geetha Hariharan, Jyoti Pandey, and Sumandro Chattapadhyay, with data entry support from Chandrasekhar.

Created by Sumandro using Google Charts. Google Terms of Use and Data Policy. Download the data.

This treemap chart divides up contributions submitted to NETmundial 2014 into their countries of origin, which are also clustered into regional divisions. The size of the rectangles indicate the total number of submissions from the respective region/country. Right click on the regions to see the division of submissions from the countries within that region. Left click to go back. Certain submissions have been contributed by global organisations, such as Internet Society, ICANN and Commonwealth agencies. These submissions have been included in the 'Global' division in the above chart. Also, Russia has been included within Europe, and China has been included within East Asia.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

Created by Sumandro using Google Charts. Google Terms of Use and Data Policy. Download the data.

This Sankey diagram shows all the countries/regions from where contributions have come in on the left side, and all the various types of organisations on the right side. Use the mouse cursor to hover over a country to see what proportion of the submissions from that country has come from which type of organisation, or hover over an organisation type to see what proportion of submission from such organisations have come in from which countries. The height of the blue bars next to the country/region names and organisation types indicate at the respective proportions among all the contributions. Certain submissions have been contributed by global organisations, such as Internet Society, ICANN and Commonwealth agencies. These submissions have been included in the 'Global' division in the above chart.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

Created by Sumandro using Datamaps.

The map shows (in *green*) all the countries from where no contributions (by any kinds of organisation) have been submitted to NETmundial. Countries appearing in *white* are those from where contributions have been submitted. Organisations that have indicated (in their submitted contribution) that they are either 'global' or 'international' organisations with headquarter in a specific country(ies), or a coalition of several organisations from different countries, have not been considered while making the above map. Such organisations (not considered while making this map) include African ICT/IG Stakeholders, Association for Progressive Communications, Best Bits, Just Net Coalition, OECD, etc. To see the map of all the countries from where the respective governments have not submitted any contributions to NETmundial, click here.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

Built on Bootstrap by Sumandro

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

Created by Sumandro using Datamaps.

The map shows (in *green*) all the countries from where no government agency has submitted any contribution to NETmundial. Governments of the countries appearing in *white* have contributed to the NETmundial process. Inter-governmental and international bodies that have submitted contributions to NETmundial -- such as OECD and UNESCO -- have not been considered while creating the above map. To see the map of all the countries from where there have been no contributions (by any kinds of organisation) to NETmundial, click here.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Panday, and with data entry support from Chandrasekhar.

Built on Bootstrap by Sumandro.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

---

---

Created by Sumandro using R. Download the R code. Download the data.

These word clouds show the hundred most frequently appearing words in the aggregated contribution text of each type of organisations. The size of the words in these diagrams refer to their frequency of appearance. A larger size refers to higher frequency of appearance. The colour of the words have been differentiated to group the words according to their freuqency of appearance. The color hierarchy is as follows: Green, Pink, Blue, Red. While creating these word clouds, certain common English words (like, 'the' and 'and') and obvious words for the contributions (like, 'internet' and 'governance') have been ommitted. The full list of ommitted words have been documented in the R code used to generate the diagrams.

Built on Bootstrap by Sumandro.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

The issue of how to ensure the legitimacy and accountability of ICANN is a concern which finds voice in many of the proposals. Generally speaking, the issue of representation, and legitimacy of ICANN members is a point which all proposals regarding ICANN accountability consider. The issue of funding also came up in several of the submissions. The Brazilian Internet Steering Committee, Joint Contribution of Civil Society from Latin America, submissions from University of Gezira in Sudan and NIC Mexico, called for increased funding for participation of stakeholders from developing countries in ICANN and other multistakeholder meetings. The Government of Austria expressed concern over dwindling funding of IGF and called for improvement of the same. In this scenario of crunched funds, submissions by Article 19 and BestBits as well as Net Coalition proposed the use of a percentage of ICANN’s gTLD revenues to fund inclusive participation in the multistakeholder process.

Apart from these concerns, submissions to NetMundial '14 also raised a myriad of different issues around the functioning of ICANN. Nevertheless, four broad stands can be gleaned from the issue of accountability of ICANN. These are as follows:

I. Submissions which suggest that oversight over ICANN should end, and ICANN accountability should be internalised.

8 submissions to the NetMundial 2014 were of the opinion that ICANN should become an independent body with no oversight exercised by any other body on it. In other words, these proposals opposed the replacement of current US government oversight on ICANN, by oversight through any other body. In such a case, accountability of ICANN was sought to be ensured through strengthening multistakeholderism and reform within the ICANN structure.

Most of these submissions came from the civil society (4) or the technical community (2); 1 from Panel on Global Internet Cooperation and Governance Mechanisms, which identifies as “other”, and 1 from the Government of France. 3 of these proposals represent a global community, 2 come from North America or USA, 1 from France, 1 from New Zealand and 1 from the Democratic Republic of Congo.

The ICANN model proposed in the submission from Internet Governance Project (IGP), from the North American civil society, found support among other contributors in this category. The proposal was based on the principle that oversight of ICANN must not be internationalised but ended. The rationale behind such proposal was that giving additional stakeholders besides the NTIA a say in IANA function and ICANN oversight will only politicise ICANN and make it a subject of possible geopolitical power struggles by governments, ultimately ignoring the interests of internet users all over the world. While calling for an end to ICANN oversight through any or all government agencies, the proposal also called for the strengthening of multistakeholderism within ICANN. This proposal was explicitly supported by InternetNZ, from the New Zealand technical community, in its proposal, as well as to quite an extent by Article 19 and BestBits, from the global civil society, in their proposal.

IGP’s submission also suggested whittling down of ICANN’s powers in order to separate management of IANA functions from ICANN’s present mandate. This is a point where the submissions in this category diverge. Submissions from IGP with Article 19 and BestBits, Association for Progressive Communications (APC) from the civil society and InternetNZ and Avri Doria, from the technical community, recommended the separation of IANA functions from the ICANN. The French Government submission, on the other hand, did not envisage separation of management IANA function from ICANN, but rather the internalisation of the former within the latter, even as proposing an independent and multistakeholder structure for ICANN with suitable accountability mechanisms for all stakeholders.

The submission from Article 19 and BestBits, in fact, suggested further narrowing of ICANN’s mandate by explicitly including a clause in its bylaws to prevent it from engaging in content regulation or conduct that could violate freedom of expression or privacy on the internet, including technical policy making involving trademarks and intellectual property. Such suggestions were made based on the fear that, if unregulated, ICANN might increasingly make its foray into public policy issues like content regulation, as happened in the .xxx controversy. Consequently, the submission from Article 19 and BestBits also suggested that ICANN’s bylaws include a provision whereby private parties can legally challenge ICANN’s actions on grounds of human rights violations before local courts or arbitration tribunals.

This approval for local dispute resolution when the submission agrees with the suitability of Californian law for ICANN incorporation is, however, likely to cause consternation amongst non-American stakeholders. While the submission is not averse to the idea of ICANN expanding its reach globally through creation of subsidiaries (preferably in western Europe), it also takes a firm stand on ICANN not moving its headquarters out of the US. The advantages of such status quo are seen in stability of current agreements with registrars etc., but the idea of ICANN being ultimately subject to Californian law and its courts is unlikely to go down well with other global stakeholders.

One concern found across board, but more explicitly in submissions of Article 19 and BestBits and Avri Doria was the strengthening of ICANN board by making it more representative and accountable through mechanisms of internal accountability like the ATRT2 Transparency and Accountability Review process. Avri Doria of USA, in her submission suggested, the improvement of accountability mechanisms in ICANN by supplementing the ATRT process with a strong appeals mechanism, as found in IETF, for accountability process and results with powers to remove officers from their roles if they do not fulfil their responsibilities. Strengthening of GAC within ICANN by making it more participatory and representative is another concern which is highlighted.

II. Submissions which suggest that oversight of ICANN should be transferred to a multilateral or intergovernmental body

A second, small category of 4 submissions argued that the oversight function of the ICANN should be transferred from the present unilateral U.S. government (NTIA) oversight, to oversight by all countries. This was suggested to counter the power imbalance exercised by one country over critical internet infrastructure, over others, by sharing oversight of ICANN with all others.

In their details, submissions in this category can be vague. While some of them envisioned transfer of ICANN control by the US Government to an intergovernmental body like the ITU, others do not specify the details of the transfer, but merely mention that ICANN oversight should be multilateral in nature. Submissions from CIPIT, part of the Kenyan academia and The Society for Knowledge Commons, civil society stakeholder covering India and Brazil, mentioned that the oversight of technical policy functions should be “multilateral” in nature, while the submission by the Government of Iran called for restructuring ICANN as an “international” organisation.

The submission by Swiss civil society organisation, Association for Proper Internet Governance, referred to the response by the Syrian representative in ITU to RFC sought by the US Department of Commerce, to bring ICANN in the aegis of ITU by signing of a MoU between the two entities, as far as technical policy decisions (eg. development of policies relating to operation of root servers and those relating to operation and administration of gTLDs and ccTLDs) are concerned. Such a proposal was found necessary in light of the non-binding advisory nature of GAC in ICANN, especially when technical policy decisions by ICANN have public policy implications. In such a scenario, the submission dubs it “strange” to relegate government to a subsidiary role within ICANN and “unusual (to say the least)” for governments to constitute a sub-committee of the board of a private company like ICANN. Consequently, the MoU between ITU and ICANN is sought to make GAC a group within ITU so as to strengthen its legitimacy and accountability.

III. Submissions which suggest that oversight of ICANN should be transferred to another body not intergovernmental in nature.

10 submissions suggested the transfer of ICANN oversight to a non-intergovernmental or multilateral body. 2 of these proposals came from governments and 1 from the Brazilian Internet Steering Committee, which identifies as “other”, 3 from the private sector, 2 from civil society and 1 from technical community and academia each. Most of these proposals come from European stakeholders (5), 1 each from Brazil and Argentina, 1 from India, 1 from Nigeria, and 1 from the global civil society group, Just Net Coalition.

Like the last category, these submissions also expressed their dissatisfaction with the unilateral US Government oversight of ICANN, but suggested replacing it with a non-multilateral body. Details of the composition of such bodies vary. Some called for replacement by a technical body, other envision a wholly newly created multistakeholder body, yet others called for signing of the present ICANN AoC with US Government, by a number of stakeholders, which would not include just governments.

One such submission came from Portuguese academic, Luis Magalhaes, which called for the signature of ICANN AoCs with all the stakeholders in internet governance, thus effectively replacing oversight by NTIA to oversight by all stakeholders. This submission also expressed concern over the incorporation of ICANN under Californian law, and suggests that ICANN should be regulated in an international law framework, though without relinquishing its control to merely governments. Submission by the private sector stakeholder Orange Group also looked to expand the AoC of ICANN to include within it, the “ICANN community and stakeholders including Governments represented through the GAC.”

Private sector stakeholder from the UK, Nominet, similarly, called for wider engagement in the ICANN AoC and ensuring wider engagement for transparency and accountability in the AoC process. It also called to end ambiguity about the legal jurisdiction for ICANN, while including and strengthening ITU and IGF in the internet governance ecosystem. Submission by private player, Data Security Council of India, while endorsing “a multistakeholder model with defined roles of relevant stakeholders” was vaguer about the model it sought for ICANN. But it called for nomination of stakeholders by Governments rather than ICANN selecting them without transparency.

The Austrian Government submission, on the other hand, was more ambiguous. It envisaged the extension of AoCs regarding ICANN and IANA while ensuring “the full participation of all stakeholders, from both developed and developing countries, within their respective roles and responsibilities.” In its submission, the Government of Argentina sought to “promote the internationalisation of ICANN through a deep revision of the current structure,” and ensure “active representation from all regions and all actors in the ICANN structure, including representatives of governments on an equal footing,” especially in the structures of ICANN Board, SSAC and GNSO.

The submission by Brazilian Internet Steering Committee similarly, looked to export oversight to entities outside of ICANN in its submission, as long as such entities are recognised as representative of the international public interest. This was suggested with the rationale to avoid a situation where the same organisation is responsible is responsible for policy making as well as its implementation. The Committee also suggested strengthening of ATRT2 process, as well as reform of GNSO and of ALAC so that the latter can have transparent processes for nomination of members, as well as participate in policy development processes in GNSO, along with increased government participation in GNSO. It was also suggested that the number of ICANN Board seats allocated by NomCom should be reduced in order to increase slots for Board members directly elected by the SOs.

Other submissions offered a more detailed view into the composition of the oversight entity recommended to replace NTIA. The submission by global civil society organisation, Just Net Coalition, for example, proposed the formation of a “Internet Technical and Advisory Board” to discharge ICANN oversight function by replacing the present NTIA oversight role. In addition, this board was recommended to advice on public policy perspectives to various technical standards bodies, and thus act as the link between public policy bodies and these standards bodies. The composition of such a board was recommended to consist of people with specialised technical expertise but also with appropriate political legitimacy, ensured via a democratic process. 10-15 members were envisaged in such a board which could include 1 member from each of the Regional Internet Registries (RIRs). 2-3 members from each of the 5 geographic regions as understood in the UN system to be selected through an appropriate process by the relevant technical standards bodies and/or country domain name bodies of all the countries of the respective region were suggested to be part of the board. It was preferred that these members would come from the top recognised technical academic bodies of each country/region, but the entire constitution of the board was left open to other suggestions in Just Net Coalition’s submission.

The technical community stakeholder, Nigeria Internet Registration Association, on the other hand, offered a rather confused proposal for the formation of a “World Internet Governance Organisation (WIGO),”envisaged as “a global organisation with equal participation of the Government, Private sector, Civil Society, Technical Community in a multi-stakeholder consensus building NET-NATIONS.” But while in the beginning the submission suggests a multistakeholder composition of WIGO, seemingly for oversight of ICANN, later the submission sparks the idea that ICANN itself should be changed to WIGO.

Global Geneva’s submission proposed to transfer ICANN oversight to a body called World Internet Forum, which, while part of the UN system, is envisioned as a multistakeholder venue for citizens globally, where constituencies are not governments. ICANN is allowed to pursue technical policy functions like gTLD management under the supervision of WIF, while not encroaching on public policy matters. IANA function is envisaged to be managed separately from the ICANN.

In many of these submissions, like those of Argentinian Government and Brazilian Internet Steering Committee emphasis was also paid on the strengthening of GAC, while taking into consideration stakeholders other than governments.

IV. Submissions which endorse globalisation and multistakeholder governance of ICANN but are vague about the specifics of such governance model

Lastly, there are submissions which call for the globalisation of ICANN and express their dissatisfaction with the U.S. Government oversight of it, while endorsing multistakeholder governance. However, these submissions are also vague about the details of such ICANN globalisation, and the structures in which it will be held accountable.  4 such submissions emerge from governments (Spain, Norway, Mexico and the European Commission), 6 from the private sector, 2 from the technical community, and 2 from the civil society. Europe leads in this category of proposals with 6 of these proposals emerging from there, 2 from Latin America and Mexico each (4 altogether), 1 from Kuwait, 1 from Japan, 1 from the NRO (identifying itself from Mauritius) and 1 from the global GSM Association of mobile operators.

A list of these submissions is provided below.

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10.	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
10.	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
11.	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany/Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
12.	135	Joint Contributions of Civil Society Organisations from Latin America to NetMundial	Group of individuals and Civil Society Organizations from Latin America	Civil Society	Latin America	http://content.netmundial.br/contribution/joint-contributions-of-civil-society-organizations-from-latin-america-to-netmundial/251
13.	143	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
14.	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

***

A previous version of this post performed preliminary analysis of the NETmundial submissions. It may be found here.

Every evening is capped by a music performance, and the opening act was a stand-out two-hour visual extravaganza by Tom Zé, Tropicalia's most avant-garde exponent. Lula (Luiz Inácio Lula da Silva, the previous President of Brazil) was supposed to join us at 7 p.m. today to discuss Marco Civil da Internet - the Brazilian bill for "civil rights" on the Internet - but was a no show.

No matter: Marco Civil was passed into law by the Senate at about 8 p.m. this evening, and President Dilma Rousseff (who reportedly willed this meeting into being) is expected to sign her assent to it tomorrow morning at the opening of NETmundial, which she is scheduled to attend. (While the global press around Marco Civil is unanimously positive and upbeat, it's worth noting that there is one problematic provision — the issue of data retention — that many folks from Brazilian civil society see as a huge loss).

A host of civil society groups spent the day at Arena NETmundial figuring out how to stage a coordinated, detailed and forceful response to what many saw as watered-down text from the NETmundial organisers. (Several corporate representatives and some academics also saw it as watered-down, but from another direction).

There are several puzzling aspects to the shape NETmundial has assumed. What began as a response to the Snowden leaks — the unprecedented scale of the US government sponsored, NSA-executed surveillance — has become a meeting that strangely doesn't have all that much to say about surveillance, perhaps thanks to the various partners roped in to manage the process. There is little that references the bitter SOPA/PIPA battles of two years ago, and not much in the NETmundial outcome document that addresses the manner in which a sovereign state has outrageously sought to export its national application of copyright onto the global Internet landscape. The civil society meeting produced language to address both these situations.

Perhaps the most confounding aspect of this meeting is the manner in which the word "multistakeholder" is thrown about by people of every political stripe. Seemingly, if there is one thing that most everyone, from governments to businesses to civil society activists at NETmundial agree on, it is that multistakeholderism has an essential place in the future of Internet governance.

That being as it is, I asked a bunch of people what their interpretation of the term was, and many agreed to be recorded. Their answers were surprising, to say the least.

This is what they said:

Q: What does "multi-stakeholder" mean? What is "multi-stakeholderism"?

I think multistakeholderism is a kind of democracy, which means, in the public policy area, other than the critical internet resources, usually only governments make public policy. They sometimes consult with other stakeholders, but it is not usually open or transparent and it is very selective. They only choose the experts they like. I think "multistakeholder" is useful in comparison with an inter-governmental or governmental process.

Byoungil Oh from the Korean Progressive Network Jinbonet

Multistakeholderism is a mechanism to ensure that people who are affected or have the potential to be affected by a policy or a technical decision get to have a say in the decision, in the process, or in coming to a decision, so that their rights — the rights of the affected people — are assured. I think there should be some sort of equity, currently the way multistakeholderism is being carried out is that certain stakeholders carry much higher weight and I think that is something that needs to be addressed.

YoungEum Lee from Korea National Open University (Korea)

If multistakeholderism is a form of institutionalising participatory democracy, then it's good. But public policy decision making is only something that the representatives of people can do. For me, that's sacrosanct. When you're taking in views, in consultation, multistakeholderism works. But public policy decision-making, at a global level, has to be a multilateral process. However, it has to be embedded into a huge amount of public consultations, transparencies, accountabilities, etc., which could be a multistakeholder system.

Parminder Jeet Singh from IT for Change (ITFC) (India)

I hate with a passion the concept of multistakeholderism. For me, how it can make sense is by recognising there are multiple stakeholders. And they’re not fixed. But issues affect different people in different ways and these people need to be involved in decision making processes. It's an approach that can potentially democratise processes by identifying who is affected by those processes and making sure they participate in them. But turning them into an -ism which is undifferentiated, which doesn't recognise conflict, power, voice, and that there are differences, makes it meaningless and also possibly dangerous.

Anriette Esterhuysen from the Association for Progressive Communications (APC) (South Africa)

This multistakeholderism thing I think is bullshit. We now a have a clear picture of technology as a whole being turned against its users, being turned into a tool for oppression, for control. And when you look at the most important struggles of the 20th century, whether women's rights or civil rights or gay rights, it never happened with a total global consensus. This is an illusion. What we need is to affirm that we citizens have the right to decide. We are the only stakeholders here, because we are the co-owners of the Internet as a public good.

Jérémie Zimmermann, co-founder of La Quadrature du Net (France)

Everyone has to participate, and everyone has to decide what is the future of the Internet. I think that we need to improve our networks. There is no real answer here: for me it is very difficult to think of the kind of discussion we will have, but I know that my voice is probably useful for others who are in a similar situation to me.

Pilar Saenz from the Karisma Foundation (Colombia)

Multistakeholderism means that we are going to smash the patriarchy. Ask me what the colour blue means? [Ok: What does the colour blue mean?] The colour blue means we are going to smash the patriarchy.

Jacob Appelbaum, journalist, activist and core member of the TOR Project (USA/Germany)

Ultimately rights are embedded in laws. But when it comes to an international framework, in the current Internet governance model, nothing is based in law, including the domain name system. So the whole structure of international Internet governance is divorced from international law, and that's why, when you talk of a multistakeholder model, what you are really saying is that the market will finally determine what happens. No stakeholder is going to operate against its own interest whether it be governments or corporations. We need an international legal framework, from which the powers - or rights - of Internet governance emerge. Without that you're leaving it to the market. In reality, even today, what we have is a private-sector-led multistakeholder model.

Prabir Purkayastha from Knowledge Commons and the JustNet Coalition (India)

What does multistakeholderism mean? Listen, I'm a brown person from a developing country, and I'm female.

Anonymous

Introduction

A technically borderless Internet, in a world defined by national boundaries, brings many challenges in its wake. The social, ethical and legal standards of all countries are affected by technical standards and procedures, created by a few global players. This disparity in capacity and opportunities to participate and shape Internet policy, fuelled by Edward Snowden's revelations led to the development of the Global Multi-stakeholder Meeting on the Future of Internet Governance or NETmundial. Set against, an urgent need for interdisciplinary knowledge assessment towards establishing global guiding principles with respect to the technological architecture and the legal framework of the Internet–NETmundial is seen as a critical step in moving towards a global policy framework for Internet Governance (IG). As stakeholder groups from across the world come together to discuss future forms of governance, one of the most widely discussed issues will be that of Multistakeholderism (MSism).

Multistakeholderism

The governance structure of the Multistakeholder model is based on the notion, that stakeholders most impacted by decisions should be involved in the process of decision making. The collaborative multistakeholder spirit has been widely adopted within the Internet Governance fora, with proponents spread across regions and communities involved in the running, management and use of the Internet. So far, MSism has worked well in the coordination of technical networking standards and efforts to set norms and best practices in defined areas, in the realm of technical governance of the Internet.  However, the extension  of MSism beyond truly voluntary, decentralized and targeted contexts and expanding its applicability, to other substantive areas of Internet Governance is proving a challenge. Beyond defining how the process of policymaking should be undertaken, MSism does not provide any guidance on substantive policy issues of Internet governance. With the increasing impact of Internet technology on human lives and framed against the complexity of issues such as security, access and privacy, the consensus on MSism is further rendered unattainable.

The need for contextualizing the model aside, as with most policy negotiations certain open concepts and words have also prevented agreement and adoption of MSism as the best way forward for IG. One such open and perhaps, the most contentious issue with respect to the legitimacy of MSism in managing Internet functions is the role of stakeholders. A key element of MSism is that decisions will be made by and including all relevant stakeholders. Stakeholder groups are broadly classified to include governments, technical community and academia, private sector and civil society. With each stakeholder representing diverse and often conflicting interests, creating a consensus process that goes beyond a set of rules and practices promising a seat at the negotiation table and is supportive of broad public interest is a challenging task that needs urgent addressing.

This post aims to add to the discourse on defining the role and scope of stakeholders' decision-making powers, towards a better understanding of the term "in their respective role". Addressing the complexity of functions in managing and running the Internet and the diversity of stakeholders that are affected and hence should be included in decision making, I have limited the scope of my analysis to cover three broad internet management functions:

1. Technical: Issues related to infrastructure and the management of critical Internet resources
2. Policy: Issues relating to the developmental aspects, capacity building, bridging digital divide, human rights
3. Implementation: Issues relating to the use of the Internet including jurisdictional law, legislation spam, network security and cybercrime

While this may be an oversimplification of complex and interconnected layers of management and coordination, in my opinion, broad categorisation of issues is necessary, if not an ideal starting point for the purpose of this analysis. I have considered only the submissions categorised under the theme of Roadmap, seeking commonalities  across stakeholder groups and regions on the role of stakeholders and their participation in the three broad functions of technology, policy and implementation.

Towards a definition of respective roles: Analysis NETmundial submissions on Roadmap

There were a total of 44 submissions specific to Roadmap with civil society (20) contributing more than any other group including academia (7), government (4), technical community (5), private sector (3) and other (5). MSism sees support across most stakeholder groups and many submissions highlight or agree on participation and inclusion in decision making processes.

Regionally, submissions from North (24) were dominated by USA (10) with contributions cutting across academia (4), civil society (2), technical community (2) and other (2). Brazil (5) contributed the most to submissions from South (15), followed by Argentina (3). The submissions were consistent with the gender disparity prevalent in the larger technology community with only 12 females contributing submissions. An overwhelming number of submissions (38), thought that the multistakeholder (MS) model needs further definition or improvements, however, suggestions on how best to achieve this varied widely across stakeholders and regional boundaries. Only 16 submissions referenced or suggested Internet Governance Forum (IGF) in its present capacity or with an expanded policy role as a mechanism of implementing MSism on the Internet.

Many submissions referred to issues related to the management of critical internet resources (CIRs), the role of ICANN and US oversight of IANA functions. A total of 11 submissions referred to or specified governance processes with respect to technical functions and issues related to critical resources with civil society (5) and academia (3) contributing the most. In an area that perhaps has the most direct relevance to their work, the technical community was conspicuous with just two submissions making any concrete recommendations. The European Commission was the only governmental organisation that addressed this issue, recommending an expansion of the role of IGF.  There were no specific recommendations from the private sector.

The suggestions on oversight and decision making mechanism were most conflicted for this category of Internet functions and included:

• setting up a technical advisory group, positioned within a new intergovernmental body World Internet Organization (WIO) framework;
• splitting IANA functions into protocol parameters, that Internet Engineering Task Force (IETF) will be responsible for and IP address-related functions retained by ICANN
• expanding the role of IGF, possibly creating an IGF Secretariat
• expanding the role of Government Advisory Committee (GAC) to mainstream government representatives participation within supporting organisations, in particular the Generic Name Supporting Organisation (GNRO)
• expanding the role of private sector
• expanding the role of ICANN with multistakeholder values
• expanding the role of all stakeholders
• implementing changes that do not necessarily require legislative acts or similar hard law approaches and implementation does not necessitate international treaties or intergovernmental structures
• establishing a new non-profit corporation DNS Authority (DNSA) combining the IANA Functions and the Root Zone Maintainer roles in
• improving transparency and accountability of current bodies managing CIRs

16 submissions referred to issues related to policy development and implementation including developmental aspects, capacity building, bridging digital divide and human rights. All submissions called for a reform or further definition of MSism and included recommendations from civil society (5), academia (4), technical community (2), governments (2), private sector (1) and Other (2). All stakeholder groups across regions, unanimously agreed that all stakeholders within their respective role should have a role in decision making and within public policy functions. There was however, no broad consensus on the best way to achieve this.

Specific recommendations and views captured on who should be involved in policy related decision making and what possible frameworks could be developed included:

• improving existing intergovernmental organizations
• creating Internet Ad Hoc Group
• modularization of ICANN’s functions
• creating a stewardship group IETF, ICANN and the RIRs
• creating an independent IANA as an International NGO with host country agreements  governed by its MOUs-defined by the IANA Stewardship Group prior to the signing of MOUs with IANA Partners
• creating a 'new body' to develop international level public policies in concerned areas; seek appropriate harmonization of national level policies; and facilitate required treaties, conventions and agreements
• responsibility of the definition of these policies rests within the States as an inalienable right
• continuity of bottom-up oversight enables a better view of an organization and thus better accountability as government oversight will destroy multistakeholder character
• evolving global governance norms that separate DNS maintenance from policies on TLDs, as well as public policies that intersect with nations’ rights to make them
• policy makers incrementally develop formal and informal relationships
• dealing with conflict of interest and ensuring pluralism
• full multi-stakeholder framework including possible establishment of Working Groups where all parties concerned are represented

18 submissions referred to issues related to the implementation of standards including issues relating to the use of the Internet including jurisdiction, law, legislation, spam, network security and cybercrime. All submissions called for a reform or further definition of MSism values and included recommendations from civil society (8), academia (3), technical community (3), governments (2), private sector (1) and other (1). Stakeholders from academia (5), civil society (3) and government (1) collectively called for the reform of ICANN guided by multistakeholder values, but did not specify how this reform would be achieved.

Specific recommendations on the improvements of institutional frameworks and arrangements for issues related to implementation of  standards included:

• establishment of double system of arbitrage/settlement placed under World Internet Forum (WIF) scrutiny and under the neutral oversight and arbitrage of the UN general secretariat
• new legal instruments in establishing MS model need to be adopted
• establishment of the Internet Technical Oversight and Advisory Board (ITOAB) replace the US government's current oversight role
• multilateral frameworks with oversight role of governments

In summation,  the classification of Internet functions discussed above, presents a very broad view of complex, dynamic and often, interrelated relationships amongst stakeholder groups. However, even within these very broad categories there are various interpretations of how MSism should evolve.

To come back to the very beginning of this post,  NETmundial is an important step towards a global policy framework for Internet governance. This is the first meeting outside formal processes and it is difficult to know what to expect, partly as the expectations are not clear and range widely across stakeholders. Whatever the outcome,  NETmundial's real contribution to Internet Governance has been sparking anew, the discourse on multistakeholderism and its application on the Internet through the creation of a spontaneous order amongst diverse actors and providing a common platform for divergent views to come together.

NETmundial Day 1

>
>***LIVE SCRIBING BY BREWER & DARRENOUGUE - WWW.QUICKTEXT.COM***
>------
>>> LADIES AND GENTLEMEN, GOOD MORNING. IN SOME MINUTES WE WILL HAVE OUR OPENING SESSION OF OUR GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF THE INTERNET GOVERNANCE. PLEASE TURN OFF YOUR MOBILE PHONES OR TURN THEM INTO VIBRATING. PLEASE TAKE YOUR SEATS. OR SHUT IT OFF. THANK YOU VERY MUCH.
>------
>------
>>> LADIES AND GENTLEMEN, PLEASE TAKE YOUR SEATS AND PLEASE TURN OFF YOUR MOBILE PHONES OR SET THEM INTO SILENT MODE. IN SOME MINUTES, WE ARE GOING TO START OUR OPENING CEREMONY OF OUR GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE GOVERNANCE OF THE INTERNET.
>------
>------
>>> PLEASE TAKE YOUR SEATS AND TURN OFF YOUR MOBILE PHONES OR SET THEM INTO SILENT MODE. IN A FEW MINUTES, WE WILL START OUR OPENING CEREMONY OF THE GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF INTERNET GOVERNANCE.
>------
>------
>------
>------
>>> LADIES AND GENTLEMEN, IN SOME MINUTES WE WILL START OFF THE OPENING CEREMONY OF THE GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF INTERNET GOVERNANCE.
>------
>------
>[MUSIC ] >> THIS IS MY INTERNET.
>>> THIS IS MY INTERNET.
>------
>------
>------
>------
>------
>>> LADIES AND GENTLEMEN, THE PRESIDENT OF BRAZIL, HER EXCELLENCY DILMA ROUSSEFF. THE CHAIRMAN OF NETmundial, VIRGILIO ALMEIDA, AND THE MIKE RODENBAUGH OF SAO PAULO, THE COO OF ICANN, FADI CHEHADE, AND THE REPRESENTATIVE OF THE TECHNICAL SECTOR AND CREATOR OF THE WEB, TIM BERNERS-LEE. REPRESENTATIVE OF THE PRIVATE SECRETARY AND VICE PRESIDENT OF GOOGLE, VINT CERF, AND THE REPRESENTATIVE OF THE -- OF CIVIL SOCIETY, COFOUNDER, NNENNA NWAKANMA.
>[APPLAUSE ] >> WE ARE STARTING OFF THIS EFFORT AND WE ARE GOING TO LISTEN TO THE NATIONAL ANTHEM OF BRAZIL.
>[ PLAYING OF NATIONAL ANTHEM. ] [APPLAUSE ] >> WE ARE GOING TO LISTEN TO THE WORDS OF THE MINISTER OF COMMUNICATIONS, PAULO BERNARDO.
>>>PAULO BERNARDO SILVA: GOOD MORNING, HER EXCELLENCY DILMA ROUSSEFF, MEMBERS HERE AND PARTICIPANTS OF THIS MEETING.
>LADIES AND GENTLEMEN, WELCOME TO BRAZIL AND TO NETmundial. WE ARE VERY PROUD AND FEEL VERY RESPONSIBLE FOR RECEIVING YOU IN SAO PAULO.
>ALL OF YOU WHO CARE ABOUT INTERNET IN THE FUTURE HAVE REASONS FOR BEING PLEASED WITH WHAT WE ARE GOING TO DO TODAY.
>THIS MEETING IS THE CONCRETIZATION OF ALL OUR WISHES. WE NEEDED AN ADEQUATE ENVIRONMENT FOR THIS TO BE VOICED. WE BELIEVE THAT NETmundial IS THIS ENVIRONMENT WE NEED. FREE PARTICIPANTIVE AND PLURAL, AS WELL AS THE INTERNET WE BELIEVE IN.
>AND THIS IS SO BECAUSE THE CONCERN THAT GETS US TOGETHER IS GREATER THAN THE CONCERNS OF EACH PARTY. WE ARE DISCUSSING THIS INTERNET AROUND THIS TABLE OR OTHERWISE WE WILL HAVE NO FUTURE FOR THE INTERNET FROM THE VERY FIRST MOMENT, THE DIFFERENT STAKEHOLDERS GOT INVOLVED IN THE ORGANIZATION OF THIS EVENT AND THE PROOF OF THIS ENVIRONMENT IS HERE IN THE GREAT DIVERSITY OF CONTRIBUTIONS RECEIVED.
>WE ALSO HAVE HERE MANY AUTHORITIES AND PARTICIPANTS. WE'D LIKE TO THANK EACH ONE OF YOU AND CONGRATULATE EACH ONE OF YOU FROM DIFFERENT COUNTRIES. WE'RE ALL PROTAGONISTS OF AN HISTORICAL MOMENT AND TODAY WHAT WE HAVE BEFORE US IS A CHALLENGE TO MAKE THE MOST FOR ALL THE DIFFERENT OPINIONS IN FAVOR OF A UNIQUE PATH.
>THIS PATH HAS A VERY STRAIGHT SENSE OF ORIENTATION, A FREE AND UNFRAGMENTED INTERNET. THAT'S THE BEST WE CAN HAVE, THE CAPACITY TO CONNECT, TO MOBILIZE, TO INNOVATE, TO CREATE RICHNESS OF CULTURE OR WHATEVER, AND RESPECT THE LINKS. SO INTERNET BEING RULED BY MORE PEOPLE COULD REACH MORE PEOPLE IN THE WORLD.
>SO I WISH THAT WHEN WE LEAVE SAO PAULO, WE CAN 81BRATE A NEW AND PROMISSORY BEGINNING. THIS IS OUR RESPONSIBILITY HERE, AND THANK YOU VERY MUCH. AND HAVE A GOOD MEETING. THANK YOU.
>[APPLAUSE ] >> NOW, MR. HONKING, SECRETARY-GENERAL OF THE UNITED NATIONS FOR BUSINESS MATTERS WILL DELIVER HIS MESSAGE FROM THE SECRETARY-GENERAL, BAN KI-MOON.
>>>WU HONGBO: YOUR EXCELLENCY, PRESIDENT ROUSSEFF, DISTINGUISHED MINISTERS, EXCELLENCIES, DISTINGUISHED DELEGATES, COLLEAGUES, LADIES AND GENTLEMEN.
>I'M HONORED TO BE HERE WITH YOU FOR THIS IMPORTANT EVENT. IT IS MY GREAT PLEASURE TO DELIVER A MESSAGE ON BEHALF OF THE UNITED NATIONS SECRETARY-GENERAL, MR. BAN KI-MOON.
>HERE I QUOTE: I THANK THE GOVERNMENT OF BRAZIL FOR HOSTING THE NETmundial MEETING, AND I COMMEND THIS GLOBAL MULTISTAKEHOLDER NATURE. ONLY THROUGH INCLUSIVE AND BOTTOM-UP PARTICIPATION WE BE ABLE TO FOSTER AN ACCESSIBLE, OPEN, SECURE, AND TRUSTWORTHY INTERNET.
>THE INTERNET IS TRANSFORMING SOCIETIES IN ALL REGIONS. IT IS THE BACKBONE OF OUR GLOBAL ECONOMY AND AN ESSENTIAL VEHICLE FOR DISSEMINATING INFORMATION AND IDEAS.
>ONE-THIRD OF THE PEOPLE NOW HAVE ACCESS TO THE INTERNET AND THE KNOWLEDGE AND THE TOOLS IT PROVIDES. INCREASING NUMBER OF PEOPLE NOW HAVE A PLATFORM TO VOICE THEIR OPINIONS AND PARTICIPATE IN SOCIETY FROM COMMERCE TO DEMOCRATIC DECISION-MAKING. THAT IS WHY IT IS ESSENTIAL THAT INTERNET GOVERNANCE POLICIES CONTINUE TO FOSTER FREEDOM OF EXPRESSION AND THE FREE FLOW OF INFORMATION.
>THE INTERNET AND THE INFORMATION SOCIETY HOLD TREMENDOUS PROMISE FOR THE POST-2015 DEVELOPMENT AGENDA.
>THE INTERNET CAN STRENGTHEN EFFORTS TO ERADICATE POVERTY, ADDRESS INEQUALITY, AND PROTECT AND RENEW THE PLANET'S RESOURCES.
>BUT REALIZING THE PROMISE MEANS EXPANDING INTERNET ACCESS TO NEARLY 1.3 BILLION PEOPLE WHO CURRENTLY LACK IT.
>MOST ARE IN DEVELOPING COUNTRIES AND THERE ARE SIGNIFICANT GENDER GAPS.
>INTERNET GOVERNANCE MUST, THEREFORE, WORK TO BRIDGE THE DIGITAL DIVIDE THROUGH INCLUSIVE RIGHTS-BASED POLICIES.
>INTERNET GOVERNANCE SHOULD AIM FOR UNIVERSAL ACCESS TO AN INTEROPERABLE, GLOBALLY CONNECTED, AND SAFE ONLINE SPACE.
>TO THIS END, THE PRINCIPLES OF THE WORLD SUMMIT ON THE INFORMATION SOCIETY REMAIN RELEVANT.
>THE UNITED NATIONS INVITES ALL STAKEHOLDERS TO JOIN IN THE ONGOING SUMMIT REVIEW PROCESS.
>CONFIDENCE IN THE INTERNET AND ITS GOVERNANCE IS VITAL. IF IT IS TO BE EFFECTIVELY CONTRIBUTING TO THE SUSTAINABLE DEVELOPMENT.
>IN THIS CONNECTION, I WISH TO INFORM THE MEETING I INTEND TO APPOINT AMBASSADOR JANIS KARKLINS OF LATVIA AS THE CHAIR OF THE MULTISTAKEHOLDER ADVISORY GROUP OF THE INTERNET GOVERNANCE FORUM.
>[APPLAUSE ] >>WU HONGBO: I COUNT ON MR. KARKLINS TO PROMOTE A STRENGTHENED INTERNET GOVERNANCE THROUGH BROADER PARTICIPATION, NOT ONLY BY GOVERNMENTS BUT ALSO THE PRIVATE SECTOR AND CIVIL SOCIETY, INCLUDING THE ACADEMIC AND THE TECHNICAL COMMUNITIES.
>BUILDING CONSENSUS ON THE ROADMAP FOR THE FUTURE OF INTERNET GOVERNANCE IS CRUCIAL. THIS NETmundial IS AN IMPORTANT MILESTONE. I WISH YOU A PRODUCTIVE MEETING. UNQUOTE.
>THANK YOU VERY MUCH ON BEHALF OF UNITED NATIONS DEPARTMENT OF ECONOMIC AND SOCIAL AFFAIRS, UNDESA. I WOULD LIKE TO THANK BRAZIL AND THE BRAZILIAN INTERNET STEERING COMMITTEE FOR NOT ONLY HOSTING THIS IMPORTANT MEETING, BUT ALSO FOR BEING CONSISTENT SUPPORTERS OF INTERNET GOVERNMENT FORUM. THE IGF COMMUNITY LOOKS FORWARD TO RUNNING TO BRAZIL FOR THE SECOND TIME FOR THE 10TH IGF IN 2015.
>THANK YOU VERY MUCH.
>[APPLAUSE ] >> NOW, WE ARE GOING TO LISTEN TO MS. NNENNA NWAKANMA, A REPRESENTATIVE OF CIVIL SOCIETY AND CONTRIBUTOR OF THE OPEN SOURCE FOUNDATION OF AFRICA.
>[APPLAUSE ] >>NNENNA NWAKANMA: OOH-LA-LA. YOUR EXCELLENCIES, COLLEAGUES, PRESENT AND REMOTE LADIES AND GENTLEMEN, (NON-ENGLISH WORD OR PHRASE). MY NAME IS I COME FROM THE INTERNET. I ALSO COME FROM DIVERSE CIVIL SOCIETY TEAMS AND NETWORKS, ONE OF WHICH IS THE TEAM THAT WORKS WITH THE WORLD WIDE WEB FOUNDATION.
>AT THE WEB FOUNDATION, WE ARE ENGAGED IN THE ALLIANCE FOR AFFORDABLE INTERNET. WE'RE ENGAGED IN THE WEB INDEX AND OPEN DATA INITIATIVES. ONE THING I DO FOR A LIVING IS TO ESTABLISH THE OPEN WEB AS A GLOBAL PUBLIC GOOD AND A BASIC RIGHT, ENSURING THAT EVERYONE CAN ACCESS AND USE IT FREELY. THAT'S WHAT I DO.
>I ALSO BELONG TO THE (INDISCERNIBLE) CIVIL SOCIETY PLATFORM, THE INTERNET GOVERNANCE CAUCUS FOR THE PAST 12 YEARS, AND THE AFRICA INTERNET GOVERNANCE FORUM.
>SO FOR ME, NETmundial, IN CONVENING US TO TAKE A CRITICAL LOOK AT THE PRINCIPLES AND ROADMAP FOR THE FUTURE OF THE INTERNET GOVERNANCE AVAILS ME WITH AN OPPORTUNITY TO RAISE THREE KEY ISSUES.
>THE FIRST ISSUE IS ACCESS.
>AS MUCH AS TWO-THIRDS OF THE WORLD'S POPULATION IS NOT YET CONNECTED TO THE INTERNET. THE PENETRATION RATES IN DEVELOPED COUNTRIES AVERAGE AROUND 31%, BUT IN AFRICA WHERE I COME FROM, WE ARE ABOUT 16%.
>IN THE WORLD'S 49 LEAST DEVELOPED COUNTRIES, OVER 90% OF THE POPULATION ARE STILL NOT ONLINE.
>WE HAVE 1 BILLION PEOPLE LIVING WITH DISABILITY, AND 80% OF THESE LIVE IN THE DEVELOPING COUNTRIES. EACH ONE OF THESE DESERVE ACCESS.
>ACCESS TO INFORMATION, ACCESS TO LIBRARIES, ACCESS TO KNOWLEDGE, AND ACCESS TO AFFORDABLE INTERNET.
>MY SECOND ISSUE IS SOCIAL AND ECONOMIC JUSTICE.
>THE INTERNET IS FAST BECOMING THE DOMINANT MEANS OF WEALTH CREATION, SO THE RIGHTS TO DEVELOPMENT, I THINK, SHOULD INCLUDE SOCIAL JUSTICE.
>FOR ME, IT IS NOT ENOUGH TO DO A SUPERFICIAL CAPACITY-BUILDING JUST FOR A FEW PERSONS. I'M LOOKING FOR THE MECHANISM THAT ALLOWS THE HIGHEST NUMBER OF PERSONS TO BE INCLUDED, THE LARGEST NUMBER OF VOICES TO BE HEARD, THE WIDEST EXTENT OF ACCESS TO INNOVATION, AND THE DEEPEST CREATIVITY FOR THE HUMAN MIND TO FLOURISH.
>FOR THIS, I THINK WE NEED TO START CONSIDERING THE INTERNET AS PUBLIC COMMENTS.
>MY THIRD ISSUE IS HUMAN RIGHTS AND FREEDOM.
>NOW I WILL INVITE YOU TO LISTEN THROUGH MY VOICE TO SOMEONE THAT I GREATLY RESPECT.
>THIS PERSON IS A "SHE." SHE WAS SPEAKING AT THE UNITED NATIONS GENERAL ASSEMBLY IN NEW YORK ON THE 25TH OF SEPTEMBER RAFT YEAR. DO YOU WANT TO HEAR WHAT SHE SAID?
>>> YES!
>>>NNENNA NWAKANMA: SHE SAID, "I CANNOT BUT DEFEND IN AN UNCOMPROMISING FASHION THE RIGHT TO PRIVACY OF INDIVIDUALS. IN THE ABSENCE OF THE RIGHT TO PRIVACY, THERE CAN BE NO TRUE FREEDOM OF EXPRESSION AND OPINION AND THERE IS NO EFFECTIVE DEMOCRACY." AND THAT WAS DILMA ROUSSEFF.
>[CHEERS AND APPLAUSE ] >>NNENNA NWAKANMA: OKAY. THANK YOU. RIGHT. LADIES AND GENTLEMEN, IN LOOKING FORWARD TOWARDS THE ROADMAP, I ALSO NEED TO RAISE THREE KEY ISSUES.
>MY FIRST ISSUE IS PARTICIPATION. WHEN WE STARTED, WE KICKED OFF WITH THE BASIC UNDERSTANDING THAT ALL STAKEHOLDERS HAVE A PLACE, A ROLE, A CONTRIBUTION.
>BUT AS WE'VE MOVED FURTHER DOWN THE LINE, THE IDEA OF MULTISTAKEHOLDER ENGAGEMENT IS GETTING MUDDLED AND IT'S LOSING A BIT OF ITS MEANING, SO I WOULD REQUEST THAT WE GO BACK TO THE DRAWING BOARD AND WE REVISIT IT, AND IF IT NEEDS TO UPGRADE, PLEASE LET'S DO THAT.
>BECAUSE WE NEED TO ENGAGE ALL STAKEHOLDERS AT A GLOBAL, REGIONAL, AND NATIONAL LEVELS.
>WE NEED TO ESTABLISH RESPECT AND VALUE FOR ALL CONTRIBUTIONS COMING FROM ALL STAKEHOLDERS, AND WE NEED MEANINGFUL PARTICIPATION FROM INDIVIDUALS COMING FROM DEVELOPING COUNTRIES AND UNDERREPRESENTED GROUPS.
>MY SECOND ISSUE IS RESOURCES.
>HOW DO WE ENSURE THAT RESOURCES ARE MOBILIZED AND MAINTAINED FOR A VIABLE INTERNET GOVERNANCE MECHANISM?
>THE QUESTION IS NOT JUST AT THE GLOBAL LEVEL. IT'S AT CONTINENTAL, REGIONAL, AND EVEN NATIONAL LEVELS.
>WHO'S RESOURCES ARE WE GOING TO COMMIT?
>MY FIRST THOUGHT IS THAT THE INTERNET SHOULD BE ABLE TO PROVIDE RESOURCES FOR ITS OWN GOVERNANCE. MAYBE PART OF THE DOMAIN NAME FEES SHOULD BE REINVESTED IN THIS AREA.
>[APPLAUSE ]
>>>NNENNA NWAKANMA: NOW, MY THIRD ISSUE IS CHANGE.
>NETmundial IS OFFERING US A GREAT OPPORTUNITY FOR CHANGE. CHANGE FROM ONE STAKEHOLDER HIJACKING THE PROCESS TO AN OPEN AND INCLUSIVE PROCESS. CHANGE FROM ONE OFFICIAL ISSUING ORDERS TO COLLABORATION. CHANGE FROM JUST REPORTS TO REAL TRANSPARENCY.
>CHANGE FROM POWER TO ACCOUNTABILITY. CHANGE FROM MONOLOGUES TO DIALOGUES AND DEBATES. CHANGE FROM THE RHETORIC OF CYBER-WAR TO THE NOTION OF INTERNET FOR PEACE. CHANGE FROM CYBER-THREATS TO DIGITAL SOLIDARITY. AND I DO BELIEVE THAT ALL OF THESE PRINCIPLES WILL ALSO GUIDE US IN IANA TRANSITION.
>LADIES AND GENTLEMEN, THERE IS ONE MESSAGE I MUST LEAVE WITH YOU TODAY, IT IS THE MESSAGE OF TRUST.
>WE'RE IN BRAZIL BECAUSE WE TRUST THE PERSON OF DILMA ROUSSEFF. WE ARE HERE BECAUSE WE TRUST THE NETmundial PROCESS. WE TRUST THE MULTISTAKEHOLDER APPROACH OF BRAZIL IN ITS OWN IGF, AND WE HAVE FOLLOWED THE STORY OF MARCO CIVIL AND I WANT TO SEE CONGRATULATIONS TO ALL BRAZILIANS ON THIS.
>[CHEERS AND APPLAUSE ] >>NNENNA NWAKANMA: HANG ON. HANG ON. HANG ON.
>THE TRUST THAT WE HAVE IN BRAZIL IS NEEDED AT ALL LEVELS. BUT THIS TRUST HAS BEEN DESTROYED BY THE COLLECTION, PROCESSING, AND INTERCEPTION OF OUR COMMUNICATIONS.
>[APPLAUSE ] >>NNENNA NWAKANMA: YES. SURVEILLANCE ON INTERNET SECURITY AND OUR TRUST IN ALL PERSONAL BUSINESS AND DIPLOMATIC COMMUNICATIONS. THAT'S WHY WE SAY "NO." THE WEB WE CAN TRUST, THAT IS THE WEB WE WANT. THE WEB THAT CONTRIBUTES TO PEACE, THAT IS THE WEB WE WANT. THE WEB THAT IS OPEN AND INCLUSIVE, THAT IS THE WEB WE WANT. THE WEB OF OPPORTUNITIES AND SOCIAL JUSTICE, THAT IS WHY I AM HERE.
>LADIES AND GENTLEMEN, NETmundial, I THINK, IS THE WORLD CUP OF INTERNET GOVERNANCE. WE NEED A ROBUST STADIUM THAT CAN HOLD US. THAT IS INFRASTRUCTURE. WE NEED TO ENJOY THE GAME. THAT IS PARTICIPATION. WE SHOULD NOT DISCRIMINATE. THAT IS NET NEUTRALITY. EVERYBODY'S FREE TO SUPPORT THEIR TEAM. I SUPPORT (SAYING NAME) OF NIGERIA. THAT IS FREEDOM. I SUPPORT BRAZIL AS LONG AS THEY ARE NOT PLAYING AGAINST AFRICA, ANYWAY.
>[LAUGHTER ] >>NNENNA NWAKANMA: WE NEED TO BE ABLE TO WEAR OUR COSTUMES AS FANS AND THAT IS DIVERSITY. AND MOST IMPORTANTLY, WE NEED TO KNOW THE RULES OF THE GAME AND PLAY BY IT. THAT, FOR ME, IS TRANSPARENCY.
>SO IT'S NOT GOING TO BE ABOUT POWER AND CONTROL FOR GOVERNMENTS. IT'S NOT GOING TO BE JUST INTEREST FOR THE INDUSTRY. IT'S NOT GOING TO BE NAMES AND NUMBERS FOR TECHNICAL COMMUNITY. IT'S NOT GOING TO BE FOR OR AGAINST FOR CIVIL SOCIETY. I THINK THAT WE NEED HUMILITY. THE HUMILITY TO LISTEN TO DIVERSE VOICES IS ESSENTIAL FOR AN AUTHENTIC DIALOGUE. LET US TALK TO EACH OTHER AND NOT AT EACH OTHER. BECAUSE SOMETIMES WE CAN BE SO DROWNED IN OUR OWN VOICES THAT WE DO NOT HEAR THE OTHER STAKEHOLDERS.
>JUST BEFORE I SIT DOWN, LADIES AND GENTLEMEN, TOMORROW IS GIRLS IN ICT DAY, SO I'M GOING TO SPEAK TO LADIES.
>GIRLS, IT IS UP TO US TO SEIZE THE OPPORTUNITY THAT THE INTERNET HAS GIVEN US. LET'S SEIZE IT AND LET'S ROCK THE WORLD! LET US GET WOMEN ONLINE. LET US GET US ONLINE.
>AND THIS, I WANT TO SAY A SPECIAL TRIBUTE TO ALL THE GIRLS IN MY WORLD FOUNDATION TEAM. ALEXANDRA IS HERE, RENAT AVILA, SONIA GEORGE, ANGELA, AND NOT JUST NETmundial BUT GIRLS ACROSS THE WORLD WORK ON THE INTERNET EVERY DAY. DEBORAH BROWN IS IN THE U.S. MARION FRANKLIN IS IN EUROPE. ANNA IS IN INDIA, (SAYING NAME) IS IN LATIN AMERICA HERE, (SAYING NAME) IS IN AFRICA, JOY LID I COT IS IN NEW ZEALAND, AND SALANIETA IS SOMEWHERE IN THE ISLANDS OF FIJI. GREAT WOMEN WHO DO THIS WORK. AND EVEN HERE IN BRAZIL, WE HAVE GREAT LADIES. ONE IS (SAYING NAME) AND THE OTHER IS (SAYING NAME) BUT COME ON, IT'S NOT JUST ABOUT WOMEN. THERE ARE GUYS, MEN, WHO WORK EVERY DAY, WHO PUT IN THE ENERGY, WHO PUT IN THEIR LIFE, WHO PUT IN ALL THEY HAVE, PUT IN THEIR EXPERTISE, SO THAT WE CAN HAVE A GLOBAL, TRUE, OPEN AND RESILIENT. AND TO ALL OF US WHO LOVE THE INTERNET AND TO ALL OF US WHO ARE HERE AND TO SOMEONE CALLED EDWARD, EDWARD SNOWDEN, THANK YOU.
>[CHEERS AND APPLAUSE ]
>>> ---
>>>VINT CERF: PRESIDENT DILMA ROUSSEFF, EXCELLENCIES, DISTINGUISHED GUESTS, LADIES AND GENTLEMEN, IT IS AN HONOR AND A PRIVILEGE TO PARTICIPATE IN NETmundial. THIS DIALOGUE IS TIMELY AND MUCH NEEDED AS THE INTERNET CELEBRATES THE 40th YEAR OF ITS PUBLIC UNVEILING AND THE 31st YEAR OF ITS OPERATION. IN MAY 1974, THE DESIGN OF THE INTERNET WAS PUBLISHED IN THE IE EX-E PUBLICATIONS. ROBERT KAHN AND I FELT STRONGLY THE DESIGN AND THE PROTOCOLS OF THE INTERNET NEEDED TO BE FREELY AND OPENLY AVAILABLE TO ANY INTERESTED PARTIES AND WITHOUT ANY BARRIERS TO ADOPTION AND USE.
>OVER FOUR DECADES BY WORKING TOGETHER AND INCLUDING THE EXPERIENCES GATHERED FROM OTHER GLOBAL NETWORK EXERCISES, AN INFORMAL COALITION HAS BUILT FROM THE BOTTOM UP THE SUCCESSFUL, FREE AND OPEN INTERNET AND THE POPULAR WORLDWIDE WEB. SOME 3 BILLION PEOPLE ARE ALREADY ONLINE WORKING TOGETHER TOWARDS GROWTH IN A POWERFUL ECONOMIC ENGINE AND POSITIVE SOCIAL FORCE.
>THIS INTERNET GOVERNANCE MEETING COMES AT A TIME WHEN THE INTERNET AND ITS USE REFLECTS THE FULL RANGE OF INTERESTS OF A GLOBAL AND INCREASINGLY ONLINE SOCIETY.
>IN ADDITION TO APPRECIATING THE ENORMOUS BENEFITS ALREADY OBTAINED THROUGH THE COOPERATIVE CREATION, DISCOVERING AND SHARING OF INFORMATION ON THE INTERNET, IT IS ALSO APPARENT THAT USERS AND GOVERNMENTS ARE BECOMING CONCERNED ABOUT POTENTIAL HARMS THAT MAY BE ENCOUNTERED IN THIS DIGITAL WORLD.
>A SMALL FRACTION OF THE INTERNET'S USERS DELIBERATELY SEEK TO BENEFIT THEMSELVES AT THE EXPENSE OF OTHERS OR JUST SEEK TO DO DAMAGE THROUGH A KIND OF DIGITAL VANDALISM, AS ALSO HAPPENS OFFLINE.
>MOREOVER, IT IS APPARENT THAT THE RICH SOCIAL NETWORKING APPLICATIONSES THAT ARE RAPIDLY PROLIFERATING ALSO HAVE A POLITICAL POTENTIAL THAT MAY BE ALARMING TO SOME REGIMES.
>GOVERNMENTS UNDERSTANDABLY SEEK WAYS TO DEFEND THE GENERAL PUBLIC AND PRIVATE SECTORS AGAINST HARM, SUCH AS FRAUD, MALWARE, IDENTITY THEFT AND BULLYING. OTHERS VIOLATE HUMAN RIGHTS BY USING THE INTERNET TO CENSOR, MISINFORM, CONDUCT SURVEILLANCE AND RESTRICT SPEECH OR USE IT AS A MEANS TO IDENTIFY AND INCARCERATE THOSE WHO SPEAK TRUTH TO POWER.
>THE OPENNESS OF THE INTERNET HAS BEEN THE KEY TO ITS GROWTH AND VALUE. PERMISSIONLESS INNOVATION IS THE MAIN SPRING OF INTERNET'S ECONOMIC POWER. WE MUST FIND WAYS TO PROTECT THE VALUES THAT THE INTERNET BRINGS, INCLUDING THE RIGHTS OF ITS USERS WHILE ALSO PROTECTING THEM FROM HARM.
>THESE PRINCIPLES, TOGETHER WITH GROWING ACCESS TO THE INTERNET WILL PROVE TO BE OF LASTING VALUE TO THE DEVELOPING WORLD THAT CAN TAKE ADVANTAGE OF THE POSITIVE BENEFITS OF AN EXPANDING INFORMATION ECONOMY.
>OUR WORK IS NOT NEARLY DONE UNTIL THE INTERNET IS ACCESSIBLE TO EVERYONE AND IPv6 IS ACCESSIBLE EVERYWHERE.
>BRAZIL HAS SET A POSITIVE EXAMPLE IN NETmundial. IN A MULTIPARTY INITIATIVE LED BY CONGRESSMAN ALESANDRO MALONE, THE COUNTRY HAS JUST LEGISLATED MARCO CIVIL WHICH OFFERS IMPORTANT SAFEGUARDS TO PROTECT INTERMEDIARY INTERNET PROVIDERS AND PROTECT USER RIGHTS. ITS INTERNET STEERING COMMITTEE, CGI.BR, IS A MODEL OF NATIONAL MULTISTAKEHOLDER GOVERNANCE.
>THIS MEETING, AMONG MANY OTHERS, REPRESENTS AN IMPORTANT OPPORTUNITY TO EXAMINE A MULTISTAKEHOLDER MODEL FOR INTERNET GOVERNANCE BASED ON THE PARTICIPATION OF ALL STAKEHOLDERS, INCLUDING ROLES FOR GOVERNMENT, ACADEMICS, CIVIL SOCIETY, PRIVATE BUSINESSES AND THE TECHNICAL COMMUNITY. THIS CONFERENCE HAS BROUGHT TOGETHER A RICH AND VARIED GROUP OF INTERESTED PARTIES TO EXPLORE PRINCIPLES AND GUIDELINES FOR FUTURE INTERNET GOVERNANCE AS IT REACHES THE OTHER 4 BILLION STILL UNCONNECTED PEOPLE IN THE WORLD.
>THE INTERNET HAS BEEN BUILT ON THE BASIS OF COLLABORATION AMONG A DIVERSE AND CONSTANTLY EVOLVING SET OF INTERESTED PARTIES. AND THIS IS A FOUNDATIONAL IDEA THAT MUST BE PRESERVED. NEW INSTITUTIONS AND OPERATIONAL PLAYERS HAVE BEEN FORMED AT NEED, SUCH AS THE INTERNET ARCHITECTURE BOARD, THE INTERNET ENGINEERING TASK, THE INTERPRET SOCIETY, THE INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS, THE REGIONAL INTERNET REGISTRIES AND THE NUMBER RESOURCE ORGANIZATION, OTHER REGIONAL TLD ORGANIZATIONS SUCH AS CENTR AND LacTLD, THE ROOT SERVER OPERATORS, REGIONAL NETWORK OPERATION GROUPS, THE EMERGENCY RESPONSE TEAMS, INTERNET EXCHANGE POINTS, THE TOP-LEVEL DOMAIN REGISTRIES AND REGISTRARS AND THE NETWORK INFORMATION CENTERS SUCH AS THE BRAZILIAN NIC.
>OUT OF THE WORLD SUMMIT ON THE INFORMATION SOCIETY HAS COME THE ANNUAL INTERNET GOVERNANCE FORUM AND ITS REGIONAL AND NATIONAL ANALOGS. WE CREATE INSTITUTIONS AT NEED.
>AS WE GATHER HERE FOR THE NEXT TWO DAYS, WE HAVE TWO SPECIFIC CHALLENGES TO CONSIDER. THE LARGER ONE IS THE GENERAL DESIGN OF A GLOBAL, MULTISTAKEHOLDER INTERNET GOVERNANCE FRAMEWORK THAT PRESERVES THE FREE AND OPEN INTERNET AND PROVIDES TRANSNATIONAL PROTECTIONS FOR THE RIGHTS OF USERS.
>THE FRAMEWORK HAS TO ENABLE THE EVOLUTION OF THE INTERNET AND BE ABLE TO ADAPT TO IT. THE MORE FOCUSED CHALLENGE IS TO DEVISE A RESPONSE TO THE U.S. INVITATION TO ASSURE THAT WHEN THE U.S. GOVERNMENT AND ITS CONTRACTUAL RELATIONSHIP WITH ICANN, THE MULTISTAKEHOLDER FRAMEWORK FOR ICANN'S MANAGEMENT OF UNIQUE IDENTIFIERS AND PARAMETERS WILL ADHERE TO THE PRINCIPLES THAT HAVE MADE THE INTERNET A REMARKABLE, GLOBAL AND BENEFICIAL INFRASTRUCTURE.
>I BELIEVE THAT THE CHALLENGE BEFORE US, ASSURING ICANN'S ADHERENCE CAN BE ACCOMPLISHED BY REINFORCING ITS ACCOUNTABILITY AND TRANSPARENCY MECHANISMS. THE LARGER CHALLENGE, PROTECTING THE RIGHTS OF USERS WHILE ASSURING THEIR SAFETY WILL REQUIRE LAYERED, LOCAL, NATIONAL AND TRANSNATIONAL ENABLING MECHANISMS. WE CANNOT PRETEND TO KNOW THE SOLUTION TO ALL THE CHALLENGES AND OPPORTUNITIES THAT THE INTERNET POSES. WE CAN, HOWEVER, CREATE STRUCTURES THAT WILL ALLOW MULTISTAKEHOLDER COLLABORATIONS TO DISCOVER AND EVALUATE POSSIBLE ANSWERS.
>AMONG THE MECHANISMS THAT SHOULD BE REINFORCED AND SUPPORTED, I WOULD SINGLE OUT THE INTERNET GOVERNANCE FORUM. IT NEEDS FINANCIAL SUPPORT AND A PROPERLY STAFFED SECRETARIAT. IT HAS ILLUMINATED OUR UNDERSTANDING OF THE PROSPECTS AND PROBLEMS ARISING FROM THE GLOBAL GROWTH OF THE INTERNET.
>MOBILE TECHNOLOGY RAPIDLY DROPPING COSTS FOR INTERNET-ENABLING EQUIPMENT AND COMMUNICATIONS, AND BOUNDLESS DEVELOPMENT OF NEW APPLICATIONS HAVE CREATED A RICH PALATE FROM WHICH TO PAINT A BENEFICIAL DIGITAL FUTURE. THE GLOBAL IGF AND ITS REGIONAL AND NATIONAL COUNTERPARTS CAN BECOME AN EVEN MORE HELPFUL MECHANISM FOR HIGHLIGHTING ISSUES BY TRACKING THEIR SOLUTIONS IN A VARIETY OF FORUMS AND ENABLING THE EMERGENCE OF NEW APPROACHES WHEN THESE SEEM NECESSARY.
>WE WOULD HAVE TO BE A PRETTY SILLY SPECIES NOT TO TAKE ADVANTAGE OF THE GIFT THAT THE TECHNOLOGY HAS GIVEN US. THOSE OF US PARTICIPATING IN THE NETmundial -- WELL, I HAVE A VERY INTERESTING PROBLEM HERE, MY SPEECH ENDS BECAUSE THE REST OF IT WASN'T PRINTED OUT.
>[LAUGHTER ]
>SO I WILL END BY THANKING YOU VERY MUCH FOR THE TIME ON THIS STAGE.
>[APPLAUSE ]
>>>TIM BERNERS-LEE: TECHNOLOGY IS PERFECT THEN.
>45 YEARS AGO VINT CERF AND BOB KAHN PUT TOGETHER THE IDEA OF THE INTERNET, DESIGNED THAT, AND MADE THAT OPEN. 25 YEARS AGO -- A LONG TIME LATER, THE INTERNET WAS RUNNING. THERE WAS REMOTE --- . THERE WAS EMAIL RUNNING OVER THE INTERNET. BUT THERE WERE NO WEB, NO WEB SITES, NO WEB PAGES, NO LINKS. I FELT IT WAS REALLY IMPORTANT THERE SHOULD BE SO I INVENTED THE WEB. AND AS THE WORLDWIDE WEB PROJECT GREW, I NEEDED COLLABORATORS. I INVENTED HTML AND HTTP AND URLS BUT THE DEVELOPMENT OF THOSE HAD TO BE DONE BY A LARGE TECHNICAL COMMUNITY. I WENT TO THE INTERNET ENGINEERING TASK FORCE, I FOUNDED THE WORLDWIDE WEB CONSORTIUM THAT ASSESS THE STANDARDS FOR THE WEB AND ITS MOTTO IS TO LEAD THE WEB TO ITS FULL POTENTIAL.
>SO THE COLLABORATION BETWEEN THESE MULTISTAKEHOLDER GROUPS LIKE IETF AND W3C AND ALL THE PEERS THEY WORK WITH LIKE ECMA, TC39 FOR (SAYING NAME) THAT HAS BEEN REALLY CRUCIAL AND IT REALLY HAS BEEN HOW THIS HAS ALL WORKED.
>I HOPE YOU WILL AGREE THAT PEOPLE WORKING TOGETHER HAVE DONE A REASONABLE JOB AND LOOKING BACK AT THE 25 YEARS OF THE WEB, IT HAS BEEN -- IT HAS BEEN AN INCREDIBLE RIDE AND WE REALIZE NOW THAT RATHER THAN BEING A FUN PROJECT LIKE ALL THESE THINGS STARTED OFF WITH, IT NOW BECOMES SOMETHING WE HAVE TO REGARD AS TO BEING CRUCIAL.
>SOME OF THESE ORGANIZATIONS WHICH BELIEVE IN OPEN STANDARDS IN THIS PARTICULAR SORT OF MULTISTAKEHOLDER OPEN ON THE WEB SORT OF MEANING OF THE WORD, DEVISED THE WORD OPEN STAND. YOU CAN GO TO OPENSTAND.ORG TO EXPRESS THE WAY IT SHOULD BE ABOUT WITH OPEN DISCUSSION WITH THE DOCUMENTS BEING FREELY AVAILABLE ON THE WEB. WITH W3C SPECIFICALLY COMPANIES COMMIT THAT WHEN THEY START AND WORK TOWARDS THESE STANDARDS, THAT WHEN THE STANDARDS COME OUT THAT THEY WILL NOT CHARGE ROYALTIES TO ANYBODY WHO WANTS TO IMPLEMENT IT. SO KEEPING IT ROYALTY FREE HAS ALSO BEEN REALLY IMPORTANT.
>THE WEB GREW AS SOMETHING WHICH DID NOT INVOLVE BORDERS BECAUSE IT GREW ON THE INTERNET AND THE INTERNET, WHEN YOU CONNECT -- WHEN I WROTE A PROGRAM TO CONNECT FROM ONE COMPUTER TO THE OTHER, NEITHER PROGRAM HAD AN AWARENESS, NEEDED TO KNOW OR NECESSARILY FOUND IT EASY TO FIND OUT WHICH COUNTRY THOSE TWO COMPUTERS WERE IN. BUT INTERNET WAS TECHNICALLY -- IS A NATIONLESS THING. SO IN A NON-NATIONAL ENVIRONMENT, THE WEB GROWING UP, IT HAS BEEN A NON-NATIONAL SOCIETY WHICH HAS GROWN UP AROUND IT.
>YES, THERE HAS BEEN -- FORMALLY, THERE HAS BEEN A CONNECTION BETWEEN THE U.S. GOVERNMENT AND THE WAY INTERNET NUMBERS AND NAMES HAVE BEEN ASSIGNED. AND I'M VERY GLAD THAT THE U.S. GOVERNMENT HAS ACCEPTED TO RELEASE THAT OVERSIGHT. I THINK THAT IS VERY OVERDUE AND A VERY IMPORTANT STEP.
>IT IS AN IMPORTANT STEP BECAUSE ICANN SHOULD SERVICE -- IT SERVICES THE GLOBAL PUBLIC INTERNET, AND, THEREFORE, IT SHOULD BE A GLOBAL PUBLIC BODY. SO FOR ME, WHAT DOES THAT MEAN? IT IS EASY TO SAY IN THE PUBLIC INTEREST. FOR ME, FOR ICANN, THAT MEANS THAT DECISIONS THAT IT MAKES ABOUT TOP-LEVEL DOMAINS, ABOUT WHATEVER, ABOUT HOW TO SPEND ITS FUNDING, THEY SHOULD BE MADE BY STEPPING BACK AND THINKING, WELL, NEVERMIND THE PEOPLE WE KNOW INTIMATELY WHO ARE INVOLVED IN THAT DECISION BUT LET'S THINK ABOUT THE PLAN AS A WHOLE. WHAT IS BEST FOR HUMANITY AS A WHOLE? THAT SHOULD GUIDE EVERY DECISION THAT ICANN MAKES.
>OBVIOUSLY, ONE OF THE THINGS THAT ICANN DOES IS IT HAS FUNDS TO SPEND AND SO PARTLY IT CAN FURTHER THE WORLD BY SPENDING THOSE IN A BENEFICIAL WAY SUCH AS SUPPORTING -- WELL, SUPPORTING STANDARDIZATION, SUPPORTING HARDENING WEB TECHNOLOGY, SUPPORTING PIECES OF TECHNOLOGY LIKE THAT, THE INTERNATIONALIZATION OF THE TECHNOLOGY, KEEPING IT SO IT WORKS WITH EVERY CULTURE AND LANGUAGE, ACCESSIBILITY FOR PEOPLE WITH DISABILITIES AND, OF COURSE, CLOSING THE DIGITAL DIVIDE FOR REALLY IMPORTANT AGENDAS WHICH ICANN CAN THINK ABOUT SUPPORTING.
>THE INTERNET HAS THRIVED FROM THE EMPOWERMENT OF CAPABLE AND PUBLIC-SPIRITED PEOPLE. INITIALLY, THEY WERE FROM THE TECHNICAL COMMUNITY AND ACADEMIA BUT MORE RECENTLY THE WHOLE PRIVATE SECTOR, CIVIL SOCIETY AND GOVERNMENTS. WE NEED INTERNET GOVERNMENTS WHICH ALLOWS EACH COMMUNITY TO BRING ITS PARTICULAR STRENGTHS TO THE TABLE BUT ALLOWS NONE OF THEM TO ELEVATE ITS OWN INTEREST ABOVE THE PUBLIC GOOD.
>FIVE YEARS AGO, RELATIVELY RECENTLY IN INTERNET TIME, SOME OF US REALIZE THAT ALL THE TECHNICAL WORK WE WERE DOING WAS WONDERFUL BUT IT WAS EVERY SINGLE THING DID WAS INCREASING THE DIGITAL DIVIDE, INCREASING THE GAP BETWEEN THE POWER OF THE PEOPLE WHO HAD THE WEB AND DID NOT HAVE IT. SO AT THAT POINT, WE STARTED THE WORLDWIDE WEB FOUNDATION ABOUT WHICH YOU ALREADY HEARD SOME TO MAKE SURE THAT THE WEB -- WELL, YES, THAT IT GETS TO, FOR EXAMPLE, THE 60% OF THE PEOPLE WHO IN THE WORLD WHO DON'T HAVE IT AT ALL BUT ALSO FOR THE PEOPLE WHO HAVE IT, THAT IT REALLY IS THE WEB THAT WE WOULD WANT, THE WEB HAS NOW BECOME AN ESSENTIAL PUBLIC UTILITY SO WE HAVE TO REGARD IT AS SUCH.
>MUCH OF OUR TRADITIONAL THINKING ABOUT HUMAN RIGHTS APPLIES DIRECTLY TO EVERYTHING ON THE INTERNET SUCH AS FREE EXPRESSION. BUT NEW THINGS BECOMING IMPORTANT IN THE NETWORK CONTEXT, NET NEUTRALITY MEANS KEEPING THE NET FREE FROM DISCRIMINATION, BE IT COMMERCIAL OR POLITICAL.
>THE INNOVATIVE EXPLOSION WHICH HAPPENED ACROSS THE NET OVER THE LAST 25 YEARS HAS HAPPENED ONLY BECAUSE THAT NET HAS BEEN NEUTRAL. THE SOCIAL GROUND-BREAKING SENSE OF POSSIBILITY THAT WE CAN UNDERSTAND EACH OTHER AND POSSIBLY LIVE IN PEACE RELIES ON AN OPEN NET. OH, AND THANKS TO EVERYBODY WHO HAS EVER HELD UP A BANNER IN ANY FORUM ABOUT PUSHING FOR THE OPEN NET AND PUSHING AGAINST LAWS WHICH RESTRICT THE OPEN NET.
>SO THAT SENSE OF EXCITEMENT WHICH WE ALL HAVE GIVES US ALSO A RESPONSIBILITY THAT WE MUST KEEP THE NET NEUTRAL -- THE NET AS A NEUTRAL PLATFORM IN THE FUTURE.
>FREEDOM OF EXPRESSION IS A CRUCIAL RIGHT BUT IT HAS TO BE COUPLED ON THE NETWORK WITH A COMPLIMENTARY RIGHT TO PRIVACY AS, MADAM PRESIDENT, YOU HAVE POINTED OUT BEFORE AND HAVE ALREADY BEEN QUOTED TODAY.
>SO I WON'T QUOTE YOU AGAIN, BUT I WOULD, YES, AGREE THAT THERE ARE A LOT OF PEOPLE THAT ARE WORRIED ABOUT SURVEILLANCE AND FEEL IT IS PERHAPS THE MOST IMMEDIATE THREAT. IT FEELS THE MOST IMMEDIATE THREAT. AND, OF COURSE, SURVEILLANCE ALL AFFECTS THE INTERNET, IT IS ONE OF THE MORE INSIDIOUS ONES BECAUSE YOU DON'T SEE IT HAPPENING UNLIKE CENSORSHIP.
>IT IS GREAT TO BE BACK IN BRAZIL TODAY, NOT JUST BECAUSE BRAZIL IS A WONDERFUL COUNTRY AND ONE WHICH HAS HAD A REALLY VIBRANT SENSE OF WHAT OPPORTUNITY ON THE NET BUT, OF COURSE, ESPECIALLY TODAY IS A SPECIAL DAY. YESTERDAY WAS A VERY SPECIAL DAY, THE MARCO CIVIL GOING THROUGH IS WONDERFUL. A FANTASTIC EXAMPLE OF HOW GOVERNMENTS COMPARE POSITIVE ROLE IN ADVANCING WEB RIGHTS AND KEEPING THE WEB OPEN. YES, EUROPEANS ALSO CELEBRATE, THE EUROPEAN PARLIAMENT PASSING LEGISLATION PROTECTING USERS ON THE WEB. WELL DONE. SO TWO DATA POINTS THAT SUGGEST WE ARE MAKING PROGRESS. THAT IS GREAT, BUT, BOY, WE HAVE GOT A HUGE WAY THE PRINCIPLES OF HUMAN RIGHTS ON THE NET ARE NEW AND THEY'RE NOT UNIVERSALLY ACCEPTED.
>THE WEB BECOMES EVER MORE EXCITING WITH EVERY ADVANCING TECHNOLOGY LIKE MOBILE WEB AND SO ON, BUT 60% OF THE WEB -- OF THE POPULATION CAN'T USE THE WEB AT ALL.
>AS THE WEB GIVES PEOPLE GREATER AND GREATER POWER, INDIVIDUALLY AND COLLECTIVELY, SO MANY FORCES ARE ABUSING OR THREATEN TO ABUSE THE NET AND ITS CITIZENS. THE WEB THAT WE WILL HAVE IN ANOTHER 25 YEARS' TIME IS, BY NO MEANS, CLEAR. BUT IT IS COMPLETELY UP TO US TO DECIDE WHAT WE WANT TO MAKE THAT WEB, WHAT WE WANT TO MAKE THAT WORLD.
>THAT'S WHY I'M ASKING WEB USERS AROUND THE WORLD, NOT JUST PEOPLE HERE IN THIS CONFERENCE ROOM AND THE OTHER CONFERENCE ROOMS WHERE THIS IS BEING RELAYED, NOT JUST PEOPLE IN THIS CONFERENCE BUT PEOPLE ALL OVER THE WORLD, TO GO AND THINK ABOUT WHAT YOU WANT AND TO FIND SOME SORT OF GLOBAL MAGNA CARTA FOR THE INTERNET. THAT IS WHY --
>[APPLAUSE ] >>TIM BERNERS-LEE: THAT IS WHY I'M ASKING COUNTRIES EVERYWHERE TO FOLLOW BRAZIL'S EXAMPLE AND EUROPE'S EXAMPLE AND DEVELOP POSITIVE LAWS THAT PROTECT AND EXPAND THE RIGHTS OF USERS IN AN OPEN, FREE, AND UNIVERSAL WEB.
>[APPLAUSE ]
>>>TIM BERNERS-LEE: THANK YOU.
>[APPLAUSE ] >> LADIES AND GENTLEMEN, THE PRESIDENT OF THE REPUBLIC HAS APPROVED A LAW THAT GUARANTEES THE RIGHTS AND DUTIES FOR THE USE OF INTERNET IN THE WORLD.
>[CHEERS AND APPLAUSE ] >>H.E. DILMA ROUSSEFF: GOOD MORNING TO ONE AND ALL. I WOULD LIKE TO THANK THOSE WHO SPOKE BEFORE ME FOR PERFECTLY PRONOUNCING "GOOD MORNING" IN PORTUGUESE, (NON-ENGLISH WORD OR PHRASE) AS VOICED BY OUR DEAR REPRESENTATIVE FROM AFRICA, NNENNA NWAKANMA.
>THANK YOU VERY MUCH FOR PERFECTLY PRONOUNCING (NON-ENGLISH WORD OR PHRASE) IN BRAZILIAN PORTUGUESE. GOOD MORNING.
>AND BY GREETING HER, I WOULD LIKE TO EXTEND MY GREETINGS TO ALL WOMEN WHO ARE CURRENTLY ACTIVE ON THE WEB. BOTH THE GIRLS AND THE GUYS WHO ARE EQUALLY ACTIVE ON THE WEB.
>GREETINGS, LIKEWISE, TO THE MAYOR OF SAO PAULO WHO HAS SO KINDLY WELCOMED US, AND ABOVE ALL, I WOULD RECYCLE TO, FIRST OF ALL, GREET TWO MEMBERS OF CONGRESS FROM BRAZIL. NAMELY MR. (SAYING NAME) REPRESENTING THE HOUSE OF REPRESENTATIVES WHO SERVED AS RAPPORTEUR OF THE BILL OF LAW WHICH LED UP TO THE PASSING YESTERDAY OF THE INTERNET CIVIL FRAMEWORK, AS WELL AS REPRESENTATIVE -- RATHER SENATOR (SAYING NAME), AND THROUGH HIM, I WOULD LIKE TO FURTHER EXTEND MY GREETINGS, LIKEWISE, TO THE SENATE RAPPORTEURS WHO WERE ABLE TO PASS THE PIECE OF LAW IN A RECORD TIME, SENATOR (SAYING NAME), SENATOR (SAYING NAME), AND SENATOR (SAYING NAME). THANK YOU.
>AND SO SENATOR (SAYING NAME) AND TO REPRESENTATIVE (SAYING NAME), I WOULD LIKE TO VOICE MY THANKS FOR YOUR EFFORTS IN PASSING THE INTERNET CIVIL FRAMEWORK.
>GREETINGS, LIKEWISE, TO THE SECRETARY-GENERAL OF THE UNITED NATIONS, HONG BO. SPECIAL GREETINGS LIKEWISE TO THE INVENTOR OF THE INTERNET, TIM BERNERS-LEE.
>I WOULD LIKE TO GREET THE VICE PRESIDENT OF GOOGLE, AND A KEY PERSON -- RATHER A KEY PERSON IN THE ESTABLISHMENT OF THE INTERNET, MR. CERF.
>GREETINGS, ONCE AGAIN, TO MR. (SAYING NAME) WHO, ON OCTOBER THE 8TH LAST YEAR, 2013 -- CORRECT, FADI, IF I'M NOT MISTAKEN, WE MET IN BRAZIL YEAH AND ON THAT OCCASION DURING THAT MEETING WITH YOU THE SEMINAL IDEA SURFACED OF ESTABLISHING THIS INTERNET GOVERNANCE SUMMIT MEETING THAT IS REALIZED HERE TODAY, SO THANK YOU VERY MUCH AN ALL OF YOU, INCLUDING CABINET MINISTERS AND FOREIGN DELEGATES ATTENDING THIS SESSION TODAY. ---
>MAY I ALSO USE THE OPPORTUNITY ---
>MAY I ALSO USE THE OPPORTUNITY TO GREET ALL CABINET MINISTERS WHO HAVE BEEN ACTIVELY INVOLVED IN THE PROCESS THAT LED UP TO THE PASSING OF THE INTERNET GOVERNANCE CIVIL FRAMEWORK, AN EFFORT WHICH OF COURSE INVOLVED ALL STAKEHOLDERS AND SOCIETY.
>SPECIAL THANKS TO MINISTER OF FOREIGN AFFAIRS, AMBASSADOR (SAYING NAME), MINISTER OF JUSTICE CARDOZO, ALSO MINISTER OF COMMUNICATIONS, MINISTER OF SCIENCE AND TECHNOLOGY, (SAYING NAME), AND MAY I ALSO GREET AND THANK SENATOR AND MINISTER OF CULTURE (SAYING NAME) AS WELL AS THE BRAZILIAN SECRETARY-GENERAL OF THE PRESIDENT'S OFFICE, (SAYING NAME). GREETINGS LIKEWISE TO ALL ATTENDEES, PARTICULARLY THE MEDIA PROFESSIONALS, JOURNALISTS, PHOTOGRAPHERS, AND CAMERAMEN AND WOMEN.
>MAY I SAY THAT YOU ARE ALL MOST WELCOME TO BRAZIL.
>AS ATTENDEES TO THIS GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF INTERNET GOVERNANCE, THE SO-CALLED NETmundial AS WE CALL IT IN PORTUGUESE.
>AT THIS POINT IN TIME I WOULD ALSO LIKE TO VOICE MY GREETINGS TO THE ORGANIZERS, I.E., THE INTERNET MANAGEMENT OR MANAGING COMMITTEE AS WELL AS THE 1net COMMITTEE. IT GIVES ME GREAT JOY TO SEE IN THIS PLENARY HALL REPRESENTATIVES OF ALL DIFFERENT SECTORS WHO -- OR WHICH ARE IN ONE WAY INVOLVED IN THE INTERNET GOVERNANCE.
>IN THIS HALL TODAY, WE HAVE CIVIL SOCIETY, ACADEMIA, MEMBERS OF THE TECHNICAL COMMUNITY, BUSINESSES, AND GOVERNMENTS AT LARGE.
>THIS HEALTHY DIVERSITY -- AND I STRESS IT IS A HEALTHY DIVERSITY -- IS ALSO A HALLMARK OF THOSE GROUPS THAT HAVE JOINED US THROUGH THE INTERNET AND THIS MEETING, AND I WOULD LIKE TO USE THE OPPORTUNITY TODAY TO ESTABLISH A DIALOGUE ON THE ISSUES AND THE PURPOSES THAT BRING US TOGETHER IN SAO PAULO TODAY.
>BACK IN MID-2013 WHEN THE REVELATION SURFACED ON THE COMPREHENSIVE MECHANISMS FOR COLLECTIVE MONITORING OF COMMUNICATIONS CAUSED ANGER AND REPUDIATION IN VAST CIRCLES OF PUBLIC OPINION BOTH IN BRAZIL AND IN THE WORLD AT LARGE, IN BRAZIL CITIZENS, COMPANIES, DIPLOMATIC REPRESENTATIONS AND EVEN THE PRESIDENCY OF THE REPUBLIC ITSELF WERE TARGETED, AND THEIR COMMUNICATIONS INTERCEPTED.
>THESE EVENTS ARE NOT ACCEPTABLE. WERE NOT ACCEPTABLE IN THE PAST AND REMAIN UNACCEPTABLE TODAY, IN THAT THEY ARE AN AFFRONTMENT AGAINST THE VERY NATURE OF THE INTERNET AS A DEMOCRATIC, FREE, AND PLURALISTIC PLATFORM.
>THE INTERNET WE WANT IS ONLY POSSIBLE IN A SCENARIO WHERE HUMAN RIGHTS ARE RESPECTED. PARTICULARLY THE RIGHT TO PRIVACY AND TO ONE'S FREEDOM OF EXPRESSION.
>ACCORDINGLY, IN MY ADDRESS TO THE 68TH GENERAL ASSEMBLY OF THE UNITED NATIONS, I PUT FORTH A PROPOSAL TO TACKLE SUCH PRACTICES. I THEN PROPOSED A DISCUSSION ON ESTABLISHING A GLOBAL CIVIL FRAMEWORK FOR INTERNET GOVERNANCE AND USE, AS WELL AS MEASURES TO ENSURE ACTUAL PROTECTION OF DATA THAT TRAVELS THROUGH THE INTERNET.
>ALSO, WORKING TOGETHER WITH GERMAN CHANCELLOR ANGELA MERKEL WE SUBMITTED TO THE UNITED NATIONS A DRAFT RESOLUTION ON THE RIGHT TO PRIVACY IN THE DIGITAL AGE.
>BY CONSENSUS, THE RESOLUTION WAS PASSED AS PROPOSED AND WE ALSO PASSED A CALL FOR STATES TO DISCONTINUE ANY ARBITRARY OR ILLEGAL COLLECTION OF PERSONAL DATA AND TO ENFORCE USERS' RIGHTS TO PRIVACY.
>I SHOULD ACTUALLY STRESS THE FACT THAT THE SAME RIGHTS THAT PEOPLE ARE ENTITLED TO OFFLINE OR IN THE OFFLINE WORLD SHOULD BE LIKEWISE PROTECTED ON THE ONLINE WORLD.
>THIS MEETING TODAY, NETMUNDIAL, PROVIDES FURTHER MOMENTUM TO THAT EFFORT. THIS MEETING ALSO LIVES UP TO A GLOBAL YEARNING AS WE PROPOSE CHANGES IN THE CURRENT STATE OF AFFAIRS AND FOR AN ONGOING CONSISTENT STRENGTHENING OF FREEDOM OF EXPRESSION ON THE INTERNET AS WELL AS EFFORTS TO ULTIMATELY PROTECT BASIC HUMAN RIGHTS, AS IS THE CASE OF ONE'S RIGHT TO PRIVACY. AND WITHOUT THE SHADOW OF A DOUBT, THAT IS ALSO THE CASE OF ONE'S RIGHT TO PROPER TREATMENT OF WEB-BASED DISCUSSIONS IN A RESPECTFUL FASHION, TO ENSURE ITS OPEN, DEMOCRATIC NATURE. WE HAVE ALL TO SAO PAULO, THEREFORE, WITH A SHARED PURPOSE, THE PURPOSE OF ENHANCING AND DEMOCRATIZING INTERNET GOVERNANCE BY MEANS OF CONSENSUS BUILDING. AND I MEAN CONSENSUS AROUND PRINCIPLES, AND ON A ROADMAP TO BE DEVELOPED FOR ITS FUTURE EVOLUTION.
>A POINT I'D LIKE TO MAKE PLAIN AND CLEAR IS THAT THE IDEA HERE IS NOT, OF COURSE, TO REPLACE FOR THE COUNTLESS FORA OUT THERE THAT ALREADY ADDRESS THE TOPIC OR THE MATTER AT HAND TODAY. THE IDEA, RATHER, IS TO LEND A NEW MOMENTUM TO THE ONGOING DISCUSSIONS IN A MUCH NEEDED SENSE OF URGENCY.
>WE, THEREFORE, WORK FROM TWO PREMISES OR KEY ASSUMPTIONS.
>THE FIRST SUCH PREMISE IS THAT WE ALL WANT TO PROTECT THE INTERNET AS A SPACE, AVAILABLE TO ALL, AS A SHARED ASSET, AND AS SUCH, TRULY HERITAGE OF HUMANKIND, MORE THAN SIMPLY A WORK TOOL AND WAY BEYOND ITS WELL-KNOWN CONTRIBUTION FOR ECONOMIC GROWTH, PROVIDED, OF COURSE, THAT IT BE INCREASINGLY INCLUSIVE AND THE FACT IS THAT THE INTERNET HAS ENABLED THE CONSTANT REINVENTION OF THE WAY PEOPLE AND INSTITUTIONS INTERACT, PRODUCE CULTURE, AND ORGANIZE THEMSELVES, EVEN POLITICALLY.
>AN OPEN AND DECENT NETWORK ARCHITECTURE FAVORS GREATER ACCESS TO KNOWLEDGE. IT HELPS MAKE COMMUNICATIONS MORE DEMOCRATIC AND ALSO FOSTERS CONSTANT INNOVATION. THESE BASIC FEATURES ARE THE FEATURES THAT WE WANT AND THAT SHOULD BE PRESERVED UNDER ANY CIRCUMSTANCES, AND IN ANY SCENARIO, IN ORDER TO ULTIMATELY GUARANTEE THE FUTURE OF THE INTERNET AND, THUS, BOOST ITS TRANSFORMATIVE EFFECTS FOR AND IN SOCIETIES.
>THE SECOND PREMISE OR ASSUMPTION IS THE DESIRE WE ALL SHARE TO INCORPORATE AN INCREASINGLY BROADER AUDIENCE INTO THIS PROCESS.
>OUR COMMITMENT TO AN OPEN AND INCLUSIVE DEBATE HAS GUIDED THE EFFORTS TO ORGANIZE THIS MEETING IN SAO PAULO TODAY. ALL DIFFERENT WALKS OF LIFE HAVE TAKEN PART IN ITS PREPARATION AND ARE DULY REPRESENTED IN THIS PLANE HALL TODAY.
>WE ARE TALKING ABOUT THOUSANDS OF PARTICIPANTS FROM ALL OVER THE WORLD WHO ARE JOINED BY VIRTUAL CONNECTIONS IN SEVERAL DIFFERENT POINTS OF THE PLANET.
>THE TOPICS TO BE DISCUSSED HAVE BEEN THE SUBJECT OF BROAD AND PRIOR INTERNATIONAL PUBLIC CONSULTATION AND HAVE RECEIVED INPUTS FROM PLAYERS OR STAKEHOLDERS LOCATED IN SEVERAL DIFFERENT COUNTRIES AND IN DIFFERENT GEOGRAPHIES.
>THESE PROPOSALS IN TURN, OR INPUTS, HAVE SERVED AS THE FOUNDATION TO DEVELOP A DRAFT DOCUMENT, THE DRAFT DOCUMENT TO BE DISCUSSED AND FURTHER ENHANCED HERE IN THE NEXT FEW DAYS.
>I WOULD LIKE TO WELCOME THE WORK CONDUCTED BY THE EXECUTIVE METRIC SECTORAL COMMUNITY AS WELL AS THE HIGH-LEVEL MULTISTAKEHOLDER COMMITTEE FOR THIS JOINT EFFORT.
>THE INTEREST OF BRAZILIANS IN THE INTERNET IS REFLECTED ON THE SUBSTANTIAL PARTICIPATION OF BRAZILIAN NATIONALS IN THE DOMESTIC PUBLIC CAPTION AS FACILITATED BY THE.BR PORTAL. AT THIS TIME, CIVIL SOCIETY IS ORGANIZED IN THIS FORUM, THE SO-CALLED NETmundial ARENA, WHICH IS THE BRAZILIAN LOCUS FOR ACCESS TO TODAY'S SESSIONS.
>MAY I REMIND ALL THE LADIES AND GENTLEMEN AND FRIENDS ATTENDING THIS SESSION THAT BRAZIL ADVOCATES THAT INTERNET GOVERNANCE SHOULD BE MULTISTAKEHOLDER, MULTILATERAL, DEMOCRATIC, AND TRANSPARENT IN NATURE.
>IT IS OUR VIEW THAT THE MULTISTAKEHOLDER MODEL IS THE BEST WAY TO EXERCISE INTERNET GOVERNANCE.
>VERY MUCH IN ACCORDANCE WITH THAT VIEW, OUR LOCAL GOVERNANCE SYSTEM WHICH HAS BEEN IN OPERATION FOR 20 YEARS HAS RELIED ON ACTUAL PARTICIPATION OF REPRESENTATIVES FROM CIVIL SOCIETY, MEMBERS OF ACADEMIA, THE BUSINESS COMMUNITY, AND THE GOVERNMENT AT LARGE AT THE INTERNET GOVERNANCE -- OR AT THE INTERNET MANAGEMENT COMMITTEE.
>FULLY IN LINE WITH WHAT I JUST SAID, I ALSO ATTACH A GREAT DEAL OF IMPORTANCE TO THE MULTILATERAL PERSPECTIVE, ACCORDING TO WHICH GOVERNMENT PARTICIPATION SHOULD OCCUR ON AN EQUAL FOOTING AMONG GOVERNMENTS IN SUCH A WAY AS TO ENSURE THAT NO COUNTRY WILL HAVE OR BEAR GREATER WEIGHT VIS-A-VIS OTHER COUNTRIES.
>[APPLAUSE ] >>H.E. DILMA ROUSSEFF: OUR ADVOCACY OF THE MULTILATERAL MODEL IS THE NATIONAL CONSEQUENCE OF AN ELEMENTARY PRINCIPLE THAT SHOULD GOVERN TODAY'S INTERNATIONAL RELATIONS AS ENSHRINED IN THE BRAZILIAN FEDERAL CONSTITUTION. I'M TALKING ABOUT EQUALITY AMONG STATES.
>WE, THEREFORE, SEE NO OPPOSITION WHATSOEVER BETWEEN MULTI- -- OR THE MULTILATERAL AND THE MULTISTAKEHOLDER NATURE OF THE INTERNET. ACTUALLY, THE OPPOSITE OF THAT WOULD BE A ONE-SIDED UNILATERAL INTERNET WHICH IS UNTENABLE.
>AN INTERNET THAT IS ULTIMATELY SUBJECT TO INTERGOVERNMENTAL ARRANGEMENTS THAT EXCLUDE OTHER SECTORS OF SOCIETY IS NOT DEMOCRATIC.
>MULTISTAKEHOLDER ARRANGEMENTS THAT ARE IN TURN SUBJECT TO OVERSIGHT BY ONE OR FEW STATES ARE NOT ACCEPTABLE EITHER.
>WE TRULY WANT TO MAKE RELATIONS BETWEEN GOVERNMENTS AND SOCIETIES MORE DEMOCRATIC, AS WELL AS THE RELATIONS AMONG GOVERNMENTS. WE WANT MORE, NOT LESS, DEMOCRACY.
>THE TASK OF PROVIDING A GLOBAL DONATION TO THE ORGANIZATIONS THAT ARE CURRENTLY RESPONSIBLE FOR CENTRAL FUNCTIONS OF THE INTERNET IS NOT ONLY NECESSARY, BUT ALSO AN UN-POSTPONABLE TASK.
>THE COMPLEXITY OF THE TRANSITION AT HAND, WHICH ON THE ONE HAND INVOLVES JURISDICTIONAL COMPETENCE, AS WELL AS ACCOUNTABILITY AND AN AGREEMENT WITH MULTIPLE STAKEHOLDERS, DOES NOT, NEVERTHELESS, MAKE IT LESS URGENT A TASK.
>THAT IS WHY I'D LIKE TO AGAIN WELCOME THE RECENTLY VOICED INTENTION OF THE UNITED STATES GOVERNMENT TO REPLACE ITS INSTITUTIONAL LINKAGE WITH THE AUTHORITY FOR -- OR WITH THE INTERNET AUTHORITY FOR NUMBER ASSIGNMENT, IANA, AND THE INTERNET CORPORATION FOR NAMES AND NUMBER ASSIGNMENTS, ICANN, BY A GLOBAL MANAGEMENT OF THESE INSTITUTIONS FROM NOW ONWARDS, A NEW INSTRUMENTAL AND LEGAL ARRANGEMENT OF THE ISDN UNDER THE RESPONSIBILITY OF IANA AND ICANN SHOULD BE BUILT IN SUCH A WAY AS TO INCLUDE BROAD-RANGING INVOLVEMENT OF ALL SECTORS THAT HAVE AN INTEREST IN THE MATTER WAY BEYOND THE TRADITIONAL STAKEHOLDERS OR PLAYERS.
>EACH SECTOR, OF COURSE, PERFORMS DIFFERENT ROLES BASED ON LIKEWISE DIFFERENTIATED RESPONSIBILITIES.
>THE OPERATIONAL MANAGEMENT OF THE INTERNET SHOULD CONTINUE BEING LED BY ITS TECHNICAL COMMUNITY. MAY I, AT THIS POINT, VOICE MY PUBLIC RECOGNITION -- AND THIS IS ON BEHALF OF MY GOVERNMENT -- TO THESE PEOPLE WHO DEVOTE THEIR TIME AND ENERGY ON A DAY-TO-DAY BASIS TO KEEPING THE INTERNET AS AN OPEN, STABLE, AND SECURE PLATFORM, A KEY EFFORT WHICH REMAINS LARGELY INVISIBLE IN THE EYES OF MOST OF US END USERS.
>MATTERS PERTAINING TO SOVEREIGNTY SUCH AS CYBERCRIME, BREACH OF RIGHTS, ECONOMIC ISSUES OR TRANSNATIONAL ECONOMIC ISSUES, AND THREATS OF CYBER-ATTACKS ARE THE PRIMARY RESPONSIBILITY OF STATES.
>THE TASK AT HAND IS, ABOVE ALL, TO ENSURE THAT STATES WILL HAVE AT THEIR AVAIL THE TOOLS THAT WILL ALLOW THEM TO FULFILL THEIR RESPONSIBILITIES BEFORE THEIR CITIZENS, TO INCLUDE THE GUARANTEE OF FUNDAMENTAL RIGHTS. RIGHTS WHICH ARE ENSURED OFFLINE SHOULD BE EQUALLY INSURED ONLINE.
>THESE RIGHTS THRIVE UNDER THE SHELTER AND NOT IN THE ABSENCE OF THE STATE.
>IN ORDER FOR THE GLOBAL INTERNET GOVERNANCE TO BE TRULY DEMOCRATIC, MECHANISMS ARE REQUIRED TO ENABLE GREATER PARTICIPATION OF DEVELOPING COUNTRIES IN ALL DIFFERENT SECTORS.
>THE MATTERS THAT ARE IN THE INTEREST OF THESE COUNTRIES THAT ARE THE HEAVY-DUTY USERS OF THE INTERNET, TOPICS SUCH AS, FOR EXAMPLE, EXPANDING CONNECTIVITY, ACCESSIBILITY, AND THE RESPECT TO DIVERSITY, SHOULD BE CENTRAL ON THE INTERNATIONAL AGENDA.
>IT IS NOT ENOUGH FOR FORA TO BE OPEN FROM A PURELY FORMAL STANDPOINT. WE MUST FURTHER IDENTIFY AND REMOVE THE VISIBLE AND INVISIBLE BARRIERS TO ACTUAL PARTICIPATION OF THE ENTIRE POPULATION OF EVERY COUNTRY OR ELSE WE WOULD BE ULTIMATELY RESTRICTING OR LIMITING THE DEMOCRATIC ROLE AND THE SOCIAL AND CULTURAL REACH OF THE INTERNET.
>THE EFFORT AT HAND FURTHER REQUIRES THAT THE INTERNET GOVERNANCE FORUM BE FURTHER STRENGTHENED AS A DIALOGUE FORUM CAPABLE OF PRODUCING RESULTS AND RECOMMENDATIONS.
>IT ALSO REQUIRES A COMPREHENSIVE, BROAD-RANGING REVIEW OF THE 10 YEARS FOLLOWING THE SUMMIT -- WORLD SUMMIT MEETING OF INFORMATION SOCIETY AS WELL AS A DEEPER DISCUSSION ON ETHICS AND PRIVACY AT THE UNESCO LEVEL.
>GIVEN THE ABOVE, MAY I SAY THAT WE ARE STRONG BELIEVERS THAT THE CYBER-SPACE -- AND I'M SURE THAT BELIEF IS SHARED BY ALL OF US -- THE CYBER-SPACE SHOULD BE THE TERRITORY OF TRUST, HUMAN RIGHTS, CITIZENSHIP, COLLABORATION, AND PEACE.
>TO ACHIEVE THESE OBJECTIVES, WE MUST AGREE ON BASIC PRINCIPLES THAT WILL ULTIMATELY GUIDE INTERNET GOVERNANCE.
>AS REGARDS PRIVACY, THE RESOLUTION PASSED BY THE UNITED NATIONS ORGANIZATION WAS AN IMPORTANT STEP IN THE RIGHT DIRECTION, BUT WE MUST -- BUT WE STILL HAVE MUCH PROGRESS TO MAKE.
>ANY DATA COLLECTION OR TREATMENT SHOULD ONLY BE CARRIED OUT WITH FULL AGREEMENT OF THE PARTIES INVOLVED OR AS LEGALLY PROVIDED FOR.
>HOWEVER, THE DISCUSSION ON PRINCIPLES IS MUCH MORE COMPREHENSIVE. IT SHOULD -- AND I STRESS IT SHOULD -- INCLUDE UNIVERSAL INTERNET ACCESS, WHICH IS ABSOLUTELY KEY FOR THE WEB TO SERVE AS A TOOL FOR HUMAN AND SOCIAL DEVELOPMENT SO AS TO ULTIMATELY HELP BUILD INCLUSIVE, NONDISCRIMINATORY SOCIETIES.
>IT SHOULD ALSO INCLUDE FREEDOM OF EXPRESSION AND NET NEUTRALITY AS AN SINE BRAZIL HAS ITS CONTRIBUTIONS TO MAKE FOLLOWING A BROAD RANGING DISCUSSION, DOMESTIC PROCESS THAT HAS ULTIMATELY LED TO THE PASSING OF THE INTERNET CIVIL FRAMEWORK ACT AS PASSED YESTERDAY BY CONGRESS IN WHICH I HAD THE HONOR OF SANCTIONING JUST A FEW MINUTES AGO. THE LAW -- AND I MAY QUOTE TIM BERNERS-LEE WHO QUOTED THE LAW AS A PRESIDENT TO THE WEB ON THE OCCASION OF THE 20th -- OR 25th ANNIVERSARY AS SUCH THE LAW CLEARLY SHOWS THE FEASIBILITY AND SUCCESS OF OPEN MULTISECTORIAL DISCUSSIONS AS WELL AS THE INNOVATIVE USE OF THE INTERNET AS PART OF ONGOING DISCUSSIONS AS A TOOL AND A INTERACTIVE DISCUSSION PLATFORM.
>I THINK IT IS FAIR TO SAY THAT THE PROCESS THAT LED UP TO THE CIVIL FRAMEWORK ACT CAN BE DESCRIBED AS A VIRTUOUS PROCESS IN THAT OUR CIVIL FRAMEWORK, AS IT CURRENTLY STANDS, HAS BEEN EVEN FURTHER APPRECIATED GIVEN THE PROCESS THAT PRECEDED THE EFFORTS TO ESTABLISH IT AS SUCH.
>MAY I, THEREFORE, CALL TO MIND THAT OUR CIVIL FRAMEWORK ESTABLISHES PRINCIPLES, GUARANTEES AND USER RIGHTS, CLEARLY ASSIGNING DUTIES AND RESPONSIBILITIES OF THE DIFFERENT STAKEHOLDERS AND GOVERNMENT AGENCIES ON AN ONLINE ENVIRONMENT. AND EQUALLY IMPORTANT, IT ENSHRINES NETWORK NEUTRALITY AS A KEY PRINCIPLE, A MAJOR GAIN WHICH WE WERE ABLE TO MATERIALIZE AS A CONSENSUS IN THE PROCESS.
>IT ENSHRINES NETWORK NEUTRALITY BY ESTABLISHING THE TELECOMMUNICATIONS COMPANY SHOULD TREAT ANY DATA PACKAGES ON IN A --- FASHION WITH ACCOUNT TO AGENT, DESTINATION, SERVICE, TERMINAL OR APPLICATION. THE LAW OR FRAMEWORK AS HAS TRULY ENSHRINED NETWORK NEUTRALITY. FURTHERMORE, COMPANIES MAY NOT BLOCK, MONITOR, FILTER OR ANALYZE THE CONTENT OF DATA PACKAGES.
>THE CIVIL FRAMEWORK PROTECTS CITIZENS' PRIVACY IN THE ONLY IN THE RELATION WITH THE GOVERNMENTS BUT ALSO WITH RELATION WITH THE INTERNET COMPANIES. COMMUNICATIONS ARE, BY DEFINITION, NON-VIABLE EXCEPT BY A SPECIFIC COURT ORDER TO THAT EFFECT. THE RECENTLY PASSED LAW FURTHER CONTAINS CLEAR RULES GOVERNING WITHDRAWAL OF CONTENT FROM THE INTERNET. ALWAYS, OF COURSE, WITH A VIEW TO ENSURING THAT THE APPLICABLE COURT ORDERS BE AVAILABLE.
>THE CIVIL NETWORK IS AN EXAMPLE OF THE FACT THAT THE INTERNET DEVELOPMENT CANNOT DO IT WITHOUT A DISCUSSION PROCESS AND THE INVOLVEMENT OF NATIONAL STATES. AS SUCH, IT STANDS AS AN INNOVATIVE BENCHMARK MILESTONES BECAUSE IN ITS DEVELOPMENT PROCESS, WE HEARD THE VOICES OF THE STREETS, THE NETWORKS AND OF DIFFERENT INSTITUTIONS.
>FOR ALL OF THE ABOVE, IT IS OUR FIRM CONVICTION THAT ON A NETWORK, EACH NODE MATTERS. THE LARGE NODES SUCH AS THE MEGA PORTALS TO WHICH A SUBSTANTIAL AMOUNT OF WORLD TRAFFIC CONVERGES AND SMALL NODES ARE EQUALLY IMPORTANT.
>AT THIS TIME, I WOULD LIKE TO BRING TO THE FORE A KEY FUNDAMENTAL ISSUE AND TALK ABOUT THE FACT THAT THIS COUNTRY HAS TAKEN A MAJOR STEP FORWARD AS PART OF THE ONGOING PROCESS WHEREBY WE NOT ONLY INCLUDE BUT ALSO GUARANTEE A STEADY STREAM OF INCOME TO A SUBSTANTIAL SHARE OF THE POPULATION.
>INCOME AND ACCESS ARE EQUALLY IMPORTANT. WE BELIEVE THAT IT IS EQUALLY IMPORTANT TO ENSURE WE HAVE PLACE IN SOCIETY WHERE CITIZENS HAVE THEIR OWN VIEWS AND THEY ARE ABLE TO VOICE THEIR VIEWS FREELY. HENCE, THE INVALUABLE DEGREE OF IMPORTANCE WE ATTACH TO THE INTERNET IN OUR SOCIETY.
>WE ALSO HAVE YET ANOTHER MAJOR ASSET. I'M TALKING ABOUT BRAZIL'S ETHNIC CULTURAL, POLITICAL AND RELIGIOUS DIVERSITY. IT IS OURS TO NOT ONLY RESPECT BUT ALSO PROMOTE AND FOSTER OUR CULTURAL DIVERSITY. WE DO NOT WISH TO IMPOSE BELIEFS, CUSTOMS, VALUES OR POLITICAL VIEWS ON ANYONE.
>MAY I PARTICULARLY HIGHLIGHT THE THOUSANDS OF USERS THAT MULTIPLY ON A DAY-TO-DAY BASIS NOT ONLY HERE BUT IN ALL THE DEVELOPING COUNTRIES IN THE OUTSKIRTS OF LARGE URBAN AREAS AND ALSO IN TRADITIONAL COMMUNITIES OUT THERE. ALL OF THESE NEW USERS ENRICH THE NETWORK WITH NEW ALTERNATIVE IDEAS AND ACCOUNTS OF THE WORLD, NEW WORLD VISIONS. THESE PEOPLE MAKE THE INTERNET A STRONGER AND MORE UNIVERSAL PLATFORM.
>AND IT IS ON THEIR BEHALF AND BECAUSE OF THEM, THAT I WOULD LIKE TO AGAIN VOICE MY THANKS TO ALL OF YOU FOR ATTENDING THIS MEETING IN SAO PAULO. FOR US, THE INTERNET IS A MODERN-DAY PRO EMANCIPATION, PRO TRANSFORMATION TOOL THAT CHANGES SOCIETY. SWEEPING CHANGES ARE INTRODUCED THROUGH THE INTERNET. YOU ARE ALL MOST WELCOME. AND I HOPE YOU WILL ALL COME BACK FOR THE WORLD CUP OF ALL CUPS. IF NOT, MAKE SURE YOU WATCH IT THROUGH THE INTERNET. THANK YOU VERY MUCH AGAIN.
>[APPLAUSE ]
>>> LADIES AND GENTLEMEN, WE THANK YOU FOR THE PRESENCE OF YOU ALL. WE CLOSE NOW THIS CEREMONY.
>
>
>
>

Surveillance was mentioned by a few brave souls. Two peaceful, silent - and rather effective - protests broke out during the opening speeches; one, against the data retention clause in Brazil's otherwise path-breaking and brand-new law for civil rights on the Internet, Marco Civil, and another for honouring US NSA whistleblower Edward Snowden and urging action against surveillance. Sadly for Brazilian civil society, the Marco Civil protestations went unheard, and Rousseff signed the bill into law in full.

There were lots of speeches. Lots. If you missed them, here's a handy visualisation you can use to catch up quickly: just add some prepositions and conjunctions, and you'll have a perfectly anodyne and universally acceptable bureaucrat/politician keynote address.

The afternoon was given over to assimilating previously received comments on the outcome document and adding new ones from people in the room. Much contention, much continuity, lots of hard work, lots of nitpicking (some of it even useful) and lots of ambiguity; after more consultation - the slog goes on until tomorrow afternoon - the outcome document will be laid to rest. Lunch was excellent: there's a reason the Grand Hyatt São Paulo costs as much as it does.

Our quest to plumb the depths of multi-stakeholderism continued: we thank the kind folks who gave us their time and allowed us to record them.

Q: What does "multi-stakeholder" mean? What is "multi-stakeholderism"?

Multi-stakeholderism to me is the ability to engage with every stakeholder and have them in the room, and have them understand that it is not an equal opportunity for all. I also understand that civil society and academia will never be at the same place as business, which has far more resources, or governments, which have the sovereign right to make laws, or even the technical community, which is often missing from the policy dialogue. There are three things which are important to me: (1) Will I be able to make interventions not just in the dialogue but in the decision making process? For me, that is key. (2) Do I have recourse in a process which might be multilateral or inter-governmental - do I have recourse when international treaties are  ratified or signed, because they become binding national laws? and (3) What is it that happens to dissent in a process that is not multi-stakeholder? I think even the ITU (the International Telecommunications Union) has taken cognizance of multi-stakeholderism. So it's not new, but it's also not old or accepted, which is why we contest it. We will never have equal stakeholders. And who gets to represent the stakeholder communities? I don't think power imbalances get resolved, and I think it's a deeply flawed process. It's not perfect. But what worries me is the alternative. So give me a better alternative.
Subi Chaturvedi, Media for Change/ Lady Shriram College  (India)

Simply put, multi means many components, and stakeholders are people who have the stakes. So multi-stakeholder means many people who are informed to take the process forward. The process is still on: it's evolving. The idea is that everyone who has an interest should bring it forward, and the dialogue must be balanced. Proof of concept is important - it's not about taking a dogmatic position but a scientific position. Business is concerned about the justification around return on investment.
Jimson Olufuye, Africa ICT Alliance (Nigeria)

Everyone who has a stake in the use and operation of the Internet should have a stake in the way it is managed. I think we shouldn't be considering this as a power game - it's not winner takes all. Decision making should be as much as possible consensual, where no one has a veto power.
Getachew Engida, Deputy Director-General, UNESCO (France)

It is very simple. I think people are complicating matters. It's not a power game. The Internet is fundamentally a global network of interconnected computers. People have become not only consumers of information but providers of information, so the stakes in the media/ICT world are massive. Unprecedented. Therefore, around major issues confronting the Internet, decision making should be as participatory as possible.
Indrajit Banerjee, Director, UNESCO (France)

---

Additional Links

• Watch Brazilian President Dilma Rousseff's speech at the opening of NETmundial
• Follow Swedish foreign minister Carl Bildt on Twitter

Marco Civil, on which we blogged previously, includes provisions for the protection of privacy and freedom of expression of all users, rules mandating net neutrality, etc. Brazil celebrated the beginning of NETmundial, a momentous first day about which Achal Prabhala blogs, with President Rousseff’s approval of the Marco Civil.

At about the same time, news broke that the US Federal Communications Commission is set to propose new net neutrality rules. In the wake of the Verizon net neutrality decision in January, the proposed new rules will prohibit Internet service providers such as Comcast from slowing down or blocking traffic to certain websites, but permit fast lane traffic for content providers who are willing to pay for it. This fast lane would prioritise traffic from content providers like Netflix and Youtube on commercially reasonable terms, and result in availability of video and other content at higher speeds or quality. An interesting turn-around, as Marco Civil expressly mandates net neutrality for all traffic.

Created by Sumandro using Google Charts. Google Terms of Use and Data Policy. Data compiled by Sumandro and Jyoti. Download the data.

This scatter plot shows the number of times the word *multistakeholder* (including *multi-stakeholder* and *multistakeholderism*) appears across contributions submitted to NETmundial. X axis (horizontal) gives the serial number of contributions and Y axis (vertical) gives the number of times the word appears on a contribution. Click on the types of organisation below the chart to highlight the corresponding organisations on the chart.

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Panday, and with data entry suport from Chandrasekhar.

Built on Bootstrap by Sumandro

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

For all the talk of an inclusive global meeting, there was exactly one governmental submission from the African continent, and it was from Tunisia; and the overall rate of submissions from Africa and West Asia were generally very low.

The outcome document perfectly reflects the gloss that the "multi-stakeholder" model was designed to achieve: an outcome that is celebrated by businesses (and by all embedded institutions like ICANN) for being harmless, met with relief by governments for not upsetting the status quo, all of it lit up in the holy glow of "consensus" from civil society.

Of course there was no consensus. Civil society groups who organised on Day 0 put up their position: the shocking omission of a strong case for net neutrality, ambiguous language on surveillance, weak defences of free expression and privacy. All valid points. But it's striking that civil society takes such a pliant position towards authority: other than exactly two spirited protests (one against the data retention in Marco Civil, and the other against the NSA's mass surveillance program) there was no confrontation, no provocation, no passionate action that would give civil society the force it needs to win. If we were to compare this to other international struggles, the gay rights battle, or its successor, the AIDS medicines movement, for instance - what a difference there is. People fought to crush with powerful, forceful action. Only after huge victories with public and media sympathy, and only after turning themselves into equals of the corporations and governments they were fighting, did they allow themselves to sit down at the table and negotiate nicely. Internet governance fora are marked by politeness and passivity, and perhaps - however sad - it's no wonder that the least powerful groups in these fora always come away disappointed.

It's also surprising that there is no language in the outcome document that explicitly addresses the censorious threat posed by the global expansion of a sovereign application of copyright, as seen most vividly in the proposed SOPA/PIPA legislation in the United States. The outcome document has language that seems to more or less reflect the civil society proposal, and it's possible that a generous interpretation of the language could mean that it opposes the selective, restrictive and damaging application of what the intellectual property industries want to accomplish on the Internet. But it's puzzling that the language isn't stronger or more explicit, and even more puzzling that civil society doesn't seem to want to fight for such language.

This seems like an appropriate time to end the multi-stakeholder diaries. Hasn't the word been used enough? Here is one last instalment. We thank the kind folks who gave us their time.

Q: What does "multi-stakeholder" mean? What is "multi-stakeholderism"?

A large part of the discourse prior to the NETmundial conference has been centered around the issue of what is the best structural system to regulate a global network – this has commonly been portrayed as a choice between a multistakeholder system – which broadly speaking, aims to place ‘all stakeholders’ on equal footing – against multilateralism – a recognized concept in International law / the Comity of Nation States, where a nation state is recognized as the representative of its citizens, making decisions on their behalf and in their interests.

In our opinion, the issue is not about the dichotomy between multilateralism and multistakeholderism; it is about what functions or issues can legitimately be dealt with through each of the processes in terms of adequately protecting civil liberties and other public interest principles – including the appropriate enforcement of norms. For instance, how do you deal with something like cyber warfare without the consent of states? Similarly, how do we address regulatory issues such as determining (and possibly subsidizing) costs of access, or indeed to protect a right of a country against unilateral disconnection?

.....The crux of the matter rests in deciding which is the best governance ‘basket’ to include a particular issue within – taken from both a substantive and enforcement perspective. The challenge is trying to demarcate issues to ensure that each is dealt with effectively by placing it in an appropriate bucket. (The full post can be accessed here).
Rishab Bailey from the Society for Knowledge Commons (India)

If I would have signed the campaign http://wepromise.eu as a candidate to the European Parliament I would have made it an election promise to defend "the principle of multistakeholderism".

That means that I "support free, open, bottom-up, and multi-stakeholder models of coordinating the Internet resources and standards - names, numbers, addresses etc" and that I "support measures which seek to ensure the capacity of representative civil society to participate in multi-stakeholder forums." Further, I "oppose any attempts by corporate, governmental or intergovernmental agencies to take control of Internet governance."

My very rudimentary personal view is basically that it's a bad idea to institutionalise conflicting competences.
Erik Josefsson, Adviser on Internet policies for the Greens/EFA group in the European Parliament

---

And so it ends.

To sum up the previous post: under Article 12 of the Constitution, fundamental rights can be enforced only against the State, or State-like entities that are under the functional, financial and administrative control of the State. In the context of net neutrality, it is clear that privately-owned ISPs do not meet the exacting standards of Article 12. Nonetheless, we also found that the Indian Supreme Court has held private entities, which do not fall within the contours of Article 12, to an effectively similar standard of obligations under Part III as State organizations in certain cases. Most prominent among these is the case of education: private educational institutions have been required to adhere to standards of equal treatment which are identical in content to Article 14, even though their source lies elsewhere. If, therefore, we are to impose obligations of net neutrality upon private ISPs, a similar argument must be found.

I will suggest that the best hope is by invoking the free speech guarantee of Article 19(1)(a). To understand how an obligation of free speech might operate in this case, let us turn to the case of Marsh v. Alabama, an American Supreme Court case from 1946.

Marsh v. Alabama involved a “company town”. The “town” of Chickasaw was owned by a private company, the Gulf Shipbuilding Corporation. In its structure it resembled a regular township: it had building, streets, a sewage system, and a “business block”, where stores and business places had been rented out to merchants and other service providers. The residents of the “town” used the business block as their shopping center, to get to which they used the company-owned pavement and street. Highway traffic regularly came in through the town, and its facilities were used by wayfarers. As the Court noted:

“In short the town and its shopping district are accessible to and freely used by the public in general and there is nothing to distinguish them from any other town and shopping center except the fact that the title to the property belongs to a private corporation.”

Marsh, who was a Jehovah’s Witness, arrived in Chickasaw with the intention of distributing religious literature on the streets. She was asked to leave the sidewalk, and on declining, she was arrested by the police, and charged under an anti-trespassing statute. She argued that if the statute was applied to her, it would violate her free speech and freedom of religion rights under the American First Amendment. The lower Courts rejected her argument, holding that since the street was owned by a private corporation, she had no constitutional free speech rights, and the situation was analogous to being invited into a person’s  private house. The Supreme Court, however, reversed the lower Courts, and found for Marsh.

Four (connected) strands of reasoning run through the Supreme Court’s (brief) opinion. First, it found that streets, sidewalks and public places have historically been critically important sites for dissemination and reception of news, information and opinions, whether it is through distribution of literature, street-corner oratory, or whatever else. Secondly, it found that private ownership did not carry with it a right to exclusive dominion. Rather, “the owners of privately held bridges, ferries, turnpikes and railroads may not operate them as freely as a farmer does his farm. Since these facilities are built and operated primarily to benefit the public and since their operation is essentially a public function, it is subject to state regulation.” Thirdly, it noted that a large number of Americans throughout the United States lived in company towns, and acted just as other American citizens did, in their duties as residents of a community. It would therefore be perverse to deny them rights enjoyed by those who lived in State-municipality run towns. And fourthly, on balance, it held that the private rights of property-owners was subordinate to the right of the people to “enjoy freedom of press and religion.”

No one factor, then, but a combination of factors underlie the Court’s decision to impose constitutional obligations upon a private party. It mattered that, historically, there have been a number of spaces traditionally dedicated to public speech: parks, squares and streets – whose public character remained unchanged despite the nature of ownership. It mattered that individuals had no feasible exit option – that is, no other place they could go to in order to exercise their free speech rights. And it mattered that free speech occupied a significant enough place in the Constitutional scheme so as to override the exclusionary rights that normally tend to go with private property.

The case of the privately-owned street in the privately-owned town presents a striking analogy when we start thinking seriously about net neutrality. First of all, in the digital age, the traditional sites of public discourse – parks, town squares, streets – have been replaced by their digital equivalents. The lonely orator standing on the soap-box in the street corner now tweets his opinions and instagrams his photographs. The street-pamphleteer of yesteryear now updates his Facebook status to reflect his political opinions. Specialty and general-interest blogs constitute a multiplicity of town-squares where a speaker makes his point, and his hearers gather in the comments section to discuss and debate the issue. While these examples may seem frivolous at first blush, the basic point is a serious one: the role of opinion formation and transmission that once served by open, publicly accessible physical infrastructure, held – in a manner of speaking – in public trust by the government, is now served in the digital world, under the control of private gatekeepers. To that extent, it is a public function, undertaken in public interest, as the Court held in Marsh v. Alabama.

The absence of an exit option is equally important. The internet has become not only a space of exchanging information, but it has become a primary – non-replaceable source – of the same. Like the citizens of Chickasaw lacked a feasible alternative space to exercise their public free speech rights (and we operate on the assumption that it would be unreasonably expensive and disruptive for them to move to a different town), there is now no feasible alternative space to the internet, as it exists today, where the main online spaces are owned by private parties, and access to those spaces is determined by gatekeepers – which are the ISPs.

The analogy is not perfect, of course, but there is a case to be made that in acting as the gatekeepers of the internet, privately-owned ISPs are in a position quite similar to the corporate owners of they public streets Company Town.

In the last post, we saw how it is possible – constitutionally – to impose public obligations upon private parties, although the Court has never made its jurisprudential foundation clear. Here, then, is a thought: public obligations ought to be imposed when the private entity is providing a public function and/or when the private entity is in effectively exclusive control of a public good. There is an argument that ISPs satisfy both conditions. Of course, we need to examine in detail how precisely the rights of free expression are implicated in the ISP context. That is the subject for the next post.

---

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and presently an LLM student at the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he will be blogging on issues of online freedom of speech and expression.

It is within this realm of the social transaction that there exists an unending conflict between the Right to Privacy of an individual and the overbearing hand of the State as a facilitator of public interest. This right thus acts as a safety valve providing individuals with a sacred space within which their interactions in their personal capacity have no bearing on their conduct in the public sphere. The preservation of this space is incredibly important in order to ensure a willingness of individuals to engage and cooperate with the State in its fulfillment of public welfare measures that would otherwise be deemed as intrusive. It is in this regard that the Right to Privacy, one of the last sustaining rights that an individual holds against a larger State interest, ought to be protected by the law.

There are numerous dimensions to the idea of the Right to Privacy. These include but are not limited to the privacy of person, privacy of communication, personal privacy, transactional privacy, privacy of information and the privacy of personal data.

The Supreme Court of India has come to the rescue of individuals, time and again by construing "Right to Privacy" as an extension of the Fundamental Right to “Protection of Life and Personal liberty” under Article 21 of the Constitution. This has been reflected in the adjudicatory jurisprudence of the Constitutional courts in the country. However, there exists no Constitutional remedy to redress the breach of privacy by a nongovernmental actor, except under tortuous liability. The power and authority of public and private institutions to use an individual’s personal data for larger interests of national security or effectuation of socio-economic policies is still under extensive scrutiny. It is in this regard that we have compiled a number of sectoral legislations, regulating domains ranging from Finance and Telecom to Healthcare, Freedom of Expression, Consumer rights and Procedural codes. The highlighted provisions under each Act pertain to the mechanisms embodied within the legislation for the regulation of privacy within their respective sectors. Through this we aim to determine the threshold for permissible collection of confidential data and regulatory surveillance, provided a sufficient need for the same has been established. The determination of such a threshold is imperative to formulating a consistent and effective regime of privacy protection in India.

---

Click to download the below resources:

Legislations
Master Circulars
Finance and Privacy
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

Case Laws
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

The article was published in the Hoot on April 15, 2014.

---

Privacy evades definition and for this reason sits uneasily with law. The multiplicity of everyday privacy claims and transgressions by ordinary people, and the diversity of situations in which these occur, confuse any attempt to create a common meaning of privacy to inform law. Instead, privacy is negotiated contextually, and the circumstances that permit a privacy claim in one situation might form the basis for its transgression in another.

It is easy to understand privacy when it is claimed in relation to the body; it is beyond argument that every person has a right to privacy in relation to their bodies, especially intimate areas. It is also accepted that homes and private property secure to their owners a high degree of territorial privacy. But what of privacy from intrusive stares, or even from camera surveillance, when in a public place? Or of biometric privacy to protect against surreptitious fingerprint capturing or DNA collection from the things we touch and the places we visit every day? Or the privacy of a conversation in a restaurant from other patrons? Clearly, there are multiple meanings of privacy that are negotiated by individuals all the time.

Law has, where social custom has demanded, clothed some aspects of human activity with an expectation of privacy. In relation to bodily privacy, this is achieved by both ordinary common law without reference to privacy at all, such as the offences of battery and rape; and, by special criminal law that is premised on an expectation of privacy, such as the discredited offences regarding women’s modesty in sections 354 and 509 of the Indian Penal Code, 1860 (IPC), and the new offences of voyeurism and stalking contained in sections 354C and 354D of the IPC.

The law also privileges communications that are made through telephones, letters, and emails by regulating the manner of their interception in special circumstances. Conditional interception provisions with procedural safeguards – which, for several reasons, are flawed and ineffective – exist to protect the privacy of such communications in section 5(2) of the Indian Telegraph Act, 1885, section 26 of the Indian Post Office Act, 1898, and section 69 of the Information Technology Act, 2000.

Territorial privacy, which is afforded by possession of private property, is ordinarily protected by the broad offence of trespass – in India, these are the offences of criminal trespass, house trespass, and lurking house-trespass contained in sections 441 to 443 of the IPC – and house-breaking, which is akin to the offence of breaking and entering in other jurisdictions, in section 445 of the IPC.

Some measure of protection is provided to biometric information, such as fingerprints and DNA, by limiting their lawful collection by the state: sections 53, 53A, and 54 of the Code of Criminal Procedure, 1973 permit collections of biometric information from arrestees in certain circumstances; this is in addition to a colonial-era collection regime created by the Identification of Prisoners Act, 1920. However, nothing expressly prohibits the police or anybody else from non-consensually developing DNA profiles from human material that is routinely left behind by our bodies, for instance, saliva on restaurant cutlery or hair at the barbershop.

Physical surveillance, by which a person is visually monitored to invade locational privacy, is also inadequately regulated. Besides man-on-woman stalking, which was criminalised only one year ago, no effective measures exist to otherwise protect locational privacy. Indian courts regularly employ their injunctive power but have been loath to issue equitable remedies such as restraining orders to secure privacy. Police surveillance, which is usually covert, is an executive function that is practised with wide latitude under every state police statute and government-issued rules and regulations thereunder with little or no oversight. The risk of misuse of these powers is compounded by the increasingly widespread use of surveillance cameras sans regulation.

Other technologies too compromise privacy: GPS-enabled mobile phones offer precise locational information, presumably consensually; cell-tower tracking, almost always non-consensually, is ordered by Indian police without any procedurally built-in safeguards; radio frequency identification to locate vehicles is sought to be made mandatory; and, satellite-based surveillance is available to intelligence agencies, none of which are registered or regulated unlike in other liberal democracies.

No uniform privacy standard in law

None of these laws applies a uniform privacy standard nor are they measured against a commonly understood meaning of privacy. The lack of a statutory definition is not the issue; the lack of a statute that expresses the legislative will of a democracy to forge a common understanding of privacy to inform all kinds of human activity is the concern. Ironically, the impetus to draft a privacy law has come from abroad. Foreign senders of personal information – credit card data, home addresses, phone numbers, and the like – to India’s information technology and outsourcing industry demand institutionalised protection for their privacy.

Pressure from the European Union, which has the world’s strongest information privacy standards and with which India is currently negotiating a free trade agreement, to enact a data protection regime to address privacy has not gone unanswered. The Indian government – specifically, the Department of Personnel and Training, the same department that administers the Right to Information Act, 2005 – is currently drafting a privacy law to govern data protection and surveillance. At stake is the continued growth of India’s information technology and outsourcing sectors that receive significant amounts of European personal data for processing, which drives national exports and gross domestic product.

An inferred right

For its part, the Supreme Court has examined more than a few privacy claims to find, intermittently and unconvincingly, that there is a constitutional right to privacy, but the contours of this right remain vague. In 1962, the Supreme Court rejected the existence of a privacy right in Kharak Singh’s case which dealt with intrusive physical surveillance by the police.

The court was not unanimous; the majority of judges expressly rejected the notion of locational privacy while declaring that privacy was not a constituent of personal liberty, a lone dissenting judge found the opposite to be true and, furthermore, held that surveillance had a chilling effect on freedom. In 1975, in the Gobind case that presented substantially similar facts, the Supreme Court leaned towards, but held short of, recognising a right to privacy. It did find that privacy flowed from personal autonomy, which bears the influence of American jurisprudence, but subjected it to the interests of government; the latter prevailed.

However, in the PUCL case of 1997 that challenged inadequately regulated wiretaps, the Supreme Court declared that phone conversations were protected by a fundamental right to privacy that flowed from Article 21 of the Indian Constitution. To intrude upon this right, the court said, a law was necessary that is just, fair, and reasonable. If this principle were to be extended beyond communications privacy to, say, identity cards, the Aadhar project, which is being implemented without the sanction of an Act of Parliament, would be judicially stopped.

But what does “law” mean? Is it only the law of our Constitution and courts? What of the law that governed Indian societies before European colonisation brought the word ‘privacy’ to our legal system? Classical Hindu law – distinct from colonial and post-independence Hindu law – also recognises and enforces expectations of privacy in different contexts. It recognised the sanctity of the home and family, the autonomy of the community, and prescribed penalties for those who breached these norms. So, too, does Islamic law: all schools of Islamic jurisprudence – ‘fiqh’ – recognise privacy as an enforceable right.

Different words and concepts are used to secure this right, and these words have meanings and connotations of their own. But, the hermeneutics of privacy notwithstanding, this belies the common view that privacy is not an Indian value. Privacy may or may not be a cultural norm, but it has existed in India and South Asia in different forms for millennia.

---

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

---

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368