In the year 2012 Lokniti, a Non Governmental Organization filed a public interest litigation in the Supreme Court of India asking the government to establish a DNA database in respect of unidentified dead bodies as well as for those individuals for whom missing persons reports have been filed so that DNA of unidentified dead bodies can be matched against missing persons - arguing that the right to be identified is a part of the right to dignity, and that such systems have been adopted across the globe. The case has come up a few times since 2012 and parties have been given time to file their replies in these instances. Prior to the 2012 Public Interest Litigation filed by Lokniti, in 2009 a Public Interest Litigation was filed by a Haryana based doctor. The PIL petitioned for the DNA profiling of unidentified bodies to be made mandatory - arguing that thousands of individuals die with their identity being unknown. During the hearing the Bench asked a number of questions including why the Ministry of Health was not brought into the case, given the fact that a number of labs that conduct DNA profiling function under the ministry.

While the case is still pending, the Supreme Court on 22^nd September 2014 gave another interim order which was a little more detailed. On this date the Ministry of Science and Technology of the Government of India, through the Department of Biotechnology stated that they are piloting a DNA profiling Bill that would establish a DNA Profiling Board and a National DNA Data Bank. The National DNA Data Bank is envisaged to maintain the following indices for various categories of data:

I. a crime scene index;

II. a suspects' index;

III. an offenders' index;

IV. a missing persons' index;

V. unknown deceased persons' index

VI. a volunteers' index; and

VII. such other DNA indices as may be specified by regulations made by the Board.

One of the Ministry's plans under this Bill is to create DNA profiles of individuals whose relatives have gone missing, on a voluntary basis to help the relatives identify missing persons and unidentified dead bodies. They also stated that cross-matching of DNA profiling data in the database would require specialized software and the CDFB, Hyderabad is in the process of acquiring the same from the Federal Bureau of investigation, USA.

The advocate for Lokniti responded to this saying that the DNA profiling Bill has been pending for a long time and has not seen the light of day for the last seven years. To this the response of the government was that it was a complex Bill involving a number of issues which take a long time to resolve.

At this point the Supreme Court, without going into the details of the Bill asked the advocate for the Union of India to obtain instructions regarding the following two aspects:

(1) Whether pending the Bill coming into force the concerned Department can constitute a Data Bank in respect of dead persons who are not identifiable; and

(2) when there are missing reports in respect of persons to collect the DNA from the permissible sources like siblings or others so that in case any unidentified dead body is found to match the DNA to arrive at the conclusion about the missing persons who are dead; or as an ancillary the missing person who is a victim of the crime of kidnapping or where any child, who is not able to find out his parents, can be in a position to find out through the DNA.

Thus it seems that the Supreme Court, recognizing its limitations in directing the legislature to pass a law and the fact that the passing of the DNA profiling Bill may take a long time to become law, has tried to find a way out in which the concerns of the petitioner regarding a DNA Databank for missing persons and unidentified dead bodies could be addressed without the passage of the DNA profiling Bill. However since the case is still pending in the Supreme Court no final directions have been given in this regard. Thus, the Court has left the government with the responsibility to address the question of whether a DNA Databank can be established without the passing of a legislation providing legal basis for the collection, profiling, databasing, and use of DNA samples.

Pranlal N. Soni v. State of Gujarat, C/SCA/14389/2014

In the year 2013 the media widely reported that a female civil services officer was regularly spied upon in 2009 due to her acquaintance with the then Chief Minister of Gujarat (and current Prime Minister of India) Mr. Narendra Modi. It was reported that the surveillance was being supervised by the current president of the BJP, Mr. Amit Shah at the behest of Mr. Modi. The case took another twist when the officer and her father said that they had no problems with such surveillance, and had repeatedly conveyed to various statutory authorities including the National Commission for Women, the State Commission for Women, as also before the Hon’ble Supreme Court of India, that they never felt that their privacy was being interfered with by any of the actions of the State Authorities. Infact, para 3.5 of the petition indicated that it was at the behest of the father of the female officer that the State government had carried out the surveillance on his daughter as a security measure.

Inspite of the repeated claims of the subject of surveillance and her father, the Gujarat Government passed a Notification under the Commissions of Inquiry Act, 1952 appointing a two member Commission of Inquiry to enquire into this incident without jeopardizing the identity or interest of the female officer. This Notification was challenged in the Gujarat High Court by the very same female officer and her father on the ground that it violated their fundamental right to life and liberty. The petitioners claimed that they had to change their residential accommodation four times in the preceding few months due to the constant media glare. The print, electronic and social media, so called social workers and other busybodies constantly intruded into the private life of the petitioners and their family members. The petitioner's email accounts were hacked and scores of indecent calls were received from all over. Under the guise of protecting the petitioner's privacy, every action undertaken by the so called custodians for and on behalf of the petitioners resulted into a breach of privacy of the petitioners, making life impossible for them on a day to day basis.

After hearing the arguments of the petitioners, including arguments on technical points the Court struck down the Notification issued by the State government to enquire into the issue of the alleged illegal surveillance. However the Court also briefly touched upon the issue of violation of the privacy of the female officer in this whole episode. However, instead of enquiring into whether there was any breach of privacy in the facts of the case, the Court relied upon the statement made by the female officer that whatever surveillance was done did not cause any invasion into her privacy, rather it was the unwelcome media glare that followed the revelations regarding the surveillance which had caused an invasion of her privacy.

Thus we see that even though the whole snoopgate episode started out as one of “alleged” unwarranted and illegal surveillance this particular judgment is limited only to challenging the validity of the Inquiry Commission appointed by the State Government. In order to challenge the Notification in a PIL the female officer had to show that some fundamental right of hers was violated and in such circumstances privacy is the most obvious fundamental right which was violated.

Although this judgment talks about privacy, it does not have enough legal analysis of the right to privacy to have any significant ramifications for how privacy is interpreted in the Indian context. The only issue that could possibly be of some importance is that the we could interpret the Court’s reliance on the statement of the female officer that there was no breach of privacy rather than its own examination of facts to mean that in cases of breach of privacy, if the person whose privacy has been breached did not feel his or her privacy to have been invaded then the Courts would rely on the person’s statements rather than the facts. However this is only an interpretation from the facts and it does not seem that the Court has spent any significant amount of time to examine this issue, therefore it may not be prudent to consider this as establishing any legal principle.

Note: The details of the case as well as the judgment can be found at http://gujarathc-casestatus.nic.in/gujarathc/tabhome.jsp

At the 2014 Plenipotentiary Conference (‘PP-14’ or ‘Plenipot’) of the International Telecommunications Union (ITU), India has tabled a draft proposal on “ITU’s Role in Realising Secure Information Society” [Document 98, dated 20 October 2014] (“Draft Resolution”). India’s proposal has incited a great deal of concern and discussion among Plenipot attendees, governments and civil society alike. Before offering my concerns and comments on the Draft Resolution, let us understand the proposal.

Our Draft Resolution identifies 3 security concerns with exchange of information and resource allocation on the Internet:

• First, it is troubling for India that present network architecture has “security weaknesses” such as “camouflaging the identity of the originator of the communication”;[1] random IP address distribution also makes “tracing of communication difficult”;[2]
• Second, India is concerned that under the present allocation system of naming, numbering and addressing resources on the Internet, it is impossible or at the very least, cumbersome to identify the countries to which IP address are allocated;[3]
• Third, India finds it insecure from the point of view of national security that traffic originating and terminating in the same country (domestic traffic) often routes through networks overseas;[4] similarly, local address resolution also routes through IP addresses outside the country or region, which India finds troubling.[5]

In an effort to address these concerns, the Draft Resolution seeks to instruct the ITU Secretary General:

• First, to develop and recommend a ‘traffic routing plan’ that can “effectively ensure the traceability of communication”;[6]
• Second, to collaborate with relevant international and intergovernmental organisations to develop an “IP address plan” which facilitates identification of locations/countries to which IP addresses are allocated and coordinates allocation accordingly;[7]
• Third, to develop and recommend “a public telecom network architecture” that localizes both routing[8] as well as address resolution[9] for local/domestic traffic to “within the country”.

Admittedly, our Draft Resolution is intended to pave a way for “systematic, fair and equitable allocation” of, inter alia, naming, numbering and addressing resources,[10] keeping in mind security and human rights concerns.[11] In an informal conversation, members of the Indian delegation echoed these sentiments. Our resolution does not, I was told, raise issues about the “concentration of control over Internet resources”, though “certain governments” have historically exercised more control. It also does not, he clarified, wish to make privacy or human rights a matter for discussion at the ITU. All that the Draft Resolution seeks to do is to equip the ITU with the mandate to prepare and recommend a “roadmap for the systematization” of allocation of naming, numbering and addressing resources, and for local routing of domestic traffic and address resolution. The framework for such mandate is that of security, given the ITU’s role in ‘building confidence and security in the use of ICTs’ under Action Line C5 of the Geneva Plan of Action, 2003.

Unfortunately, the text of our Draft Resolution, by dint of imprecision or lack of clarity, undermines India’s intentions. On three issues of utmost importance to the Internet, the Draft Resolution has unintended or unanticipated impacts. First, its text on tracing communication and identity of originators, and systematic allocation of identifiable IP address blocks to particular countries, has impacts on privacy and freedom of expression. Given Edward Snowden’s NSA files and the absence of adequate protections against government incursions or excesses into privacy,[12] either in international human rights law or domestic law, such text is troublesome. Second, it has the potential to undermine multi-stakeholder approaches to Internet governance by proposing text that refers almost exclusively to sovereign monopolies over Internet resource allocation, and finally, displays a certain disregard for network architecture and efficiency, and to principles of a free, open and unified Internet, when it seeks to develop global architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing.

In this post, I will address the first concern of human rights implications of our Draft Resolution.

Unintended Implications for Privacy and Freedom of Expression:

India’s Draft Resolution has implications for individual privacy. At two different parts of the preamble, India expresses concerns with the impossibility of locating the user at the end of an IP address:

• Pream. §(e): “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”;
• Pream. §(h): “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

The concerns here surround difficulties in tracking IP addresses due to the widespread use of NATs, as also the existence of IP anonymisers like Tor. Anonymisers like Tor permit individuals to cover their online tracks; they conceal user location and Internet activity from persons or governments conducting network surveillance or traffic analysis. For this reason, Tor has caused much discomfort to governments. Snowden used Tor while communicating with Laura Poitras. Bradley (now Chelsea) Manning of Wikileaks fame is reported to have used Tor (page 24). Crypto is increasingly the safest – perhaps the only safe – avenue for political dissidents across the world; even Internet companies were coerced into governmental compliance. No wonder, then, that governments are doing all they can to dismantle IP anonymisers: the NSA and GCHQ have tried to break Tor; the Russian government has offered a reward to anyone who can.

Far be it from me to defend Tor blindly. There are reports suggesting that Tor is being used by offenders, and not merely those of the Snowden variety. But governments must recognize the very obvious trust deficit they face, especially after Snowden’s revelations, and consider the implications of seeking traceability and identity/geolocation for every IP address, in a systematic manner. The implications are for privacy, a right guaranteed by Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Privacy has been recognized by the UN General Assembly as applicable in cases of surveillance, interception and data collection, in Pream. §4 of its resolution The Right to Privacy in the Digital Age. But many states do not have robust privacy protections for individuals and data. And while governments may state the necessity to create international policy to further effective criminal investigations, such an aim cannot be used to nullify or destroy the rights of privacy and free speech guaranteed to individuals. Article 5(1), ICCPR, codifies this principle, when it states that States, groups or persons may not “engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms recognized herein…”.

Erosion of privacy has a chilling effect on free speech [New York Times v. Sullivan, 376 U.S. 254], so free speech suffers too. Particularly with regard to Tor and identification of IP address location and users, anonymity in Internet communications is at issue. At the moment, most states already have anonymity-restrictions, in the form of identification and registration for cybercafés, SIM cards and broadband connections. For instance, Rule 4 of India’s Information Technology (Guidelines for Cyber Cafe) Rules, 2011, mandates that we cannot not use computers in a cybercafé without establishing our identities. But our ITU Draft Resolution seeks to dismantle the ability of Internet users to operate anonymously, be they political dissidents, criminals or those merely acting on their expectations of privacy. Such dismantling would be both violative of international human rights law, as well as dangerous for freedom of expression and privacy in principle. Anonymity is integral to democratic discourse, held the US Supreme Court in McIntyre v. Ohio Elections Commission [514 U.S. 334 (1995)].[13] Restrictions on Internet anonymity facilitate communications surveillance and have a chilling effect on the free expression of opinions and ideas, wrote Mr. Frank La Rue, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (¶¶ 48-49).

So a law or international policy for blanket identification and traceability of IP addresses has grave consequences for and prima facie violates privacy, anonymity and freedom of speech. But these rights are not absolute, and can be validly restricted. And because these human rights are implicated, the ITU with its lack of expertise in the area may not be the adequate forum for discussion or study.

To be valid and justified interference, any law, policy or order interfering with privacy and free speech must meet the standards of reasonableness and proportionality, even if national security were the government’s legitimate aim, laid down in Articles 19(3) and 17 of the Covenant on Civil and Political Rights (CCPR) [Toonen v. Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994), ¶6.4]. And as the European Court of Human Rights found in Weber & Saravia v. Germany [Application no. 54934/00, 29 June 2006 (ECHR), ¶95], law or executive procedure that enables surveillance without sufficient safeguards is prima facie unreasonable and disproportionate. Re: anonymity, in Delfi AS v. Estonia [Application no. 64569/09, 17 February 2014, ¶83], while considering the liability of an Internet portal for offensive anonymous comments, the ECHR has emphasized the importance of balancing freedom of expression and privacy. It relied on certain principles such as “contribution to a debate of general interest, subject of the report, the content, form and consequences of the publication” to test the validity of government’s restrictions.

The implications of the suggested text of India’s Draft Resolution should then be carefully thought out. And this is a good thing. For one must wonder why governments need perfect traceability, geolocation and user identification for all IP addresses. Is such a demand really different from mass or blanket surveillance, in scale and government tracking ability? Would this not tilt the balance of power strongly in favour of governments against individuals (citizens or non-citizens)? This fear must especially arise in the absence of domestic legal protections, both in human rights, and criminal law and procedure. For instance, India’s Information Technology Act, 2000 (amended in 2008) has Section 66A, which criminalizes offensive speech, as well as speech that causes annoyance or inconvenience. Arguably, arrests under Section 66A have been arbitrary, and traceability may give rise to a host of new worries.

In any event, IP addresses and users can be discerned under existing domestic law frameworks. Regional Internet Registries (RIR) such as APNIC allocate blocks of IP addresses to either National Internet Registries (NIR – such as IRINN for India) or to ISPs directly. The ISPs then allocate IP addresses dynamically to users like you and me. Identifying information for these ISPs is maintained in the form of WHOIS records and registries with RIRs or NIRs, and this information is public. ISPs of most countries require identifying information from users before Internet connection is given, i.e., IP addresses allocated (mostly by dynamic allocation, for that is more efficient). ISPs of some states are also regulated; in India, for instance, ISPs require a licence to operate and offer services.

If any government wished, on the basis of some reasonable cause, to identify a particular IP address or its user, then the government could first utilize WHOIS to obtain information about the ISP. Then ISPs may be ordered to release specific IP address locations and user information under executive or judicial order. There are also technical solutions, such as traceroute or IP look-up that assist in tracing or identifying IP addresses. Coders, governments and law enforcement must surely be aware of better technology than I.

If we take into account this possibility of geolocation of IP addresses, then the Draft Resolution’s motivation to ‘systematize’ IP address allocations on the basis of states is unclear. I will discuss the implication of this proposal, and that of traffic and address localization, in my next post.

[1] Pream. §(e), Draft Resolution: “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”.

[2] Pream. §(h), Draft Resolution: “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

[3] Op. §1, Draft Resolution: “instructs the Secretary General… to collaborate with all stakeholders including International and intergovernmental organizations, involved in IP addresses management to develop an IP address plan from which IP addresses of different countries are easily discernible and coordinate to ensure distribution of IP addresses accordingly”.

[4] Pream. §(g), Draft Resolution: “recognizing… that communication traffic originating and terminating in a country also many times flows outside the boundary of a country making such communication costly and to some extent insecure from national security point of view”.

[5] Pream. §(f), Draft Resolution: “recognizing… that even for local address resolution at times, system has to use resources outside the country which makes such address resolution costly and to some extent insecure from national security perspective”.

[6] Op. §6, Draft Resolution: “instructs the Secretary General… to develop and recommend a routing plan of traffic for optimizing the network resources that could effectively ensure the traceability of communication”.

[7] Op. §1, Draft Resolution; see note 3.

[8] Op. §5, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures that effectively the traffic meant for the country, traffic originating and terminating in the country remains within the country”.

[9] Op. §4, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures effectively that address resolution for the traffic meant for the country, traffic originating and terminating in the country/region takes place within the country”.

[10] Context Note to Draft Resolution, ¶3: “Planning and distribution of numbering and naming resources in a systematic, equitable, fair and just manner amongst the Member States…”

[11] Context Note to Draft Resolution, ¶2: “…there are certain areas that require critical attention to move in the direction of building the necessary “Trust Framework” for the safe “Information Society”, where privacy, safety are ensured”.

[12] See, for instance, Report of the Office of the High Commission for Human Rights (“OHCHR”), Right to Privacy in the Digital Age, A/HRC/27/37 (30 June 2014), ¶34-35, http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf. See esp. note 30 of the Report, ¶35.

[13] Many thorny political differences exist between the US and many states (including India and Kenya, who I am told has expressed preliminary support for the Draft Resolution) with regard to Internet governance. Irrespective of this, the US Constitution’s First Amendment and judicial protections to freedom of expression remain a yardstick for many states, including India. India, for instance, has positively referred to the US Supreme Court’s free speech protections in many of its decisions; ex. see Kharak Singh v. State of Uttar Pradesh, 1963 Cri. L.J. 329; R. Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264.

Disclaimer and update (2 November 2014): India's Draft Resolution was discussed during the meeting of the Ad Hoc Working Group on Internet-related Resolutions at the ITU Plenipot on the evening of November 1, 2014 (KST). After the discussion, India revised the text of the resolution, seeking to address concerns raised by ITU member states. The revised resolution may be found here. However, this blog post was written with reference to the original text of India's Draft Resolution.

***

As I mentioned in my last post, India’s Draft Resolution on ‘ITU’s Role in Realising Secure Information Society’ raises security and equity concerns. The Draft Resolution has 3 security concerns: (i) security weaknesses in the network architecture that permit “camouflaging the identity of the originator of the communication” and make “tracing of communication difficult”; (ii) non-systematic, non-contiguous allocation of naming, numbering and addressing resources on the Internet, which makes it difficult to identify both the users and what states the IP addresses are located in; (iii) non-local routing and address resolution relating to traffic originating and terminating in the same country. Op. §§1, 3-7 seek to address these. It also identifies the present system of allocation of naming, numbering and addressing resources as inequitable, unfair, unjust and undemocratic (Op. §2 of the Draft Resolution offers a solution). I discussed some human rights implications of India’s Draft Resolution in my last post.

In this post, I explore the implications of the Draft Resolution for Internet governance and multi-stakeholder approaches (most notably, an equal footing model).[1] Given the uncertainties around defining multi-stakeholderism for Internet governance, this is rather ambitious. So I will try to point to concerns with certain textual interpretations of the Draft Resolution, map that against the positions India’s representatives have taken on Internet governance in the past, and the motivations/concerns that underlie the tabling of the Draft Resolution. This Resolution may not be the best way to allay India's concerns, for there are technical and rights implications. But the concerns it raises are worth discussion and knowledge, and at forums where concerns are heard, acknowledged and discussed collectively. The text of the Draft Resolution and its attendant implications are not, then, the sole subjects of this post.

The Draft Resolution and Internet governance:

The text of the Draft Resolution is problematic. Many of its clauses may be seen as taking positions against multi-stakeholder approaches to Internet governance. Introducing such a resolution at the ITU may itself bring back memories of the controversies surrounding Resolution 3 of the World Conference on International Telecommunications (WCIT), 2012.[2] In 3 ways, the text of the Draft Resolution has indications for multi-stakeholder approaches.

First, the Draft Resolution frames issues primarily from the perspective security. In its preamble, the Draft Resolution makes several references to security threats posed by and on the Internet. For instance, it points to the ability of the network to “camouflage the identity of the originator of the communication” (Pream. §(e) [recognizing]), as well as national security concerns in the present-day system of routing Internet traffic through multiple countries (Pream. §§(f) and (g), [recognizing]). The apparent difficulty in tracing IP addresses, due to their random allocation, is another concern (Pream. §(h), [recognizing]). Among the “significant public policy issues” identified in telecom/ICT management, “security and safety of the Telecom/ICTs” is specifically noted (Pream. §(i) [considering]). In the Context note to the Draft Resolution and in several places in the Preamble, there are references to ITU Resolution 130 (‘Strengthening the role of ITU in building confidence and security in the use of information and communication technologies’) and ITU’s Cyber-security Agenda. Given the (legitimate or otherwise) disproportionate involvement of governments and not other stakeholders in matters of cyber-security, the framing of issues from a security perspective may lend itself to worries for multi-stakeholderism. Specifically, the Draft Resolution notes: “ensuring security of ICT networks is sovereign right of Member States” (Pream. §(b) [recognizing]).

Second, the Draft Resolution emphasizes the sovereign right of states to regulate and control telecom/ICT. It says, for instance, “it is the sovereign right of each state to regulate its telecommunication” (Pream. §(b) [considering]). With regard to the Internet, the Context note to the Draft Resolution (page 1) considers the Internet to be synonymous with telecom/ICTs: “the Telecom/ICTs, which in common lexicon is used interchangeably many times as Internet…”. Public telecom networks managed by telecom service providers, interconnected with other networks, are necessary for  “proper functioning of a telecom network resources namely, among others, naming, numbering and addressing” (Pream. §(k) [considering]). It is worth noting that the sovereign authority of states over Internet public policy issues is settled text from §35 of the Tunis Agenda, though expressing it as synonymous with telecom may lead to possibilities of licensing and registration, which Bulgaria, for instance, does not do.

Third, the Draft Resolution identifies issues of equity and fairness in the allocation of Internet resources such as naming, numbering and addressing (Pream. §(g) [consdering], Op. §2). It states that to correct this inequity, “facilitation and collaboration among international, inter-governmental organizations and individual member states to ensure planning, implementation, monitoring and cooperation in its policies” is required (Pream. §(g) [considering]). In operative paragaphs, our Draft Resolution calls for collaboration with “all the concerned stakeholders including International and intergovernmental organizations to develop policies for allocation, assignment and management of IP resources including naming, numbering and addressing which is systematic, equitable, fair, just, democratic and transparent” (Op. §2). One may pay attention to the oversight over implementation and the necessity of inter-governmental involvement in planning and monitoring as problematic to iterations of multi-stakeholderism.

These concerns are valid and legitimate, and it is desirable that the text of the resolution be altered to address them. The text should also be altered to address the human rights concerns I point out in my previous post. But human rights enforcement or implementation is within the domain of states, though civil society may be a careful watchdog. The Draft Resolution's text, most certainly, will face certain oppositions: for instance, that it is outside the scope and mandate of the ITU. That the ITU does not deal with content regulation – and this issue touches upon content – will be mentioned. That Internet governance is already being discussed and performed in multiple other multi-stakeholder fora, such as ICANN, the NRO and RIRs, IGF and WSIS, will be emphasized. That the Draft Resolution implicates national security concerns will be mentioned as well. But as an aside, on national security: under international law, states always mention their prerogative over national security, and so as a matter of international custom, national security is outside the scope of agreements unless expressly surrendered.

At the same time, debates around the role of ITU in Internet governance are not new, and those familiar will remember the ITU’s views right before the creation of ICANN (also see Mueller, Ruling the Root 145-48 (2002)), Resolution 3 of the WCIT, and the constant tug-of-war since then. The new Secretary-General of the ITU, Mr. Houlin Zhao, wrote a note in October 2004, before the Tunis phase of the WSIS, justifying ITU’s involvement in Internet governance, advocating that IPv6 address blocks be allocated to countries. Mr. Zhao describes, with specific examples, ITU's role in the development and widespread growth of the Internet. He takes the examples of standards developed within the ITU and ITU's policy role in liberalisation and spread of telecommunications (such as Articles 4 & 9 of the 1988 ITRs).

Mr. Zhao’s concrete proposals are rendered inapplicable by the creation of the NRO and RIRs, and the growth and entrenchment of ICANN. But it may be argued that his principled justifications for ITU involvement remain. It is these that India hopes to highlight, I was told, along with the inequities in resource allocation (IPv4 was spoken of), and the disproportionate weight some states enjoy in Internet governance. Her concerns are, I am told, also shared by some other states. Given that the text exhibits a less-than-friendly approach to multi-stakeholderism, India's previous positions on the issue are of interest. While this would not correct the snags in the Draft Resolution's text, allaying these concerns may be ideal to craft an inclusive and transparent multi-stakeholder model for Internet governance.

India and Multi-stakeholderism in Internet Governance:

India’s position on multi-stakeholder models for Internet governance is a matter of some obscurity. Statements at various forums exhibit a certain disagreement – or at the least, lack of engagement – among India’s ministries on our position on multi-stakeholder approaches, particularly the Ministry of External Affairs (MEA), the Department of Telecommunications (DOT) and the Department of Electronics and Information Technology (DeitY), both within the Ministry of Communications and Information Technology (MCIT). While both the MEA and DOT have been cautious supporters of a diluted form of multi-stakeholderism (they have repeatedly emphasized §35 of the Tunis Agenda), DeitY has been more open in entertaining multi-stakeholder approaches for Internet governance.

At the 66^th session of UN General Assembly, Mr. Dushyant Singh, Member of India’s Parliament from the Bharatiya Janata Party, presented our proposal for a Committee on Internet-related Policies. The proposal sought the establishment of a UN committee comprising 50 member-states, with advisory groups including the private sector and civil society, to deal with Internet-related matters.[3] Though India was not opposed to multi-stakeholder advisories in its CIRP proposal, it was less than inviting in this regard.

At NETmundial (April 2014), the Indian government’s contribution document highlighted §35 of the Tunis Agenda, which delineates ‘roles and responsibilities’ of ‘respective stakeholders’ – i.e., governments (with whom reside “sovereign policy authority”), the private sector (technical and economic development of the Internet) and civil society (grassroots participation). At NETmundial, Mr. Vinay Kwatra of the MEA echoed this, also noting the lack of consensus on what multi-stakeholderism means for Internet governance (page 64).

Admittedly, this is a legitimate concern. Internet governance at various fora does not seem to have a clear answer on what multi-stakeholderism means. The debate was/is alive, for instance, at NETmundial 2014, the ICANN-convened IANA transition process, the World Economic Forum’s new NETmundial Initiative, and in the many calls and suggestions (pages 38-46) made over the years on strengthening the IGF (see also, Malcolm, Multi-stakeholder Governance and the IGF (2008), chapter 6). It is hardly surprising then, that India and other states raise this as a concern.

With regard to multi-stakeholderism, the DeitY in India has been the outlier. Speaking at the 2014 IGF in Istanbul, Mr. R.S. Sharma, Secretary (DeitY), expressed “no doubt that Internet Governance mechanism require the involvement of all the stakeholders, since the evolution of Internet has been a product of many different diverse groups working together in a loosely coordinated manner”, advocating strengthening of the IGF and pointing to India’s proposed India-IGF as an example of multi-stakeholderism at home. Most interestingly, Mr. Sharma did not focus on international Internet-related policies being the “sovereign policy authority of states”. Also in the transcripts of the four meetings of the Working Group on Enhanced Cooperation under the Committee for Science, Technology and Development (CSTD), I have been unable to find outright rejections of multi-stakeholder approaches, though India has not advocated multi-stakeholderism unequivocally either.

But this – the emphasis on “sovereign policy authority of states” in Internet governance – has been a consistent position for India, especially the MEA and DOT. Here at the ITU PP-14 as well, members of the Indian delegation also emphasized states’ sovereign monopoly over policy matters. “Why not take this to the ITU”, I was asked, as “many governments are uncomfortable” with the way Internet governance is being conducted at other fora. There are grave concerns, I was told, about the possibility of excessive control some governments have over both user and government data of other states (government-speak, of course, for the Snowden revelations).

These are, of course, concerns similar to those of authoritarian governments, or those reluctant to open up to multi-stakeholderism and looking for excuses to retain/increase government control. But it is equally possible that these concerns need not be limited only to such states. Perhaps for developing countries as well, these are real concerns. In conversation with members of the Indian delegation at the ITU Plenipot, I was able to discern 3 broad concerns. First, the definition of multi-stakeholderism in Internet governance. India has not shown herself comfortable with an all-out endorsement of multi-stakeholderism. This is troubling. Civil society and the private sector in India will attest to the difficulties in engaging with our government at all levels. For instance, seeking a place on India's delegation for the Plenipot proved a disheartening exercise for some members of India's civil society.

But there are also conflicting indications. India is in the process of instituting an India-IGF, and CIS' Executive Director, Sunil Abraham, is on the MAG. India expressed agreement, at least in informal conversation, to opening up ITU documents to the public on grounds of public interest. The Law Commission of India  recently conducted a multi-stakeholder consultation on media laws in India, and Telecom Regulatory Authority of India (TRAI) regularly conducts consultations, though the private sector is more active there. What is lacking in India, however, is a set of clear procedures and processes for multi-stakeholder engagement, particularly on Internet issues. Clear, public, accessible, foreseeable and predictable set of rules or processes on participation from civil society, private sector and academia would make a world of difference to multi-stakeholderism within India. But this lack should not blind states or other stakeholders to the genuineness of privacy/security or equity concerns - for instance, of the protection of our information from mass surveillance or the feasibility and actual participation of developing countries at many Internet governance fora.

Second, members of the delegation expressed concern over inequalities in the allocation of naming, numbering and addressing resources. While I am uncertain how IPv6 allocation falls within this concern, the inequalities of IPv4 allocations are well documented. To gather a sense of this, it would be useful to read chapter 5 of Professor DeNardis’ Protocol Politics, and to glance at Figure 5.7 (page 173). Africa controls, for instance, a mere 1% of all available IPv4 addresses, while North America and Europe control about 63%. A study on engagement from the Asia-Pacific in Internet standards organisations shows, for instance, greater participation from Western countries and from some states like Japan.[4] India and other states from Asia and Africa have lesser participation. Even at ICANN, with efforts to increase participation, meaningful engagement is still from a majority of Western countries. Perhaps states and other stakeholders on the other side of the table can address these concerns through clear, inclusive, non-discriminatory commitments and implementation.

Third, India emphasized how the Draft Resolution does not propose that ITU be involved in content management or resources control, but only seeks to systematize allocation by asking the ITU Secretary General to collaborate and coordinate with other Internet governance organisations to create a set of principles for fair, equitable, transparent and democratic - as well as secure - allocation of resources. ITU Resolution 101 already instructs the Secretary General to collaborate with relevant Internet governance organisations, and the Draft Resolution merely seeks to spell out his tasks. However, as I pointed out in my previous post, the text of the Draft Resolution is at odds with this intention of India's. By dint of its drafting, it gravely implicates human rights, as well as touching upon resource allocation oversight ("needs to be adhere to" in Op. §2). To reflect the above stated intention, the Draft Resolution would need to be redrafted.

Finally, the text of the Draft Resolution exhibits, unfortunately, a certain disregard for existing network architecture and efficiency within the Internet, and to the principles of a free, open and inter-operable and unified Internet, when it seeks to develop a network architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing. An argument may, of course, be made in favour of efficiency and costs, including reduced latency. But it is clear that this has the potential to increase domestic surveillance capabilities and government censorship of content. In any case, traffic localization (if not local address resolution) can be achieved without ITU coordination: through Internet Exchange Points, and through more efficient and better-negotiated peering and transit arrangements (pages 14-17). Internationally coordinated rules for localized traffic routing is not necessary; you just need to have a more efficient Internet Exchange Point. How to get more ISPs to interconnect through India’s National Internet Exchange (NIXI) is one of the very questions that India’s Telecom Regulatory Authority has taken up in its recent consultation on expanding broadband access (page 49). So it is possible that India's concerns could be addressed without ITU involvement, though I am unsure of its impact on the global Internet.

The Draft Resolution will be discussed at the ITU Plenipot today. The discussion will allow India and sympathetic countries to raise several of their concerns relating to the present system of Internet governance, and the direction of its progress. I will report on these discussions upon their completion.

A Note on Limitations:

The aim of this post is to clarify. I would caution against its being the last word on anything, much less India’s positions on Internet governance. An issue as important as this needs far greater access to and confirmation from India’s government – and a more in-depth understanding of the politics – than I do, at the moment.

At the same time, India has not been a model for civil society engagement, as illustratively, the Narmada Bachao Andolan and/or P. Sainath’s evaluation of government policies in Everybody Loves a Good Drought reveal. It has been harder to effectively engage with India’s government than in many states in North America, Latin America and Europe. But I believe the complex dynamics of that is not unique to India. The NSA and GCHQ revelations (as an example of governmental trust deficit of unmatched proportions) have shown that where governments want to keep everyone out and oblivious, they do it well.

I am not in favour of a purely multilateral approach to Internet governance. But at the same time, I share concerns over definition and the evolution of processes as well, as I am sure others in civil society also do. Particularly on the issue of Internet governance and multi-stakeholderism, evidence reveals inconsistency among India’s various ministries. Until this is addressed by our government (hopefully in consultation with all concerned stakeholders), an open mind would probably be the best thing we - including states - could keep.

Acknowledgements: I would like to thank Sunil Abraham, Pranesh Prakash, Rishabh Dara, Arun Sukumar, Anja Kovacs and Parminder Jeet Singh for the freedom to bounce ideas, feedback and the many discussions about multi-stakeholder approaches and Internet governance. I also wish to acknowledge Samir Saran’s article in CFR, which offers an interesting perspective on India’s Draft Resolution.

[1] For this post, I will use ‘multi-stakeholder approaches’ as an umbrella term, but would urge readers to keep in mind the many uncertainties and disagreements about defining multi-stakeholderism for Internet governance. These disagreements exist among and within all stakeholders, including government and civil society. In addition to various iterations of the ‘equal footing model’, the model proposed in §35 of the Tunis Agenda is also multi-stakeholder, albeit in a different – and for many in civil society, less desirable – sense.

[2] For those unacquainted with WCIT, see Mueller, ITU Phobia: Why WCIT was derailed, Internet Governance Blog (18 December 2012), http://www.internetgovernance.org/2012/12/18/itu-phobia-why-wcit-was-derailed/; Kleinwächter, WCIT and Internet governance: Harmless resolution or Trojan horse?, CircleID Blog (17 December 2012), http://www.circleid.com/posts/20121217_wcit_and_internet_governance_harmless_resolution_or_trojan_horse/.

[3] For a commentary, see Mueller, A United Nations Committee for Internet-related Policies? A Fair Assessment, Internet Governance Blog (29 October 2011), http://www.internetgovernance.org/2011/10/29/a-united-nations-committee-for-internet-related-policies-a-fair-assessment/.

[4] Contreras, Divergent Patterns of Engagement in Internet Standardization: Japan, Korea and China. I am unable to find this paper online. Please email me for information.

"Chairman of Working Group Plenary, Mr Musab Abdulla, Head of Delegations, delegates, ladies and gentlemen, good morning/afternoon to you all. I was indeed impressed with the camaraderie with which discussions were held inspite of the fact that delegates discussing the issues have different cultures, languages, nuances, impressions and sometime interests.

"Governance of packet-switched data telecom Networks based on Internet Protocol (IP), popularly known as Internet, has become an important and contentious issue due to several reasons known to all of us. We put up a draft resolution to address some of these key issues pertaining to IP based networks. When we put up the proposal, I had thought that the proposal would contribute in diminishing some of the differences. These issues and their probable solutions are given in our draft resolution, document 98, about which we were ready to take constructive inputs.

"Information is power these days. The wise Lord Acton said about hundred and fifty years ago that Power tends to corrupt and absolute power corrupts absolutely. The countries in modern times have become great on the principles of equality, liberty and justice. As and when these principles were compromised great powers lost their hold. Broadband penetration and connectivity has been the important running theme of this conference. We believe this, like great empires, can only be built on the principles of fairness, justice, and equality. No Telecom Network whether IP based or otherwise can function without naming and numbering, which is the lifeline of a network. Their availability in a fair, just and equitable manner, therefore, is an important public policy issue and need to be dealt that way. We believe that respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.

"There are number of existing Internet related resolutions, but they only touch the issue in general and, therefore, without focus concrete action does not happen. Our Resolution was with a view to deal with the issues in a focused manner. Some countries supported our draft resolution, while some other were not able to support it. Some stated since the proposal is a comprehensive one, dealing with number of important issues, more time is needed for them to develop a view on it. Due to the number of proposals with Ad Hoc Group lined up before our draft resolution, there was no time left for detailed discussion on the proposal. Therefore, India agreed not to press the resolution for discussion due to paucity of time, with an understanding that for these issues of concerns for many Member States, contributions can be made in various fora dealing with development of IP based networks and future networks, including ITU. India would like that discussion should take place on these issues and look forward to these discussions. We would request that this Statement is included in the records of Plenipotentiary-14 meeting.

"We would like to thank for the cooperation extended by various Member States, particularly USA, for appreciating our concerns and all those who shared our concerns and supported the draft resolution. I would also like to thank Mr. Fabio Bigi, Chairman of Ad Hoc Working Group for giving patient hearing to all us and tolerating all our idiosyncrasies and still arriving at consensus. This is because of his wisdom, which comes with experience.

Thank you all."

Introduction

Although the right to information is not specifically spelt out in the Constitution of India, 1950, it has been read into Articles 14 (right to equality), 19(1)(a) (freedom of speech and expression) and 21 (right to life) through cases such as Bennet Coleman v. Union of India,[1] Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd.,[2] etc. The same Articles of the Constitution were also interpreted in Kharak Singh v.State of U.P.,[3] Govind v. State of M.P., [4] and a number of other cases, to include within their scope a right to privacy. At the very outset it appears that a right to receive information -though achieving greater transparency in public life - could impinge on the right to privacy of certain people. The presumed tension between the right to privacy and the right to information has been widely recognized and a framework towards balancing the two rights, has been widely discussed across jurisdictions. In India, nowhere is this conflict and the attempt to balance it more evident than under the Right to Information Act, 2005 (the "RTI Act").

Supporting the constitutional right to information enjoyed by the citizens, is the statutorily recognized right to information granted under the RTI Act. Any potential infringement of the right to privacy by the provisions of the RTI Act are sought to be balanced by section 8 which provides that no information should be disclosed if it creates an unwarranted invasion of the privacy of any individual. This exception states that there is no obligation to disclose information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information. [5] The Act further goes on to say that where any information relating to or supplied by a third party and treated by that party as confidential, is to be disclosed, the Central Public Information Officer or State Public Information Officer has to give written notice to that party within five days of receiving such a request inviting such third party (within ten days) to make its case as to whether such information should or should not be disclosed.[6]

A plain reading of section 11 suggests that for the section to apply the following three conditions have to be satisfied, i.e. (i) if the PIO is considering disclosing the information (ii) the information relates to the third party or was given to a Public Authority by the third party in confidence; and (iii) the third party treated the information to be a confidential. It has been held that in order to satisfy the third part of the test stated above, the third party has to be consulted and therefore a notice has to be sent to the third party. Even if the third party claims confidentiality, the proviso to the section provides that the information cannot be withheld if the public interest in the disclosure outweighs the possible harm or injury that may be caused to the third party, except in cases of trade or commercial secrets.[7] The Courts have also held that section 11 should be read keeping in mind the exceptions contained in section 8 (discussed in detail later) and the exceptions contained therein. [8]

This principle of non disclosure of private information can be found across a number of common law jurisdictions. The United Kingdom's Freedom of Information Act, 2000 exempts the disclosure of information where it would violate the data protection principles contained in the Data Protection Act, 1998 or constitute an actionable breach of confidence.[9] The Australian Freedom of Information Act, 1982 categorizes documents involving unreasonable disclosure of personal information as conditionally exempt i.e. allows for their disclosure unless such disclosure would be contrary to public interest.[10] The Canadian Access to Information Act also has a provision which allows the authorities to refuse to disclose personal information except in accordance with the provisions of the Canadian Privacy Act. [11]

An overview of the RTI Act, especially sections 6 to 8 seems to give the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act. [12] This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right. [13] Logical as this argument may seem and appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). That is because the right to privacy envisaged in this section is also a pre-existing constitutional right which has been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates.[14] Therefore there is an ambiguity regarding the treatment and priority given to the privacy exception vs. the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.

The Privacy Exception

As discussed earlier, the purpose of the RTI Act is to increase transparency and ensure that people have access to as much public information as possible. Such a right is critical in a democratic country as it allows for accountability of the State and allows individuals to seek out information and make informed decisions. However, it seems from the language of the RTI Act that at the time of its drafting the legislature did realize that there would be a conflict between the endeavor to provide information and the right to privacy of individuals over the information kept with public authorities, which is why a privacy exception was carved into section 8(1)(j) of the Right to Information Act. The Act does not only protect the privacy of the third party who's information is at risk of being disclosed, but also the privacy of the applicant. In fact it has now been held that a private respondent need not give his/her ID or address as long as the information provided by him/her is sufficient to contact him/her.[15]

It is interesting to note that although the RTI Act gives every citizen a right to information, it does not limit this right with a stipulation as to how the information shall be used by the applicant or the reason for which the applicant wants such information. [16] This lack of a purpose limitation in the Act may have privacy implications as non sensitive personal information could be sought from different sources and processed by any person so as to convert such non-sensitive or anonymous information into identifiable information which could directly impact the privacy of individuals.

The exception in S. 8(1)(j) prohibits the disclosure of personal information for two reasons (i) its disclosure does not relate to any public activity or interest or (ii) it would be an unwarranted invasion into privacy. The above two conditions however get trumped if a larger public interest is satisfied by the disclosure of such information.

One interesting thing about the exception contained in section 8(1)(j) is that this exception itself has an exception to it in the form of a proviso. The proviso says that any information which cannot be denied to the central or state legislature shall not be denied to any person. Since the proviso has been placed at the end of sub-section 8(1) which is also the end of clause 8(1)(j), one might be tempted to ask whether this proviso applies only to the privacy exception i.e. clause 8(1)(j) or to the entire sub-section 8(1) (which includes other exceptions such as national interest, etc.). This issue was put to rest by the Bombay High Court when it held that since the proviso has been put only after clause 8(1)(j) and not before each and every clause, it would not apply to the entire sub-section 8(1) but only to clause 8(1)(j), thus ensuring that the exceptions to disclosure other than the right to privacy are not restricted by this proviso.[17]

Scope of Proviso to section 8(1)(j)
Though the courts have agreed that the proviso is applicable only to section 8(1)(j), the import of the proviso to section 8(1)(j) is a little more ambiguous and there are conflicting decisions by different High Courts on this point. Whereas the Bombay High Court has laid emphasis on the letter of the proviso and derived strength from the objects and overall scheme of the Act to water down the provisions of section 8(1)(j), [18] the Delhi High Court has disagreed with such an approach which gives "undue, even overwhelming deference" to Parliamentary privilege in seeking information. Such an approach would render the protection under section 8(1)j) meaningless, and the basic safeguard bereft of content.[19] In the words of the Delhi High Court:

" The proviso has to be only as confined to what it enacts, to the class of information that Parliament can ordinarily seek; if it were held that all information relating to all public servants, even private information, can be accessed by Parliament, Section 8(1)(j) would be devoid of any substance, because the provision makes no distinction between public and private information. Moreover there is no law which enables Parliament to demand all such information; it has to be necessarily in the context of some matter, or investigation. If the reasoning of the Bombay High Court were to be accepted, there would be nothing left of the right to privacy, elevated to the status of a fundamental right, by several judgments of the Supreme Court. "

The interpretation given by the Delhi High Court thus ensures that section 8(1)(j) still has some effect, as otherwise the privacy exception would have gotten steamrolled by parliamentary privilege and all sorts of information such as Income Tax Returns, etc. of both private and public individuals would have been liable to disclosure under the RTI Act.

Unfortunately, the RTI Act does not describe the terms "personal information" or "larger public interest" used in section 8(1)(j), which leaves some amount of ambiguity in interpreting the privacy exception to the RTI Act. Therefore the only option for anyone to understand these terms in greater depth is to discuss and analyse the case laws developed by the Hon'ble Supreme Court and the High Courts which have tried to throw some light on this issue.

We shall discuss some of these landmark judgments to understand the interpretations given to these terms and then move on to specific instances where (applying these principles) information has been disclosed or denied.

Personal Information
The RTI Act defines the term information but does not define the term "personal information". Therefore one has to rely on judicial pronouncements to understand the term a more clearly. Looking at the common understanding and dictionary meaning of "personal" as well as the definition of "information" contained in the RTI Act it could be said that personal information would be information, information that pertains to a person and as such it takes into its fold possibly every kind of information relating to the person. Now, such personal information of the person may, or may not, have relation to any public activity, or to public interest. At the same time, such personal information may, or may not, be private to the person. [20]

The Delhi High Court has tried to draw a distinction between the term "private information" which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and of the like nature and "personal information" which would be any information that pertains to an individual. This would logically imply that all private information would be part of personal information but not the other way round. [21] The term 'personal information' has in other cases, been variously described as "identity particulars of public servants, i.e. details such as their dates of birth, personal identification numbers",[22] and as including tax returns, medical records etc.[23] It is worth noting that just because the term used is "personal information" does not mean that the information always has to relate to an actual person, but may even be a juristic entity such as a trust or corporation, etc.[24]

Larger Public Interest
The term larger public interest has not been discussed or defined in the RTI Act, however the Courts have developed some tests to determine if in a given situation, personal information should be disclosed in the larger public interest.

Whenever a Public Information Officer is asked for personal information about any person, it has to balance the competing claims of the privacy of the third party on the one hand and claim of public interest on the other and determine whether the public interest in such a disclosure satisfies violating a person's privacy. The expression "public interest" is not capable of a precise definition and does not have a rigid meaning. It is therefore an elastic term and takes its colors from the statute in which it occurs, the concept varying with the time and the state of the society and its needs. This seems to be the reason why the legislature and even the Courts have shied away from a precise definition of "public interest". However, the term public interest does not mean something that is merely interesting or satisfies the curiosity or love of information or amusement; but something in which a class of the community have some interest by which their rights or liabilities are affected.[25]

There have been suggestions that the use of the word "larger" before the term "public interest" denotes that the public interest involved should serve a large section of the society and not just a small section of it, i.e. if the information has a bearing on the economy, the moral values in the society; the environment; national safety, or the like, the same would qualify as "larger public interest".[26] However this is not a very well supported theory and the usage of the term "larger public interest" cannot be given such a narrow meaning, for example what if the disclosure of the information could save the lives of only 10 people or even just 5 children? Would the information not be released just because it violates one person's right to privacy and there is not a significant number of lives at stake? This does not seem to be what all the cases on the right to privacy, right from Kharak Singh[27] all the way to Naz Foundation, [28] seem to suggest. Infact, in the very same judgment where the above interpretation has been suggested, the Court undermines this argument by giving the example of a person with a previous crime of sexual assault being employed in an orphanage and says that the interest of the small group of children in the orphanage would outweigh the privacy concerns of the individual thus requiring disclosure of all information regarding the employee's past.

In light of the above understanding of section 8(1)(j), there seem to be two different tests that have been proposed by the Courts, which seem to connote the same principle although in different words:

1. The test laid down by Union Public Service Commission v. R.K. Jain:

(i) The information sought must relate to „Personal information‟ as understood above of a third party. Therefore, if the information sought does not qualify as personal information, the exemption would not apply;

(ii) Such personal information should relate to a third person, i.e., a person other than the information seeker or the public authority; AND

(iii) (a) The information sought should not have a relation to any public activity qua such third person, or to public interest. If the information sought relates to public activity of the third party, i.e. to his activities falling within the public domain, the exemption would not apply. Similarly, if the disclosure of the personal information is found justified in public interest, the exemption would be lifted, otherwise not; OR (b) The disclosure of the information would cause unwarranted invasion of the privacy of the individual, and that there is no larger public interest involved in such disclosure. [29]

2. The other test was laid down in Vijay Prakash v. Union of India, but in the specific circumstances of disclosure of personal information relating to a public official:

(i) whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization;

(ii) whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case; and

(iii) whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources. [30]

Constitutional Restrictions
Since there is not extensive academic discussion on the meaning of the term "larger public interest" or "public interest" as provided in section 8(1)(j), one is forced to turn to other sources to get a better idea of these terms. One such source is constitutional law, since the right to privacy, as contained in section 8(1)(j) has its origins in Articles 14,[31] 19(1)(a) [32] and 21[33] of the Constitution of India. The constitutional right to privacy in India is also not an absolute right and various cases have carved out a number of exceptions to privacy, a perusal of which may give some indication as to what may be considered as 'larger public interest', these restrictions are:

a) Reasonable restrictions can be imposed on the right to privacy in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; ^[34]

b) Reasonable restrictions can be imposed upon the right to privacy either in the interests of the general public or for the protection of the interests of any Scheduled Tribe;^[35]

c) The right to privacy can be restricted by procedure established by law which procedure would have to satisfy the test laid down in the Maneka Gandhi case.^[36]

d) The right can be restricted if there is an important countervailing interest which is superior; ^[37]

e) It can be restricted if there is a compelling state interest to be served by doing so; ^[38]

f) It can be restricted in case there is a compelling public interest to be served by doing so; ^[39]

g) The Rajagopal tests - This case lays down three exceptions to the rule that a person's private information cannot be published, viz. i) person voluntarily thrusts himself into controversy or voluntarily raises or invites a controversy, ii) if publication is based on public records other than for sexual assault, kidnap and abduction, iii) there is no right to privacy for public officials with respect to their acts and conduct relevant to the discharge of their official duties. It must be noted that although the Court talks about public records, it does not use the term 'public domain' and thus it is possible that even if a document has been leaked in the public domain and is freely available, if it is not a matter of public record, the right to privacy can still be claimed in regard to it.^[40]

Section 8(1)(j) in Practice

The discussion in the previous chapter regarding the interpretation of section 8(1)(j), though (hopefully) helpful still seems a little abstract without specific instances and illustrations to drive home the point. In this chapter we shall endeavor to briefly discuss some specific cases regarding information disclosure where the issue of violation of privacy of a third party was raised.

Private Information of Public Officials
Some of the most common problems regarding section 8(1)(j) come up when discussing information (personal or otherwise) regarding public officers. The issue comes up because an argument can be made that certain information such as income tax details, financial details, medical records, etc. of public officials should be disclosed since it has a bearing on their public activities and disclosure of such information in case of crooked officers would serve the interests of transparency and cleaner government (hence serving a larger public interest). Although section 8(1)(j) does not make any distinction between a private person and a public servant, a distinction in the way their personal information is treated does appear in reality due to the inherent nature of a public servant. Infact it has sometimes been argued that public servants must waive the right to privacy in favour of transparency.[41] However this argument has been repeatedly rejected by the Courts, [42] just because a person assumes public office does not mean that he/she would automatically lose their right to privacy in favour of transparency.

If personal information regarding a public servant is asked for, then a distinction must be made between the information that is inherently personal to the person and that which has a connection with his/her public functions. The information exempted under section 8(1)(j) is personal information which is so intimately private in nature that the disclosure of the same would not benefit any other person, but would result in the invasion of the privacy of the third party.[43] In short, the Courts have concluded that there can be no blanket rule regarding what information can and cannot be disclosed when it comes to a public servant, and the disclosure (or lack of it) would depend upon the circumstances of each case.

Although the earlier thinking of the CIC as well as various High Courts of the country was that information regarding disciplinary proceedings and service records of public officials is to be treated as public information in order to boost transparency,[44] however this line of thinking took almost a U-turn in 2012 after the decision of the Supreme Court in Girish Ramchandra Deshpande v. Central Information Commissioner,[45] and now the prevailing principle is that such information is personal information and should not be disclosed unless a larger public interest is would be served by the disclosure.

It would also be helpful to look at a list of the type of information regarding public servants which has been disclosed in the past, gleaned from various cases, to get a better understanding of the prevailing trends in such cases:

(i) Details of postings of public servants at various points of time, since this was not considered as personal information; [46]

(ii) Copies of posting/ transfer orders of public servants, since it was not considered personal information; [47]

(iii) Information regarding transfers of colleagues cannot be exempted from disclosure, since disclosure would not cause any unwarranted invasion of privacy and non disclosure would defeat the object of the RTI Act;[48]

(iv) Information regarding the criteria adopted and the marks allotted to various academic qualifications, experience and interview in selection process for government posts by the state Public Service Commission;[49]

(v) Information regarding marks obtained in written test, interview, annual confidential reports of the applicant as well as the marks in the written test and interview of the last candidate selected, since this information was not considered as personal information; [50]

(vi) Information relating to the appointment and educational certificates of teachers in an educational institution (which satisfies the requirements of being a public authority) was disclosed since this was considered as relevant to them performing their functions. [51]

The performance of an employee/officer in an organization is primarily a matter between the employee and the employer and normally those aspects are governed by the service rules which fall under the expression "personal information", the disclosure of which has no relationship to any public activity or public interest. To understand this better below is a brief list of the type of information that has been considered by the Courts as personal information which is liable to be exempt from disclosure under section 8(1)(j):

(i) (a) Salary details, (b) show cause notice, memo and censure, (c) return of assets and liabilities, (d) details of investment and other related details, (e) details of gifts accepted, (f) complete enquiry proceedings, (g) details of income tax returns;[52]

(ii) All memos issued, show cause notices and orders of censure/punishment etc. are personal information. Cannot be revealed unless a larger public interest justifies such disclosure;[53]

(iii) Disciplinary information of an employee is personal information and is exempt under section 8(1)(j); [54]

(iv) Medical records cannot be disclosed due to section 8(1)(j) as they come under "personal information", unless a larger public interest can be shown meriting such disclosure;[55]

(v) Copy of personnel records and service book (containing Annual Confidential Reports, etc.) of a public servant is personal information and cannot be disclosed due to section 8(1)(j);[56]

(vi) Information regarding sexual disorder, DNA test between an officer and his surrogate mother, name of his biological father and step father, name of his mother and surrogate step mother and such other aspects were denied by the Courts as such information was considered beyond the perception of decency and was an invasion into another man's privacy.[57]

It is not just the issue of disclosure of personal details of public officials that raises complicated questions regarding the right to information, but the opposite is equally true, i.e. what about seemingly "public" details of private individuals. A very complicated question arose with regard to information relating to the passport details of private individuals.

Passport Information of Private Individuals
The disclosure of passport details of private individuals is complicated because for a long time there was some confusion because of the treatment to be given to passport details, i.e. would its disclosure cause an invasion of privacy since it contains personally identifying information, specially because photocopies of the passport are regularly given for various purposes such as travelling, getting a new phone connection, etc. The Central Information Commission used a somewhat convoluted logic that since a person providing information relating to his residence and identity while applying for a passport was engaging in a public activity therefore such information relates to a public activity and should be disclosed. This view was rejected by the Delhi High Court in the case of Union of India v. Hardev Singh,[58] and the view taken inHardev Singh was later endorsed and relied upon in Union of India v. Rajesh Bhatia, [59] while hearing a number of petitions to decide what details of a third party's passport should be disclosed and what should be exempt from disclosure.

A list of the Courts conclusions is given below:

Information that can be revealed:

(i) Name of passport holder;

(ii) Whether a visa was issued to a third party or not;

(iii) Details of the passport including dates of first issue, subsequent renewals, dates of application for renewals, numbers of the new passports and date of expiry;

(iv) Nature of documents submitted as proof;

(v) Name of police station from where verification for passport was done;

(vi) Whether any report was called for from the jurisdictional police;

(vii) Whether passport was renewed through an agent or through a foreign embassy;

(viii) Whether it was renewed in India or any foreign country;

(ix) Whether tatkal facility was availed by the passport holder;

Information that cannot be revealed:

(i) Contents of the documents submitted with the passport application;

(ii) Marital status and name and address of husband;

(iii) Whether person's name figures as mother/guardian in the passport of any minor;

(iv) Copy of passport application form;

(v) Residential address of passport holder;

(vi) Details of cases filed/pending against passport holder;

(vii) Copy of old passport;

(viii) Report of the police and CID for issuing the passport;

(ix) Copy of the Verification Certificate, if any such Verification Certificate was relied upon for the issue of the passport.

Other Instances

Apart from the above two broad categories of information that has been the subject of intense judicial discussion, certain other situations have also arisen where the Courts have had to decide the issue of disclosure under section 8(1)(j), a brief summary of such situations is given below:

(i) names and details of people who received money as donations from the President out of public funds was considered as information which has a definite link to public activities and was therefore liable to be disclosed;[60]

(ii) information regarding the religion practiced by a person, who is alleged to be a public figure, collected by the Census authorities was not disclosed since it was held that the quest to obtain the information about the religion professed or not professed by a citizen cannot be in any event; [61]

(iii) information regarding all FIRs against a person was not protected under section 8(1)(j) since it was already a matter of public record and Court record and could not be said to be an invasion of the person's privacy;[62]

(iv) information regarding the income tax returns of a public charitable trust was held not to be exempt under section 8(1)(j), since the trust involved was a public charitable trust functioning under a Scheme formulated by the District Court and registered under the Bombay Public Trust Act as such due to its character and activities its tax returns would be in relation to public interest or activities.[63]

Conclusion

A discussion of the provisions of section 8 and 11 of the RTI Act as well as the case laws under it reveals that the legislature was aware of the dangers posed to the privacy of individuals from such a powerful transparency law. However, it did not want the exceptions carved out to protect the privacy of individuals to nullify the objects of the RTI Act and therefore drafted the legislation to incorporate the principle that although the RTI Act should not be used to violate the privacy of individuals, such an exception will not be applicable if a larger public interest is to be served by the disclosure. This principle is in line with other common law jurisdictions such as the U.K, Austalia, Canada, etc. which have similar exceptions based on privacy or confidentiality.

However it is disappointing to note that the legislature has only left the legislation at the stage of the principle which has left the language of the exception very wide and open to varied interpretations. It is understandable that the legislature would try to keep specifics out of the scope of the section to make it future proof. It is obvious that it would be impossible for the legislature or the courts to imagine every single circumstance that could arise where the right to information and the right to privacy would be at loggerheads. However, such wide and ambiguous drafting has led to cases where the Courts and the Central Information Commission have taken opposing views, with the views of the Court obviously prevailing in the end. This was illustrated by the issue of disclosure of passport details of private individuals with a large number of CIC cases taking different views till the High Court of Delhi gave categorical findings on the issue in the Hardev Singh and Rajesh Bhatia cases. Similar was the issue of service details of public officials since before the decision of the Supreme Court in the case of Girish Ramchandra Deshpande in 2012 the prevailing thinking of the CIC was that details of disciplinary proceedings against public officials are not covered by section 8(1)(j), however this thinking has now taken a U-turn as the Supreme Court's understanding of the right to privacy has taken stronger roots and such information is now outside the scope of the RTI Act, unless a larger public interest in the disclosure can be shown.

The ambiguity that arises in application when trying to balance the right to privacy against the right to information is a drawback in incorporating only a principle and leaving the language ambiguous in any legislation. This paper does not advocate that the legislature try to list out all the instances of this problem that are possibly imaginable, this would be too time consuming and may even be counterproductive. However, it is possible for the legislature to adopt an accepted practice of legislative drafting and list certain instances where there is an obvious balancing required between the two rights and put them as "Illustrations" to the section. This device has been utilised to great effect by some of the most fundamental legislations in India such as the Contract Act, 1872 and the Indian Penal Code, 1860. An alternative to this approach could be to utilize the approach taken in the Australian Freedom of Information Act, where the Act itself gives certain factors which should be considered to determine whether access to a particular document would be in the public interest or not.

List of References

Primary Sources

1. Australia Freedom of Information Act, 1982.

2. Bennet Coleman v. Union of India, AIR 1973 SC 106.

3. Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

4. Calcutta High Court, WP (W) No. 33290 of 2013, dated 20-11-2013.

5. Canadian Access to Information Act.

6. Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667

7. Constitution of India, 1950.

8. Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

9. Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

10. Jamia Millia Islamia v. Sh. Ikramuddin, Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

11. Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

12. Kharak Singh v. State of U.P., AIR 1963 SC 129.

13. Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978.

14. Naz Foundation Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

15. P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

16. Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82.

17. President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

18. Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

19. R. Rajagopal v. Union of India, Supreme Court of India, dated 7-10-1994.

20. Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

21. Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

22. Right to Information Act, 2005

23. Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

24. Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

25. Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

26. Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

27. Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd., (1995) 5 SCC 139.

28. U.K. Freedom of Information Act, 2000.

29. UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

30. Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151

31. Union of India v. Hardev Singh WP(C) 3444 of 2012 dated 23-08-2013.

32. Union of India v. Rajesh Bhatia WP(C) 2232/2012 dated 17-09-2013.

33. Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

34. Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

Secondary Sources

1. "Country Report for U.K.", Privacy International, available at https://www.privacyinternational.org/reports/united-kingdom.

2. "Country Report for Australia", Privacy International, available at https://www.privacyinternational.org/reports/australia.

3. "Country Report for Canada", Privacy International, available at https://www.privacyinternational.org/reports/canada.

The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The third Privacy and Surveillance Roundtable was held in New Delhi at the India International Centre by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and Vahura, legal Partner on the 1^st of September, 2014.

The aim of the discussion was to gain inputs on what would constitute an ideal surveillance regime in India working with theCIS Draft Privacy Protection Bill, the Report of the Group of Experts on Privacy prepared by the Justice Shah committee, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context: Privacy and Surveillance in India

The discussion began with the chair giving an overview of the legal framework that governs communications interception under Indian Law in the interest of the participants since many were there for the first time.

The legal system to govern the manner in which communications are intercepted in India are defined under three main acts

1. Interception of Telephonic Calls : The Telegraph Act 1885

2. Interception of Posts : The Indian Post Office Act,1898

3. Interception of Electronic communication like e-mails etc :The IT Act, 2000

While the interception of postal mail is governed by Section 26 of the Post Office Act, 1898, the interception of modern forms of communication that use electronic information and traffic data are governed under Sections 69 and 69B of the Information Technology Act, 2000, while interception of telephonic conversations are governed by section 5(2) of the Indian Telegraph Act 1885 and subsequent rules under section 419A.

The main discussion of the meeting revolved around the Telegraph Act since it is the main Act which covers the interception of telecommunications. In 1968 the 30th Law Commission Report studying Section 5(2) of this Act came to the conclusion that the standards in the Act may be unconstitutional given factors such as 'public emergency' & 'public safety' were too wide in nature and called for a relook at the provision.

Objective of Round Table Meetings

The objective of the round table meetings is to, be prepared with the proposals on the Privacy Bill which the new government intends to split into separate Bill for Surveillance and Data privacy. Thus these submissions once out in the public domain would further deliberate more discussion and shape the course of the Bill.

Discussion

Authorisation

The chair initiated the discussion continuing from the last meeting about the two models of authorisation for Interception 1. The Judiciary & 2. The Executive

The chair explained why the earlier proposed Judiciary based model, based on the efficient experience of separation of power, would not fit into the Indian context. The main reason for this being that the lower judiciary in India is not competent enough to take decisions of this nature. Providing examples, the chair explained how in many cases the lower Judiciary overlooks essential human rights in their decisions, and such rights are only addressed when the case is appealed in Higher courts. While participants felt that High Court judges would be favourable, it was expressed that the immense backlog at the High Court level and the lack of judges is a challenge and risks being inefficient. Thus an additional responsibility for the High Court would not be a feasible model. Furthermore, adopting a judicial based model would mean that the existing model of executive would need to be entirely replaced. Owing to these practical implementation issues consensus was built over adoption of the existing executive model, but with more safeguards.

Safeguards proposed:

1. A redressal tribunal: Establishing a tribunal for the redressal of interception complaints. The tribunal could be a non-active body. Such a model would be different from other models adopted around the world - for example e in UK a designated tribunal suo-motu reviews cases on a regular basis. The tribunal could also have judicial review authority, to which one of the participants raised an issue that the tribunals usually will not have the power of Judicial review, however the chair assured him that the delegation of Judicial review to a tribunal does exist in Indian law.

2. A review commission: Establishing a commission to review the interceptions carried out on the orders of home secretary. For such an overseeing body, the commissioner should be appointed independently. The commissioner must be a Judge or a senior Lawyer and should report to the Parliament.

Content data and Metadata

In the next session the chair explained the difference between content data and metadata while initiating discussion on provisions addressing them in the proposed Bill. Content data, also called as payload data, is the actual content of the communication which takes place between X and Y.

Example 1: In the VOIP call the voice is packetized and sent in different packets to the destination, the content of that packet is the content data whereas the information of this content i.e the header, footer and checksum of the packet is the metadata.

Example 2: In the serial communication of the normal phone call the content data will be what the communication happened between two or more people over the call and the metadata will be who were involved in the call, on what date and time the call was made from which place, and under which tower.

It was noted that generally it is easier to intercept metadata than content data. In the proposed bill, section 2 (C) refers to the definition of content data and section 2(E) to metadata.

Participants also pointed out that often it is with metadata that concerned governmental authorities are able to carry out tracking. Thus, when determining procedural safeguards for surveillance - and specifically for interception - the question of whether or not content data and meta data should be treated the same under law must be addressed. Participants suggested looking into German laws, which have procedure to deal with this question. Despite differences over the exact level of protection meta data should legally be afforded, participants agreed that a higher authority should be responsible for the interception, collection, and access to metadata and content data.

In India, because the existing legal framework in India has different standards for different modes of communication, it is proposed that a uniform legal framework be created by harmonizing the three Acts through amendments or overriding existing legislation regulating surveillance in India, and establishing a new framework under a Privacy legislation.

Big Data, Cloud & OTT

In this session a participant raised the issue of Big data and Cloud services, and asked whether the CIS Privacy Protection Bill or the draft Privacy Bill from the government addresses this issue. This question was of particular relevance because a number of the cloud data centres are located in locations outside India. Thus a question of jurisdiction arises. The participant opined that in the coming years and with the new government's vision to have space for every citizen in cloud and data localisation being priority, he stressed that the Bill should clearly address issues related to the cloud, big data, outsourcing, and questions of jurisdiction. Responding to this the chair was of the view that the crimes committed outside the territory of India come under Extra-territorial law, section 4 of IPC and Section 188 Cr. P.C. But it was noted that due to the fact that the crime is committed outside the territory of India, despite the provision, it is practically not implementable unless there is a contract between countries or a treaty signed. The solution could be data localisation, hosting the cloud servers in India, but that again has its own pros & cons. In response participants indicated that if a choice had to be made about data localization - the best option would be one that would be economical for Indian business and the government.

OTT (Over the Top) Services

Another participant brought to the notice of the meeting that most of the networks of service provider's are adopting IP (Internet Protocol). In the context of surveillance, this means that for an interception to take place, Deep Packet Inspection (DPI) must be adopted by service providers. This is currently placing a burden on service providers, as it is costly and the connection time of the calls for the number under surveillance increases - though not enough to be noticed by customers.

Telephone Tapping Process

In India the process of intercepting telephones can be broken down into the following three steps:

1. Authorization

a. The Home Secretary issues an authorization for an interception request.

b. The Authorization is handed over to Police Officer in charge of the investigation.

c. The Police Officer serves the order to the nodal officer in the relevant service provider.

2. The service provider conducts the interception.

3. The intercepted data is handed over to the Police officer.

Under Rule 419A, a committee to review the authorization exists, comprising of officials such as the Cabinet Secretary, Secretary of the Department of Telecommunications, Secretary of the Department of Law and Justice and the Secretary of Information Technology and Communication ministry at the Centre and the Chief Secretary, the Law Secretary and an officer not below the rank of a Principal secretary at the State level.

Since the current infrastructure of telecom and broadband is with private service providers, the government is dependent on service providers to carry out surveillance. As national security is a concern of the government and because in the past intercepted material has been leaked by various sources, the government has proposed to replace the existing system. In this regard the government has proposed to set up a Central Monitoring System (CMS) for the interception of voice and data communications.

It is proposed that the CMS infrastructure will be positioned at the service provider's facilities, and will allow governmental agencies to directly intercept traffic on the network of service providers - thus there would no longer be a need for the government to reply on service providers to carry out interception requests. During the meeting it was discussed how this system has pros & cons

Pros

1. For private companies it eliminates an entire level of compliance.

2. It will reduce the possibility of unlawful, extra legal, & fraudulent authorizations of interception requests.

3. The interception carried out would be maintained in a log, which would clearly recorded, making the interception process becomes accountable.

Cons

1. Even though the existing system gives room for leaks, ironically it is the only way through which a person who is tapped will come to know, hence accounting for some transparency eg: Nira Radia & Amar Singh phone Tap case.

2. CMS will be built upon an existing interception framework, which is not procedurally fair - because of issues such as Internal Authorization, Adhoc procedure, that it is not under the ambit of RTI etc. This will result in a system with no transparency and accountability.

To this last point the Chair noted that in 2011 there were 7.5 Lakh phone taps by a single agency which was reportedly illegal. In an attempt to minimize such brazen violations a Privacy Bill is mooted and the round table conference is a step towards making it possible.

Immunity to TSP's & ISP's

Participants also raised the issue of difficulties that TSPs face while engaged in the process of interception, as they are caught between the customers and government authorities and subjected to harassment sometimes. This places service providers in a position where they must often make a number of compromises as they are expected to store traffic data for a specified period of time, but sometimes a judge might ask for access to data that is dated past the specific retention period. In such a scenario, service providers must provide it by accessing backup data.

The question of who should be the custodian of intercepted data was raised by participants as well as who should be held accountable if intercepted data is leaked into the public domain. The chair responded that the officers investigating the case should be held accountable for the intercepted data. This would be analogous to the system under the Right to Information Act whereby the Information officer is named and held accountable for the data or information he provides. Similarly, for the case of intercepted material, an officer should be named and held accountable for the data and ensuring that it reaches those that it is legally intended to.

It was also expressed that a market regulator, responsible for the safeguarding the interest of communication service providers, could be appointed for handling the personal data. Such a role could be merged with the traditional role of a Data Protection Authority and could be the first step towards an information security and assurance regime.

Legal immunity given to service providers was also discussed, as there was a general concern about the position service providers find themselves in - being held legally liable for not complying with orders from the government and being taken to court by citizens.

Format of Interception Orders and Interception as a service

A question was also posed to participants about what information ideally - apart from the intended duration of the order - should be incorporated into interception orders. Participants suggested that the order should be as specific and precise as possible, which the existing format to a large extent confirms. On the topic, a participant noted that in some cases, despite DoPT guidelines, interception orders are issued in regional languages. This can pose as a problem as the nodal officer might not know the language, thus leading to possible ambiguity & misinterpretation of the order. Participants suggested that orders should be in English.

Participants also pointed out that in most European countries - like France and Italy - a fee for the compliance cost arising out of implementing an interception order is paid to service providers by the government. In India, huge costs are involved in carrying out interceptions which service providers presently have to bare. As law enforcement and security agencies ask for more and more accuracy in surveillance, the charges of carrying out surveillance. To address this, participants suggested that interception as a service should be accommodated in the proposed Bill.

Conclusion

The discussions in the Surveillance and Privacy Roundtable in New Delhi mainly revolved around the authorization model and the process of interception. Overall, participants agreed on an organised executive model with an established accountability and review system. Also discussed was how to ensure that service providers are legally protected from disproportionate and unwarranted penalties. Towards this, the interception process should be viewed as a service rather than an obligation.

Five days ago, CIS received a detailed list of ICANN’s revenues from domain name sales and renewals for the fiscal year ending June 2014. The document, sent to us by ICANN’s India head Mr. Samiran Gupta, lists payments received by ICANN from registrars, registries, sponsors and other entities such as the NRO and Country Code TLD administrators. Such granular information is not available at the moment on ICANN’s website as part of its financial transparency disclosures. A summary has also been provided by ICANN.

This revenue disclosure from ICANN comes on the heels of public and email correspondence between CIS and ICANN staff. At the Asia Pacific Regional IGF (August 3-6, 2014), CIS’ Sunil Abraham sought granular data – both current and historical – on ICANN’s revenues from the domain name industry.

Again, at the ICANN Open Forum at IGF (4 September 2014), Sunil sought “details of a list of legal entities that give money to ICANN and how much money they give to ICANN every year”. In emails to Kuek Yu-Chuang (ICANN’s Asia Pacific head) and Xavier Calvez (ICANN CFO), CIS had asked for historical data as well.

The global domain name industry is a multi-billion dollar industry, and ICANN sits at the centre of the web. ICANN is responsible for the policy-making and introduction of new Top Level Domains (TLDs), and it also performs technical coordination and maintenance of the Internet’s unique identifiers (domain names and IP addresses). For each domain name that is registered or renewed, ICANN receives payment through a complex contractual network of registries and registrars. The domain name industry is ICANN’s single largest revenue source.

Given the impending IANA transition and accountability debates at ICANN, and the rapid growth of the global domain name industry, one would imagine that ICANN is held up to the same standard of accountability as laid down in the right to information mechanisms of many countries. At the ICANN Open Forum (IGF Istanbul), Sunil raised this very point. Had a Public Information Officer in India failed to respond to a request for information for a month (as ICANN had to CIS’ request for granular revenue data), the officer would have been fined and reprimanded. Since there are no sufficiently effective accountability or reactive transparency measures at ICANN, such penalties are not in place.

In any event, CIS received the list of ICANN’s current domain name revenues after continual email exchanges with ICANN staff. This is undoubtedly heartening, as ICANN has shown itself responsive to repeated requests for transparency. But it remains that ICANN has shared revenue data only for the fiscal year ending June 2014, and historical revenue data is still not publicly available. Neither is a detailed list (current and historical) of ICANN’s expenditures publicly available. Perhaps ICANN could provide the necessary information during its regular Quarterly Stakeholder Reports, as well as on its website. This would go a long way in ascertaining and improving ICANN’s accountability and transparency.

**

The documents:

1. ICANN’s domain name revenues in FY14.
2. Summary of revenue information.

The article was published in the Economic Times on November 18, 2014.

Due to the work of activists, popular media coverage, pro-net neutrality technology companies, and John Oliver, eventually the FCC received 1.1 million responses. Text analysis by the Sunlight Foundation using natural language processing found that only 1% of the responses were clearly opposed to net neutrality. So millions of people in the US are both aware and care about this issue. But the general response in India would be: what is net neutrality and why should I be concerned?

Net neutrality is commonly described as the principle of ensuring that there is no discrimination between the different ‘packets’ that an Internet service provider (ISP) carries. That means that the traffic from NDTV should be treated equally by Reliance Infocomm as the traffic from Network 18’s CNNIBN; that even if Facebook wants to pay Airtel to deliver Whatsapp’s packets faster than Viber’s, Airtel may not do so; that peer-to-peer traffic is not throttled; that Facebook will not be able to pay Airtel to keep its subscribers bound within its walled gardens; and also that Airtel can’t claim to be providing Internet access while restricting that to only Facebook or Whatsapp.

The counter to this by telecom companies the world over, which has little evidence backing it, is primarily two-fold: first, one of equity — that it is ‘unfair’ for the likes of YouTube to get a ‘free ride’ on Airtel networks, hogging up bandwidth but not paying them; and second, that of economic incentives — networks are bleeding money due to services like WhatsApp and Skype replacing SMS and voice, and not being able to charge them will lead to a decrease in profitability and network expansion. The first claim is based on a myth of the ‘free ride’, while the reality is that subscribers who download more also pay the ISP more, while contentemitting companies also have to pay their network providers as per the traffic they generate, and those network providers, in turn, have to enter into ‘transit’ or ‘peering’ agreements with the ISPs that eventually provide access to consumers. The second claim has little evidence to back it up. Efficient competition is the best driver of both profit as well as network expansion. VSNL complained about services like Net2Phone in the 1990s and even filtered all voice-over-IP (VoIP) traffic — and illegally blocked a number of VoIP websites — to preserve its monopoly over international telephony. Instead, removing VSNL’s monopoly only benefited our nation. As for network expansion, it is inability of networks to profit from sparsely populated rural areas that poses a major roadblock. Fixing those problems require smart pricing by telecom companies and intelligent regulation, including exploring policy options like shared spectrum, but they do not necessarily require the abandoning of net neutrality.

However, the fact that the reasons telecom companies often provide against net neutrality are bogus doesn’t mean that it’s easy to ensure net neutrality. The Trai has been exploring this issue by holding a seminar on OTT services. However, the main focus of the discussions were not whether and how India should ensure net neutrality: it was on whether the government should regulate services like WhatsApp and bring them under the licence Raj. Yes, the debate going around in the regulatory circles is whether India should implement rules to ensure net non-neutrality so as favour telecom companies! Net neutrality is a difficult issue in regulatory terms since there is no common understanding among academics and activists of what all should fall under its ambit: only the ‘last mile’ or interconnection as well?

The policy dialogue in India is far removed from this and from considering the nuanced positions of anti-net neutrality scholars, such as Christopher Yoo, who raise concerns about the harms to innovation and the free market that would be caused by mandating net neutrality. The situation in India is much more dire, since blatant violations of net neutrality — howsoever defined — are already happening with Airtel launching its ‘One Touch Internet’, a limited walled garden approach that lies about offering access to the ‘Internet’ while only offering access to a few services based on secretive agreements with other companies. Mark Zuckerberg, the founder of Facebook, recently toured India talking about his grand vision of providing connectivity to the bottom half of the pyramid yet did not talk about how that connectivity would not be to the Internet, but will be limited to only a few services — including Facebook.

Even if we had good laws in favour of net neutrality, without effective monitoring and forceful action by the government, they will amount to little. s. Undoubtedly the contours of the conversation that needs to happen in India over net neutrality will be different from that happening in more developed countries with higher levels of Internet penetration.

However it is a cause of grave concern that while net neutrality is being brutally battered by telecom companies in the absence of any regulation, they are also seeking to legitimize their battery through regulation. It is time the direction of the conversation changed. Perhaps we should invite John Oliver over.

Following the NTIA’s announcement of its decision to not renew the IANA Functions contract, ICANN instituted a process in search of an alternative oversight mechanism. The IANA Stewardship Transition Coordination Group (ICG), comprising 30 individuals, is the body set up to accept and coordinate proposals for IANA transition, and after this, to make a final proposal to the NTIA. ICANN claims that the ICG comprises individuals representing 13 different communities and the interests of different stakeholders (direct and indirect), including those of governments, technical community and non-commercial users.

The communities represented in the ICG are as follows:

• ALAC – At-Large Advisory Committee to ICANN
• ASO – Policy making body of ICANN w.r.t. IP addresses
• ccNSO – Policy making body of ICANN w.r.t. ccTLDs
• GNSO – Makes recommendations on gTLDs to the ICANN Board
• IAB – Deals with technical and engineering aspects of the ISOC
• IETF – Deals with the development of standards under the ISOC
• NRO – Policy Advisor to ICANN w.r.t. IP addresses
• SSAC – Advisory body of ICANN, w.r.t. security of naming systems
• RSSAC – Advisory body of ICANN, w.r.t. operation, security and integrity of the Internet’s Root Server System

Now, the ICG has been set up to devise and present to the NTIA, an IANA transition proposal that incorporates views and concerns of diverse stakeholders of the global Internet community. The composition of the ICG is, for this purpose, an indicator of the nature of proposals that may find final favour.

At CIS, we examined the affiliations of ICG members with this in mind. Our assumptions are two-fold: (1) greater the diversity in ICG membership, greater the chance of diverse views being heard and represented, including those departing from the status quo; (2) conversely, if the ICG members have histories of affiliations to existing centres of power in global Internet governance (say, the I* organisations), chances of status quo being maintained are greater.

Our findings are presented in tabular format below:

(X – Unknown number of years spent in the organization)

(† - To serve on the GNSO Council from November 2015.)

As you will have noticed, 20 out of 30 ICG members (66.67%) have occupied positions in seemingly different organizations, but in actuality, these are organisations with very close links to each other. We see not 13, but 2 organizations that all the communities seem to be affiliated to, i.e., ICANN and ISOC. It seems all too ironic that the body that has been allocated the task of the IANA functions’ transition, in line with the ‘multi-stakeholder’ model, is itself representative of only 2 organizations.

A prodding into the histories of these 30 members from ‘varied’ backgrounds reveals that most of them have rotationally served in the I-Star organizations. A close reading of their bio-data (from their ICANN and LinkedIn pages) reveals our findings on the number of years several of the members of the IANA Stewardship Transition Cooperation Group, have spent at the I-Star organizations.

It is not rocket science to recognise the power the I* organisations have over Internet governance today. Indeed, ICANN tells us that the I* run the Internet. They are the leaders of the status quo.

But the IANA transition is anything but an affirmation of the status quo. Stakeholders and participants in IANA transition (in the CWG, CRISP and IETF) have raised serious concerns about the desirability of IANA continuing within ICANN, and about ICANN’s (inadequate) accountability and transparency. True, ICANN has instituted processes to enable discussion on these issues, and the ICG is part of the process. It is entrusted with the momentous task of shifting from the status quo of the IANA Functions contract to a new mechanism of oversight. Given its composition, an assumption that the ICG may have vested interests in maintaining status quo is not out-of-the-way. In fact, some members of the ICG have previously made statements to the effect that Internet is not broken, and it does not need fixing. This poses a real danger to the IANA transition process and the global Internet community must demand safeguards.

Lakshmi Venkataraman performed the revolving door analysis on the ICG. She is a IV year at NALSAR University of Law and an intern at CIS during December 2014. Geetha Hariharan assisted in writing this post.

Introduction:

The Information Technology Act, 2000 (“IT Act”) is no stranger to litigation or controversy. Since its enactment in 2000, the IT Act has come under stringent criticism, both for the alleged Constitutional infirmities of its provisions and Rules, as well as for the way it is implemented. In recent years, Sections 66A (re: criminal liability for offensive, annoying or inconveniencing online communications), 67A (re: obscene 69A (re: website-blocking) and 79 (re: intermediary liability) have all come under attack for these reasons.

Today, these Sections and several others have been challenged before the Supreme Court. A total of ten cases, challenging various Sections of the IT Act, are being heard together by the Supreme Court. This is a welcome occasion, for the IT Act desperately needs judicial review. Nikhil Pahwa over at Medianama provides an update and the list of cases.

Among the challenged provisions are Section 66A, Section 79 and Section 69A. Section 66A was and continues to be used wantonly by the State and police. A student was recently arrested for a Twitter comment regarding Cyclone Hudhud, while anti-Modi comments led to several arrests earlier in the year (see here, here and here). At CIS, we have previously subjected Section 66A to constitutional analyses. Pranesh Prakash traced the genealogy of the Section and its import in targeting offensive, annoying and inconveniencing communications and spam, while Gautam Bhatia examined the Section’s overbreadth and vagueness. The casual wording and potential for misuse of Section 79 and the Information Technology (Intermediaries Guidelines) Rules, 2011 led Ujwala Uppaluri to offer strong arguments regarding their violation of Part III of the Constitution.

Similar infirmities also handicap Section 69A and its Rules. This provision empowers the Central government and officers authorised by it to order the blocking of websites or webpages. Website-blocking is permissible for reasons enumerated in Section 69A, and in accordance with the process laid out in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public (sic)) Rules, 2009 (“Blocking Rules”). In our view, Section 69A and the Blocking Rules are also unconstitutional, and liable to be declared as such by the Supreme Court. We provide our analysis in this post and the next.

Section 69A, IT Act:

Section 69A and the Blocking Rules provide for website-blocking in accordance with enumerated reasons and process. The Section reads as follows:

69A. Power to issue directions for blocking for public access of any information through any computer resource.-

(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2) for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.

(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.

(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

As you will notice, the Central government may block any information that is “generated, transmitted, received, stored or hosted” in any computer. This will extend, clearly, to any webpage available and/or hosted in India. The Government can order website-blocks if it is satisfied of the necessity or expedience for this on the basis of (any of) six reasons. These reasons are:

1. Sovereignty and integrity of India,
2. Defense of India,
3. Security of the State,
4. Friendly relations with foreign states,
5. Public order,
6. Preventing incitement to the commission of any cognizable offence relating to above.

If the Central government is convinced it has a valid reason, then it must follow the blocking procedure set out in the Blocking Rules, which were notified on 27 October 2009. Before entering into an analysis of the Blocking Rules, let us understand the blocking procedure.

The Blocking Procedure:

I will explain the blocking procedure in 4 steps: (1) Relevant designations and committees; (2) Procedure to make and examine a blocking request, and issue blocking direction; (3) Blocking in special circumstances; and (4) Review of blocking directions.

(1) Relevant designations and committees:

Designated Officer (“DO”): The Central government notifies an officer not below the rank of Joint Secretary as the Designated Officer, who will issue the blocking direction ot the relevant intermediary or agency [Rule 3]. By a notification dated 20 January 2010, the DO is the Group Coordinator, Cyberlaw Division, Department of Information Technology (DIT). Unfortunately, I was unable to locate the Group Coordinator, Cyberlaw Division on the website of the Department of Electronics and Information Technology (DeitY, the name to which DIT was renamed in 2012). I am also unable to find a notification updating the designation of the DO. Presumably, Dr. Gulshan Rai, Director General (Cyberlaws & E-security), DeitY, continues to be the DO.

Nodal Officer (“NO”): Every organization designates one of its officers as a Nodal Officer, who will receive blocking requests and forward them to the DO [Rule 4]. ‘Organisation’ is defined in Rule 2(g) as Ministries or Departments of the Government of India, State governments and Union Territories, and any Agency of the Central government notified in the Official Gazette. I am unable to find on the DeitY website a notification explaining which government Agencies are ‘organisations’ under Rule 2(g).

Intermediary Contact: Every intermediary also designates one person to receive and handle blocking directions from the DO [Rule 13].

Committee for Examination of Request (“CER”): The 5-membered CER comprises the DO as Chairman, along with officers not below the rank of Joint Secretary from the Ministries of Law & Justice, Home Affairs, Information & Broadcasting and CERT-In [Rule 7]. The CER examines each blocking request, before issuing recommendations to the DO to block or not to block. Regrettably, I am unable to identify the current membership of the CER, as no document is available that gives this information. However, the CER’s composition in 2010 may be gleaned (see Annexure III).

Review Committee (“RC”): Rule 2(i) defines the RC as the body set up under Rule 419A, Indian Telegraph Rules, 1951. As per Rule 419A(16), the Central RC is constituted by the Cabinet Secretary, Secretary to the Government of India (Legal Affairs) and Secretary (Department of Telecom).

(2) Blocking procedure:

The Blocking Rules stipulate that the entire blocking procedure, from examining a blocking request to issuing a blocking direction, must be carried out within 7 days from the date on which the DO receives the blocking request from the NO [Rule 11].

(a) Making a blocking request: Any person may send a request for a website-block to an NO of any ‘organisation’ (“outside request”). Alternatively, the NO may himself raise a blocking request. The organization has to examine each outside request and be satisfied that it meets the requirements of Section 69A(1), IT Act. Once it is satisfied, the NO forwards the blocking request to the DO. Outside requests must be approved by the Chief Secretary of the State or Union Territory, before they are sent to the DO. [See Rule 6 for this procedure]

(b) Examining a blocking request: Once the DO receives a blocking request, he/she places it before the CER. The DO tries to identify the person/intermediary hosting the troubling information, and if identified, issues a notice seeking their representation before the CER. Foreign entities hosting the information are also informed over fax/email. The person/intermediary has 48 hours from the date of receiving the DO’s notice to make its representation.

After this, the CER will examine the blocking request. It will “consider whether the request is covered within the scope of Section 69A(1)”, and whether it is justifiable to block [Rule 8(4)].

(c) Blocking direction: The DO then places the CER’s recommendation to block or not to block before the Secretary (DeitY) for his/her approval. If and once approval is granted, the DO directs the relevant Agency or intermediary to block the website/page.

(3) Blocking in special circumstances:

(a) Emergencies [Rule 9]: In an emergency “when no delay is acceptable”, the DO passes over the blocking procedure described above. With written recommendations, the DO directly approaches the Secretary (DeitY) for approval of blocking request. If satisfied, the Secretary (DeitY) issues the blocking direction as an interim measure. Nevertheless, the DO is required to place the blocking request before the CER at the earliest opportunity (in any case, not later than 48 hours after blocking direction).

(b) Court orders [Rule 10]: If a court has ordered a website-block, the DO follows a procedure similar to an Emergency situation. He/she submits the certified copy of order to the Secretary (DeitY), and then initiates action as ordered by the court.

(4) Review of blocking directions:

The RC is to meet once in 2 months to evaluate whether blocking directions issued under the Blocking Rules are in compliance with Section 69A(1) [Rule 14]. No other review or appeal mechanism is provided under the Blocking Rules. Nor are aggrieved parties afforded any further opportunities to be heard. Also note that Rule 16 mandates that all requests and complaints received under the Blocking Rules are to the kept strictly confidential.

In the next post, I will subject Section 69A and the Blocking Rules to a constitutional analysis.

Blocking procedure poster:

CIS has produced a poster explaining the blocking procedure (download PDF, 2.037MB).

I. Introduction

The nuances of privacy have been deliberated by numerous scholars till date, without arriving at a definite answer. It has been perceived as a right to be left alone, as mere secrecy, as the right to a legitimate area of seclusion and solitude. Privacy is a particularly nebulous concept, with a tendency of resting on intuitionist arguments. However, finding refuge in intuitionist arguments has not lent to a clear understanding of the term itself. This presents a peculiar predicament; while privacy is demanded, nobody seems to have a clear understanding of what it truly means. Daniel Solove opines that privacy is a concept in disarray, it is about everything and hence it seems to be about nothing. Solove finds agreement in a variety of literature, where privacy has been described as a "chameleon-like word", a term suffering from an "embarrassment of meanings", a "powerful rhetorical battle cry".

Traditional notions such as bodily privacy, privacy within one's home, or privacy resulting out of private property are received with far less scepticism than more recent aspects of privacy. With the burgeoning increase in information exchange, the ambit of privacy concerns is widened but not always understood. While earlier notions of privacy confined themselves to physical intrusions, it is now possible to invade a person's privacy without physically intruding on their space. As capabilities to intrude on privacy increase, the demand for respecting privacy grows stronger. In their historic article, Warren and Brandeis referred to privacy as an incorporeal notion, referring to cases of defamation, proprietary harms, contractual harms, breach of confidence to conclude that all such cases belonged to an umbrella principle of the right to privacy.

I.II Aspects of Privacy

William Prosser, a torts scholar, in 1860 attempted to classify privacy comprehensively. He contemplated four kinds of activities as impinging on a person's privacy. They were
1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.
While this classification lent some structure to the understanding of privacy, it restricted itself to only tort law.

A wider taxonomy was offered by Daniel Solove, imbibing concerns of digital privacy and information technology. Focussing on activities that invade privacy, Solove argued that information collection, aggregation of information, dissemination of such aggregated information and invasion into people's private affairs are the aspects integral to understanding the privacy concerns of a data subject.

In its policy paper on privacy in India, the Data Security Council of India (DSCI) recognised privacy issues in the context of e-commerce, transactional privacy, cyber crime, national security, and cross border data flows. Similarly the Department of Personnel and Training (DoPT) in 2011 focussed on understanding privacy in the context of data protection and surveillance. Subsequently, in 2012, the Planning Commission of India set up the A.P. Shah Committee to look into issues of data protection. This Committee classified the dimensions of privacy into four main categories; interception and access, audio and video recording, access and use of personal identifiers, and bodily and genetic material.

The classification of privacy for the purpose of this paper is under the heads of bodily privacy, informational and communications privacy, and territorial and locational privacy. Bodily privacy stems from the notion of personal autonomy and inviolate personality. Battery, rape, voyeurism are all examples of the recognition of the need to protect the privacy of one's body. Communications and informational privacy refers to the protection of sensitive personal information, specific communications and private conversations. Interception of messages, spying, hacking or tapping phone lines are all activities that impinge on privacy under this head. India's ambitious biometric project, Aadhar, has brought to the fore concerns surrounding personal information. Territorial privacy is developed from the notion of private property, the tort of trespass being ample recognition of the same.

I.III Is India a Private Nation?

In October, 2010, the government published an approach paper for legislation on privacy. In explaining the need for privacy legislation in India, the paper states,

"India is not a particularly private nation. Personal information is often shared freely and without thinking twice. Public life is organized without much thought to safeguarding personal data. In fact, the public dissemination of personal information has over time, become a way of demonstrating the transparent functioning of the government."

The notion of privacy being a foreign construct carves the argument that legislation on privacy would mean subjecting India to an alien cultural value. However, this ignores the possibility of privacy being culturally subjective. Cultures have exhibited different measurements by which they measure public and private realms. This paper aims to demonstrate that while the word "privacy" does not find explicit reference in traditional Indian law, the essence of privacy as we understand it today has existed in traditional Indian culture, specifically Indian Islamic culture, pre-dating colonialism in India and modernity in India's legal system.

I.IV Displacement of traditional Indian Law

Contemporary Indian law functions within a rubric that was constructed after the "expropriation" of traditional law. India's colonial legacy rendered the displacement of traditional Indian law with a unified modern legal system abounding in European ideas of modernity and legal systems, leaving it is a state of "fractured modernity". Before the British rule, Indians were governed by their personal laws and these laws did not aim to unify the nation in ways that Western legal systems did.. The decision to establish a modern legal system stemmed from the desire to administer the law as a function of the state, which would have been impractical at best in the absence of a unified legal system.

Edward Said eloquently states that the colonial experience does not end when the last European flag comes down or when the last white policeman leaves. One cannot help but agree with Said, as the understanding of law in contemporary India is constructed on the principles of the English common law and on ideas of a modern legal system. While the word "privacy" does not arise in traditional law, this paper argues that the notions of privacy as we perceive it today did exist hitherto the modernization of India's legal system.

I.V Structure of the paper

While Part I has laid down the foundation of this paper and the arguments it endeavours to make, Part II explains the sources of Islamic law and attempts at locating privacy in them. It also explains certain pervasive concepts that will enhance an understanding of privacy in Islamic law. This paper restricts itself to Sunni Islamic law. Part III gives an indication of privacy rights in India's neighbouring Islamic countries (both predominantly Sunni), Pakistan and Bangladesh; and highlights the legal framework for privacy in these countries.

II. Privacy in Islamic Law

II.I Sources of Islamic Law

Before locating aspects of privacy in Islamic Law, an understanding of its structure and sources will be helpful. Islamic Law is composed of Shariah, and fiqh. Shariah indicates the path a faithful Muslim must undertake to attain guidance in the present world and deliverance to the next. Fiqh, the jurisprudence of Islam, refers to the rational understanding of Shariah and human reasoning to appreciate the practical implications of Islam. While Shariah is divine revelation, fiqh is the human inference of Shariah.

The principle tenet of Islam is unwavering obedience to the teachings of God. According to Muslim belief, the Quran is the divine communication from Allah to the Prophet of Islam. It is the foremost record of the word of God, and for this reason is considered the apex source of Islamic law. It is in the Quran that basic norms of Shariah are found, and it embodies the exact words of God as was revealed to the Prophet over a period of 23 years. Fiqh, or the understanding of Shariah, also finds its origins in the holy Quran.

The Sunnah or Prophetic traditions are the ingredients for the model behaviour of a Muslim as demonstrated by the Prophet. It is a "way, course, rule, mode, or manner, of acting or conduct of life." The Sunnah were compiled through the communications of Prophet Muhammad in the form of Hadiths which are communications, stories or conversations; and may be religious or secular; historical or recent. The narrators of the Hadith are known as "isnad" who convey the "matn" or the substance of the Prophet's actions or words as narrated through oral communications through the years. Due to its very nature, the accuracy of the Sunnah came under considerable scrutiny, with concerns as to its possible fabrication and dilution. However, with a well devised system of recording and verifying sources, the Sunnah accompanies the imperative source of Islamic law, the Quran.

The other sources of Islam are found in human reasoning, or ijtihad. Ijtihad assumes a variety of secondary sources such as analogical reasoning (Qiyas), unanimous consensus (Ijma), decisions in favour of public interest (isthihsan), and presumption of continuity (istishab).
Ijtihad entails a resilient effort; an exertion in interpreting the primary sources in order to understand Shariah, to infer the law which is not explicit or evident. The legitimacy of Ijma is found in the Prophetic tradition, which states that the followers of Islam would never agree on an error, and will never unite on misguidance.

The Quran and Sunnah lie at the pinnacle of Islamic jurisprudence and their authoritativeness lends a ready inference of legal principles derived from them. In exploring the concept of Privacy in Islamic Law, this paper will focus mainly on the material available in the Quran and Sunnah.

II.II The Public and Private in Islam

According to the doctrine of Shariah, every aspect of life is deemed to be private unless shown otherwise. The public sphere is that in which governmental authority operates, making it both transparent and open to scrutiny and observation. Since its inception, Islam has considered the idea of governance with reasonable scepticism, ascribing to the view that there is no concept of a human ruler beyond reproach. This perhaps gave impetus to the idea of a private sphere as one that is inhabited exclusively by an individual and the divine, excluding any interference of the State; except with permission from religious law. In Islamic belief, a pious individual had submitted himself to God, and not the worldly State. Hence, all aspects of his life will align with the tenets of Islamic law and in pursuance with the will of God. Any failure to perform religious duties on the part of a Muslim is beyond the scope of another; it is only a consideration between him and the divine. It is believed that the Prophet said, "Those, who acknowledge God in words, and not at heart, do not find fault with their fellow Muslims. The wrongdoing of those who do so become the subject of God's scrutiny, and when God looks into someone's wrongdoing then all shall be truly exposed" The individual is bestowed with complete freedom of action in the private sphere, subject only to the will of the divine. To govern another is wholly beyond the capacity of any individual, and this forms a pervasive theme in Islamic jurisprudence.

Islamic Law recognizes that it is inevitable for every society to impose certain requirements on individuals both by the law and by societal norms. In respect of a public domain, Islam prescribes an amalgam of requirements of a Muslim community and the teachings of Islam. While committing sins in private is beyond the scope of public or governmental scrutiny, committing a sin in public amounts to a crime, meriting worldly punishment.

Islamic law provides for an individual's obligations to the divine at all times, and to the state in matters within the public domain. This is the most striking difference between Islamic law and modern law, as the function of enforcement of the law and punishment are forfeited to the state in a modern legal system, by virtue of the social contract. However, in Islamic societies, the concept of social contract does not exist. Instead, an individual's obligations lie to the state only if acts meriting worldly punishment occur in the public sphere. It is this distinction in the obligations of individuals that leads to conflicts between the application of Islamic law and modern law.

The Quran is replete with rules for all believers to ordain good and forbid evil (al-amrbi al-Ma'rufwa al-nahy 'an al-munkar'). This divine injunction is a restriction of freedom in the private sphere. The notion of privacy in the public sphere was tested through the office of the muhtasib, or compliance officer. These officers were appointed to ensure that the quality of life is preserved in Islamic societies. Personal or private matters which were visible in the public realm were liable to scrutiny from the muhtasib as well. However, this does not extend to matters such as surveillance and spying even on the authority of the state. The Prophet, according to the hadith of Amir Mu'awiyah remarked, " If you try to find out the secrets of the people, then you will definitely spoil them or at least you will bring them to the verge of ruin." In fact, modern jurists admonish the idea of surveillance as "exactly what Islam has called as the root cause of mischief in politics."

II.III. Privacy in Islamic Law

Bodily Privacy

The sanctity of one's bodily privacy is well recognised in Islamic Law. The Quran (24:58) demarcates certain periods in a day which are times of privacy for an individual, and indicates the need for prior permission before one may enter the private sphere of another. These periods are before the prayer at dawn, during the afternoon where one rests, and after the night prayer. This verse also calls upon children who have not yet reached the age of puberty to get accustomed to asking for permission before entering rooms apart from their own.

As far as bodily seizure of individuals accused of crimes goes, the Traditions indicate a general disinclination towards pre-adjudication restraint of individuals. The very occurrence of it appears to be a cause of discomfort as recorded in the Traditions. One of the Prophet's closest companions, Umar, is believed to have encourages officials to speed up adjudication processes so that the accused could not be deprived of the comfort of their homes and families.

bodily privacy and modesty

Although the Quran stipulates gender equality, the norms of bodily privacy and modesty applicable to men are far less rigorous than the rules of modesty that apply to women. While staring is not contemplated as a crime in modern jurisdictions, the Quran directs "believing men to lower their gaze and be modest." At the same time, it directs women to adhere to strict rules of clothing and conduct, with directions on how to conduct oneself both in private as well as public. Interestingly, with the use of full-body scanners at airports around the world, the bodily privacy of Muslims came to the forefront with several Muslim scholars opining that such use of scanners was in direct violation of the tenets of Islam. According to the Quran, the modesty of a Muslim woman is an indication of her faith.

Communication and Informational Privacy

Privacy is, in many ways, inextricably linked to the notions of personal autonomy, and inviolate personality. Privacy in matters apart from those concerned with proprietary interests was only developed as a legal idea around the ninth century, although the Quran made ample references to it. Whilst the term "privacy" is not directly alluded to in the Quran, it contains verses emphasizing the importance of respecting personal autonomy. The Quran (49:12) rebukes those who wish to pry into matters which do not concern them, or harbour suspicions in respect of others, conceding that some suspicions can even be considered crimes. This implies an injunction against investigation; which complements the prohibition of circulation of information pertaining to an individual's private sphere (24:19). According to this verse, publication of immorality is desirous of punishment. A reasonable conclusion from the reading of these verses is that the Quran mandates respect for the private sphere, guaranteeing that a faithful believer will not violate it. The Prophet is reported to have said that non interference of individuals in matters that do not concern them is a sign of their good faith. Interestingly, the injunction against unwarranted search is for all members of a Muslim community, not just followers of Islam. An extension of the concept of informational privacy is the privacy of one's opinion, which is believed to be beyond reproach regardless of its contents. Deeds in the public sphere can be subject to worldly punishment, but thoughts and opinions everywhere, are not subject to it.

The Sunnah have also emphasized on privacy in communications. The Prophet once said, "He, who looks into a letter belonging to his brother, looks into the Hellfire" , indicating that private communications shall enjoy their privacy even in the public domain. This is evident from another saying of the Prophet,"Private encounters result in entrustment", which entails a restriction on communications arising out of private meetings.

Territorial Privacy

Domestic privacy is considered an important facet of Islamic life and this idea pervades different aspects of Shariah. Privacy in regard to proprietary interests was in fact the first legal conception of privacy recognised by Muslim jurists. The Quran (24:27-8) forbids entering another's house in lieu of permission to do the same. It seeks to ensure that a person visiting another's house is welcome in that house; reminding individuals of their rights during such visits. Further, the Quran (2:189) envisions visits made to other's houses only through the front door, indicating respect and transparency in visiting another's dwelling place. Muslim scholars are of the opinion that such rules were laid down in order to safeguard one's private sphere; to allow people to modify their behaviour to accommodate a visitor in a private domain. Clarifying the reasons for such rules, a jurist offered the following explanation, "The first greeting is for the residents to hear the visitor, the second is for the residents to be cautious( fa-ya khudhu hidhrahum),and the third is for them to either welcome the visitor or send him away."

Privacy in the domestic sphere extends to both physical privacy as well as intangible privacy. The Prophet opined that if one's gaze has entered into a private home before his body does, permission to enter the home would be redundant. This follows from the idea that if a person curiously peeps into another's home, it is equivalent to him entering it himself. The right to privacy is extended to absolve the home owner of any guilt in the event of attack on the intruder. Curiously, the right to privacy within one's home is extended to privacy in respect of sinful behaviour within his private sphere; the accountability of a Muslim to his fellow humans is only to be discerned in respect of his public actions. This is illustrated by an interesting story in the Hadith of Umar ibn al-Khattab. Khattab climbed the wall of a house on the suspicion of wine being consumed within the premises. On his suspicion being confirmed, he chided them for their conduct. They then reminded him that while he pointed out their sins, he himself was guilty of three sins; spying on them, failing to greet them and also not approaching their house through the front door. He agreed with them and walked away.

The rationale behind recognising privacy in the domestic sphere is not just illegal intrusion into one's physical space; it is also intrusion into matters of sensitivity which widens the scope for privacy in Islamic Law.

III Privacy in Shariah Based States

Locating aspects of privacy is Shariah-based states is particularly challenging due to the duality of obligations that exists in their legal framework. While Islamic law focuses on obligations of individuals to the divine in all affairs and the state only in public matters, legal obligations in modern states are understood vis-à-vis the state only. The incorporation of Islam into these modern legal systems represents the attempt at reconciling two distinct sources of law. This Part will consider the legal frameworks for privacy in Pakistan and Bangladesh.

III.I Pakistan

Islamic law has had a profound impact on the legal system of Pakistan. This Islamic Republic integrates Shariah law into its common law system, as is evident from Article 227(1) of the 1973 Constitution of Pakistan ("the 1973 Constitution"). It reads, " All existing laws shall be brought in conformity with the Injunctions of Islam as laid down in the Holy Quran and Sunnah, in this Part referred to as the Injunctions of Islam, and no law shall be enacted which is repugnant to such injunction". In addition to the Constitutional safeguards, General Zia-ul-Haq, between 1977 and 1988 provided great impetus to Pakistan's process of incorporating Islam into its common law system through the establishment of appellate religious courts and also enactment of the Hudood criminal law, which was consequently criticized for being discriminatory and arbitrary.

Constitutional Provisions

Enshrined in the 1973 Constitution is the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. While referring to the rights of individuals, Article 4(1) lays down, "To enjoy the protection of law and to be treated in accordance with law in the inalienable right of every citizen. Wherever he may be, and of every other person for the time being within Pakistan." While aspects of privacy can be read into this Article quite emphatically, the 1973 Constitution explicitly recognises the right to privacy, dignity and the inviolability of persons in Article 14(1),"The dignity of man, subject to law, the privacy of home, shall be inviolable". The sanctity of these rights is vigorously upheld as laws inconsistent with fundamental rights are declared to be void to the extent of their inconsistency.

Bodily Privacy

The 1973 Constitution recognises the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. The Pakistan Penal Code (Act XLV of 1860) refers to the protection of privacy of women in Section 509, upholding the modesty of women.

Communications and Informational Privacy

The Pakistan Telecommunication (Re-organisation) Act 1996 enables investigating authorities under the Act to take cognizance of illegalities in communications. These authorities submit their reports to the courts, ensuring the accountability of such events, as well as legitimising search and seizure in pursuance of intercepted communications. The Act also makes arrangements for authorised interception of communications in cases of national security, although the wide and sweeping powers bestowed under this Section are a cause for concern. Moreover, any person causing annoyance to another through a telephone is liable to criminal punishment under the Telegraph Act, 1885.

Medicaland Financial information is recognised as a unit of privacy in the legal system of Pakistan. The delicate balance between transparency of government action and extent of privacy of information is struck in the Freedom of Information Ordinance, which exempts divulging information regarding personal privacy of individuals, private documents and financial privacy.

As far as digital privacy is concerned, the law in Pakistan is still at a nascent stage. In 2000, Pakistan implemented the National Information Technology Policy and Action Plan, which provided for confidentiality of transactional information. In 2002, an Electronic Transactions Ordinance was passed with a view to recognise and protect electronic transactions, setting up a framework within which privacy of information can be guaranteed and authenticity can be verified. There is no devoted law on data protection yet, although a Draft Electronic Data Protection Bill was published by the Ministry of Information in 2005.

Territorial and Locational Privacy

Akin to notions of privacy of the home in Islamic law, criminal trespass is a punishable offence under the Pakistan Penal Code. Pakistan has an unfortunately intimate relationship with terrorism. The Anti Terrorism Act of 1997 incorporates some provisions which raise concerns as to the sanctity of individual privacy. The Act allows an officer of police, armed forces or civil armed forces to enter and search any premise, and to seize any property they suspect to be connected to a terrorist act, without a warrant. Perhaps what is more worrying is that the entry of an officer is not subject to review, unlike in other Islamic countries like the United Arab Emirates. The trade off between personal liberties and national security is acutely felt in Pakistan, with intelligence agencies carrying on mass surveillance, without any legal framework providing for the same.

III.II Privacy in Bangladesh

Bangladesh identifies itself as a secular nation, although Islam is the state religion. The Constitution of Bangladesh uses the word privacy in the context of both territorial and communications privacy.

Bodily Privacy

The Bangladesh Penal Code, similar to Pakistan's, contains a section guaranteeing the bodily privacy of a woman and prohibiting any form of outraging her modesty. It criminalises assault, and also provides for private defence in case of assault.

Communications Privacy

The privacy of communications is subject to interception for the purpose of public safety, as envisaged in the Telegraph Act, 1885. It also contains provisions regarding unlawful interception of messages, as well as tampering or damaging communications. The Telecommunications (Amendment) Act 2006 gives the police sweeping powers to intercept mobile communications as well. However, a notice was issued to the government after this amendment to demonstrate its legality. Bangladesh also has the Right to Information Act, 2009 to promote transparency in governance, although it has a considerable number of agencies exempt from the Act as well. Provisions for cyber crime are enshrined in the Information and Communication Technology Act, 2006.

Territorial Privacy

In the context of territorial privacy, the Bangladesh Penal Code recognises criminal trespass, house trespass, lurking house trespass and house breaking as offences under Bangladeshi law.

IV. Conclusion

Privacy is a comprehensive term that entails a plethora of claims, making an exact definition of the term difficult to come by. In the absence of an explicit reference to privacy in the Indian Constitution, the Supreme Court has brought the right to privacy within the penumbra of Article 21 through various case laws. In 2010, the Government in its approach paper on privacy claimed that India is not a particularly private nation. In order to comprehensively understand India's modern legal framework, it is imperative to analyze the concepts of traditional law as they existed hitherto the colonial era. Although the term "privacy" is a modern construct, this paper has sought to demonstrate that the notion of privacy was well recognized and protected in traditional Islamic law.

From the discussion above, it is evident that the concept of privacy in Shariah law rests convincingly within the taxonomy adopted in this paper. The Quran and Hadith accommodate concerns surrounding private property, personal autonomy, protection of private communications, domestic life, modesty and the modern idea of surveillance. In addition to this, Islamic jurisprudence ascribes to the idea of a public and private sphere. The public sphere is occupied by society and governmental action, being liable to scrutiny and observation. On the other hand, the private sphere is occupied by the individual and the divine alone, free from any interference except in accordance with Shariah law. Inspite of the term "privacy" not finding explicit mention in the Quran or Hadith, a closer analysis of Shariah reveals privacy as a pervasive theme in Islamic jurisprudence.

Written by Prachi  Arya and Kartik Chawla
Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra

Click to download the PDF

Executive Summary

India has one of the largest telecom subscriber base in the world, currently estimated at 898 Million users.^[1] With over 164.8 Million people accessing the internet ^[2] in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.^[3]

While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.^[4] Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.

The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.

The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel, and ACT incorporate a number of such safeguards though not all. On the other hand BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.

Introduction

The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) ^[5] pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobiles phones. ^[6]

Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect and customer data as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a quid pro quo by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.

In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. ^[7] In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.

However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have adequate personal data protection regime. ^[8] The main Indian legislation on the personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which extends the civil remedy by way of compensation in case wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,^[9] for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.

Objective, Methodology, and Scope of the Study

Objective of Research

This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India, align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.

Methodology

The Privacy Policies^[10] of seven identified service providers are sought to be compared vis-a-vis - the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.

Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on of the essential principles of the Rules respectively, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.

Scope

Criteria for selection of companies being studied

For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on this basis of categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.

The privacy policies of the following service providers have been analyzed:

1. State Owned Companies^[11]

a. BSNL^[12]: Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, inter alia, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. ^[13] It had a monopoly in India except for Mumbai and New Delhi till 1992.

b. MTNL^[14]: Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New-Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, inter alia, Telephone, Mobile, 3G, and Broadband services. ^[15]

2. Multinational Companies

a. Bharti Airtel Ltd:^[16] Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. ^[17] The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.[18]

b. Vodafone^[19]: Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. ^[20] The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994^[21], and it bought out Essar's share in the same in the year 2007.^[22] As of today, it has the second largest subscriber base in India. After Airtel, ^[23] Vodafone is the largest provider of telecommunications and mobile internet services in India.^[24]

3. Joint Ventures

a. Tata Teleservices^[25] - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. ^[26] Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between and Tata Group and Sky. ^[27]

b. Aircel^[28]: Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communication Berhard in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. ^[29] Aircel provides telecommunications and mobile internet services in the aforementioned regions.

4. India based Companies/Domestic Companies -

a. Atria Convergence Technologies (ACT)^[30]: Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.

Overview of Company Privacy Policy and Survey Results

This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.

Vodafone

Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.

Vodafone's privacy policy is accessible online, however, it does not include a copy of its policy with a customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.

There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.

The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.

Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.

With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report, however this goes unmentioned under its privacy policy

Tata Teleservices Limited

Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.

The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information and website usage from its customers.

The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number, however a customer may ask for his/her information to not be published on payment of a fee.

As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and in addition, TTL, has a separate Appellate Authority to deal with consumer complaints.

TTL does not follow any particular security standard for the protection of subscriber information, however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.

Airtel

Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case, certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by its Airtel's guidelines on the secrecy of information.

While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information.

Aircel

Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.

Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that is collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.

In the privacy policy, the stated purposes for use of subscriber information is limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.

In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does however, provide for accountability in cases of breach or privacy.

Atria Convergence Technologies

Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policies refers to disclosing information for the purpose of assisting with investigating, preventing, or take action on illegal behaviour - there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.

BSNL

BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A .

BSNL's privacy is accessible online, though not on the website, and is easy to understand. The policy does not however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent and with respect to marketing communications and a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend mailing and billing services and market research services.

As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, government agencies.

With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information, however no further contact details are given.

MTNL

MTNL does not provide a publicly available Privacy Policy.

Observations

This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.

1. Access and Location of Privacy Policy

Applicable Rule and Principle: According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on their website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate, regarding changes to their privacy policies.^[36]

Observation : In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:

a. Privacy Policy on main website: Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.

b. Privacy Policy not on website : MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.

c. Privacy Policy not accessible through main website : TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, The Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. ^[37]

d. Privacy Policy not included in Customer Application form : Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on its website's homepage. For example, Airtel is the only Service Provider that refers to their privacy policy in the Customer Application Form for an Airtel service.

e. Collection of personal information before Privacy Policy: In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email Id. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.

2. Sharing of information with Government

Applicable Rule and Principle: Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.

Observation : Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:

a.) Listing circumstances for disclosure to law enforcement : The Privacy Policy of ACT states "We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person". ^[38] The Privacy Policy of Airtel on the other hand states "Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences." ^[39] Lastly, TTL states " To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay". ^[40]

b.) Listing authorities to whom information will be disclosed to : The privacy policy of Aircel states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".^[41] Similarly, Vodafone states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India." ^[42] While BSNL states "Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".^[43]

3. Readability of Privacy Policies

Applicable Rule and Principle : In subsection (i) of Rule 4 body corporate must provide a privacy policy that is "clear and accessible". Similarly, the Notice Principle requires that the data controller give a " simple-to-understand notice of its information practices to all individuals, in clear and concise language".

Observation : It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:

a. Vague terminology: For example, in the Privacy Policy of ACT, it states as a purpose of collection "conduct research" while for the collection and disclosure of information it states ,"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you." ^[44] Similarly, with regards to the collection of information, Vodafone's Privacy Policy states that it may collect "any other information collected in relation to your use of our products and services". ^[45]

b. Undefined terminology: On disclosure of information TTL's privacy policy states disclosure is "Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)" ^[46] Confusingly, although TTL defines CPNI it does not mention what legal restriction it is referring to, and CPNI is in fact an American term and similar legal restrictions could not be found in India.

4. Information about security practices

Applicable Rule and Principle: The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.

Observation : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:

a. Comprehensive information about security practices in privacy policy: Airtel and Aircel have provided comprehensive information about their security practices in the companies Privacy Policy.

b. Information about security practice, but not in privacy policy: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.

c. Broad reference to security practices: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only "we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL." ^[47]

d. No information about security practices: Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.

5. Grievance mechanisms

Applicable Rule and Principle: Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.

Observation : It was found that adherence with this requirement varied depending on service provider. For example:

a. No Grievance Officer: ACT and MTNL do not provide details of a grievance officer on their websites.

b. Grievance Officer, but no process details: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.

c. Grievance Officer and details of process: Aircel provides details of the grievance officer and grievance process.

As a note: All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. ^[48] It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.

6. Consent Mechanism

Applicable Rule and Principle : Rules 5 and 6 of the Rules^[49] on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. ^[50] Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules^[51] and the National Privacy Principles ^[52].

Observation: Methods of obtaining consent and for what consent was obtained for varied across service providers. For example:

a. Obtaining consent: Some service providers give data subjects with the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtaining their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The viewing or interaction of the user of such targeted advertisements is however, considered an affirmation to this third party source, that the user is the targeted criteria. Thus, there appears to be lack of consent in this regard.

b. No Consent or choice offered: Some service providers do not mention consent. For example, Vodafone, and BSNL do not make any mention of choice or consent in their respective privacy policies.

c. Consent for limited circumstances: Some service providers only provide consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.

There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.

7. Transparency mechanism :

Applicable Rule and Principle: The Openness Principle specifically recommends transparency in all activities of the data controller. ^[53] The Rules provide a limited transparency mechanism under Rule 8 which require bodies corporate to document their security practices and procedures and Rule 4 which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.

Observation: All service providers fail in implementing adequate mechanisms for transparency.

8. Scope :

Applicable Rule and Principle : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publically available. The same is also necessary under Rule 4, which mandates that any body corporate which " collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. "

Observation : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in the Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.

International Best Practices

Canada

The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' ^[54] made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). ^[55]

The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMP's is integral in the protection of online privacy, as ITMP's most commonly employ methods such as deep packet inspection which can be used to burrow into personal information of consumers as well.

Recognising that this may not be the current practice, but a possibility in the future, the policy makes certain guidelines for ITMPs. It permits ITMP's that block bad traffic such as spam and malicious software. Nearly all other ITMPs however, require the prior notice of 30 days or more before initialising the ITMP.^[56]

ITMP's are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs in their contracts with Primary ISPs must agree to the same duties of the latter, that is the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.

Australia

The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.^[57] These principles govern the following: collection,^[58] use and disclosure,^[59] data quality,^[60] security,^[61] openness,^[62] access and correction,^[63] identifiers,^[64] anonymity,^[65] trans-border data flows,^[66] and sensitive information. ^[67]

The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, ^[68] but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which providers that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.

European Union

The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). ^[69] The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.^[70] The Directive differentiates between Personal Data and Sensitive Personal Data, ^[71] with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. ^[72] The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. ^[73]

In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications^[74] and the Data Retention Directive. ^[75] The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.

The established practices considered above have the following principles, relevant to the study at hand, in common:

1. Notice

2. Collection Limitation

3. Use Limitation

4. Access and Corrections

5. Security

6. Data Quality and Accuracy

7. Consent

8. Transparency

And the following principles are common between two of the three regimes discussed above:

1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collecting information, but the Data Protection Directive does not directly govern disclosure of collected information.

2. The Principles of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act

3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.

Recommendations

Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.

1. Access and location of privacy policy: Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.

2. Scope of privacy policy: The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.

3. Defining consent: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.

4. Clear language: The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.

5. Transparent security practices: The Privacy Policy should include comprehensive information about a company's security practices should be included in the Privacy Policy. Information pertaining to audits of these procedures should be made public.

6. Defined and specified third parties: The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.

7. Comprehensive grievance mechanism: The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, procedure of submitting a grievance, expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and method of appealing decision of the grievance officer.

8. Specify laws governing disclosure to governmental agencies and law enforcement: The Privacy Policy should specify under what laws and service providers are required disclose personal information to.

9. Inclusion of data retention practices: The Privacy Policy should include provisions defining the retention practices of the company.

Annexure 1

Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt establish a holistic data security regime for the private sector.

The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.

Relevant provisions that pertain to the privacy policy of body corporate

Rule 3: This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:

i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"^[76].

ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" ^[77]

iii. Physical, physiological and mental health condition

iv. Sexual orientation

v. Medical records and history

vi. Biometric information

The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. ^[78]

The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.

Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person "^[79]

Interpretation: While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.^[80] While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. ^[81] Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.

As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers' of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.

On a positive note, the addition of the term "in combination with other information available or likely to be available", gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual, the recognition of this, in effect, gives a far wider scope to personal information under the Rules.

In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used.{This is mentioned under Rule 4(ii) and (iii)} Since Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.

Rule 4: This rule mandates that a "body corporate that collects, receives possess, stores, deals or handles information of the provider of information". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.

The following details have to be included in the privacy policy -

"(i) Clear and easily accessible statements of its practices and policies;

(ii) Type of personal or sensitive personal data or information collected under rule 3;

(iii) Purpose of collection and usage of such information;

(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;

(v) Reasonable security practices and procedures as provided under rule 8."^[82]

Interpretation : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.

Rule 5: This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. ^[83]

Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -

a. The fact that the information is being collected.

b. The purpose of such collection.

c. Intended recipients of the collected information.

d. Names and addresses of the agency or agencies collecting and retaining information.

Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.

This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.

It also requires that a Grievance Officer be instated to redress the grievance " expeditiously but within one month from the date of receipt of grievance." The Grievance Redressal process has been discussed in more detail later.

Interpretation: Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]

Prima facie , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle ^[84], Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.

In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.

Rule 6: This rule lays down the conditions and procedure for disclosure of information.^[85] Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -

a. The body corporate is required to obtain prior permission from the provider of the information, or

b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or

c. Disclosure is necessary for the compliance of a legal obligation.

An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.

Interpretation :

The guidelines for disclosure limit themselves to SPD under Rule 6 leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv)'s applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.

Rule 7 : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.

Interpretation : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of the way the data is handled or dealt by the third party, which is shared by the body corporate in question.

Rule 8: This Rule details the criteria for reasonable security practices and procedures.^[86] It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "managerial, technical, operational and physical security control measures". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.

Interpretation : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task^[87]. With regards to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.

Other Relevant Policies:

Empanelled Information Technology Security Auditors - CERT-In has created a panel of 'IT Security Auditors' for auditing networks & applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.^[88] The empanelled IT security auditing organization is required to, inter alia, conduct a " Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc." ^[89] and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.^[90] For this purpose CERT-In maintains a list of IT Security Auditing Organizations^[91].

Criteria for analysis of company policies based on the 43A Rules

1. Clear and Accessible statements of its practices and policies^[92] -

i. Whether the privacy policy is accessible through the main website of the body corporate?

ii. Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

iii. Whether the privacy policy can be comprehended by persons without legal knowledge?

2. Type and acknowledgment of personal or sensitive personal data/information collected ^[93]-

i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected.

ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

3. Option to not provide information and withdrawal of consent^[94] -

i. Whether the Privacy Policy specifies that the user has the option to not provide information?

ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

4. Existence of Grievance Officer -

i. Whether the privacy policy mentions the existence of a grievance officer?

ii. Whether the privacy policy provides details of the grievance redressal mechanism?

iii. Whether the privacy policy provides the names and contact information of the grievance officer?

5. Purpose of Collection and usage of information -

i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

6. Disclosure of Information -

i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?

ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?

7. Reasonable Security practices and procedures -

i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?

Annexure 2

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company SURVEY

1. Bharti Airtel Ltd.

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: Airtel's Privacy Policy^[95] is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.

2. Type and acknowledgement of personal or sensitive personal data/information collected: Yes

b. Rationale: Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information^[96], and specifies specific types of personal^[97] and sensitive personal information ^[98] that will be collected.

3. Option to not provide data or information and subsequent withdrawal of consent: Yes

c. Rationale: The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.^[99]

4. Existence of Grievance Officer: Yes

a. Rationale: Airtel provides for the contact details of nodal officers^[100] and appellate authorities ^[101] on its website. Additionally the website provides for the 'Office of the Ombudsperson'^[102], which is an independent forum for employees and external stakeholders^[103] of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Additionally, details of the Airtel Grievance Redressal Officers can also be found in the TRAI website.^[104]

5. Comprehensive disclosure of purpose of collection and usage of information: Partial

Rationale: Airtel's Privacy Policy indicates eight purposes^[105] that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.

6. Disclosure of Information^[106]: Yes

a. Rationale: Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information^[107], how collected personal information may be collected internally ^[108], the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract^[109], the possible transfer of personal information and its purposes^[110], and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) ^[111]

7. Existence of reasonable security practices and procedures ^[112] : Yes

a. Rationale: Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant ^[113], that access is restricted to a need to know basis and that employees are bound by codes of confidentiality^[114], and that Airtel works to ensure that third parties also have strong security procedures in place.^[115] The policy also provides details on the retention^[116] and destruction ^[117] procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.^[118]

1. Tata Telecommunication Services (DoCoMo and Virgin Mobile)

1. Clear and Accessible statements of its practices and policies : Partial

a. Rationale: Though Tata DoCoMo has a comprehensive Data Privacy Policy ^[119] that is applicable to Tata Teleservices Limited's ("TTL") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. ^[120]

2. Type of personal or sensitive personal data/information collected: Partial

a. Rational: TTL defines personal information^[121] but only provides general examples of types of personal information^[122] (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies. ^[123]

3. Option to not provide information and withdrawal of consent: N/A

a. Rationale: The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.

4. Existence of Grievance Officer: Yes

a. Rationale: TTL has various methods to lodge complaints and provides for an appellate authority. ^[124] Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.^[125]

5. Purpose of Collection and usage of information: Yes

a. Rationale: In its' Privacy Policy, TTL describes the way in which collected information is used. ^[126] The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes, ^[127] and the use of aggregate and anonymized data.^[128]

6. Disclosure of Information: Yes

a. Rationale: In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances on which they will share/disclose personal information with third parties^[129], with law enforcement/governmental agencies^[130], and with other TTL companies. ^[131] Interestingly, the TTL FAQ's clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction. ^[132]

7. Reasonable Security practices and procedures: Partial

a. Rationale: TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. ^[133] Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012^[134]. Information on IT security standards adopted by other circles could not be found on the internet.

2. Vodafone

1. Clear and Accessible statements of its practices and policies: Yes

Rationale: Vodafone's Privacy Policy^[135] is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. ^[136]

2. Collection of personal or sensitive personal data/information: No

Rationale: Type -

a. Personal Information - The amount of details given by the Privacy Policy with regards to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses is vague language - such as 'amongst other things', implying that information other than that which is notified is being collected.^[137]

b. Sensitive Personal Data or Information - The Privacy Policy does not mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider explicitly, only gives a general overview of the information that is collected.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.

4. Existence of Grievance Officer: Yes

a. Rationale: The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.^[138]

5. Purpose of Collection and usage of information: Partial

a. Rationale:

The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, ^[139] but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.

6. Disclosure of Information: Yes

a. Rationale:

The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.^[140] The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable. ^[141] Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website ^[142] states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard^[143].

3. Aircel

1. Clear and Accessible statements of its practices and policies: Yes

Rationale:

The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.^[144]

2. Type of personal or sensitive personal data/information collected: Partial

Rationale: Type -

a. Personal Information

In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. ^[145] The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.

a. Sensitive Personal Data or Information

The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.

3. Option to not provide information and withdrawal of consent - Yes

Rationale : The Privacy Policy mentions that users do have the right to refuse to provide or the withdrawal of consent to collect personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services. ^[146]

4. Existence of Grievance Officer: Yes

a. Rationale:

Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. ^[147]

5. Purpose of Collection and usage of information: Partial

a. Rationale: The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.^[148]

6. Disclosure of Information: Yes

a. Rationale: Though the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does. ^[149]

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.^[150]

4. Atria Convergence Technologies Private Limited (ACT)

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.^[151]

2. Type of personal or sensitive personal data/information collected: Partial

a. Rationale:

Type -

a. Personal Information - Yes -

The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. ^[152]

a. Sensitive Personal Data or Information -

The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.

4. Existence of Grievance Officer: No

a. Rationale: No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.^[153]

5. Purpose of Collection and usage of information: Yes

a. Rationale: The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.^[154] The list of purposes for collection given in the Privacy Policy is a very general list.

6. Disclosure of Information: Yes

a. Rationale: The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to above, that being when the information is shared for investigative purposes.^[155] At the same time, the intended recipients of the information are not mentioned, and the name and address of agency/agencies collecting and retaining information is not mentioned.

7. Reasonable Security practices and procedures: No

a. Rationale: - The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point, keeping in mind the requirements of the Rules. ^[156]

The application — targeted at easing the information asymmetry between internet service providers (ISPs) and consumers — elicited responses that provide interesting insights into the functioning of ISPs in India.

The application queried BSNL about its:

• Adherence to net neutrality / non-discrimination principles
• Throttling on the basis of content
• Throttling on the basis of protocol
• Limiting traffic / speeds for pornographic websites
• Limiting traffic / speeds for P2P / torrent connection

In its reply, BSNL denied all forms of throttling on the basis of content and reaffirmed that it is bound by the terms of its ISP license granted by the Department of Telecommunications. The application and response are below:

Application:

Request for Information under the Right to Information Act, 2005

To,

Sh. Suresh Kumar
Addl.GM (MIS)  & CPIO ,BSNL Co.
R. No. -29, IR Hall
Eastern Court, Janpath
New Delhi – 110001

Date of application: 08-10-2014

Subject: Network Neutrality / Throttling / Data discrimination policies of BSNL

Please provide information as to the policies of BSNL / decisions taken in respect of the following questions. Please supply where possible a copy of the relevant documents, minutes of meeting, position papers etc.

1. Does BSNL support the principle of net neutrality and non-discrimination of data?
2. Does BSNL regulate internet traffic flows depending on the type of content being accessed by the user on its broadband connections?
3. Does BSNL regulate internet traffic flows depending on the type of protocol being used by the user on its broadband connections?
4. Please provide details of the various types of content/protocols for which BSNL regulates traffic and the nature of such regulations, restrictions as the case may be.
5. Please provide a list of traffic for which BSNL engages in limiting internet speed or throttling.
6. Does BSNL limit internet traffic or upload/download speeds for pornographic websites and content?
7. Does BSNL limit internet traffic or upload/download speeds for Peer-to-peer or torrent connections?

Please provide copies of all documents that pertain to BSNL’s policies and decisions in this regard.

It is certified that I am a citizen of India and that I do not fall within the BPL category. I am enclosing Rupees thirty (Rs. 30) towards the application fee and photocopying costs under the RTI Act for the information and documents requested. Kindly inform me at the address stated below if any further fees are required to be paid.

Applicant:

Tarun Krishnakumar
Centre for Internet and Society
No.194, 2nd C Cross Road, Domlur II Stage,
Bangalore - 560071

RESPONSE FROM BSNL:

To,

Sh. Tarun Krishnakumar
Centre for Internet and Society
No. 194, 2^nd C Cross Road, Domulur II stage,
Bengaluru – 560071

Subject: Supply of Information under RTI ACT – 2005

Case of Shri. Tarun Krishnakumar – reg.

Ref:  -   1. No. BSNL/BBNW/RTI Act/Vol II/2012-13/52 dtd 28.10.2014

2. No. 23-744/14-RTI dtd 21.10.2014

With reference to the above subject, for the point wise information furnished as below:

1. BSNL is following the guidelines as per the ISP License Agreement of DOT.
2. NO, BSNL is NOT regulating the Internet traffic flow based on content.
3. NO, BSNL is not regulating the Internet traffic flow based on the type of protocol.
4. Not Applicable
5. Not Applicable
6. NO
7. NO
8. The documents relating to above are available on DOT’s website http://dot.gov.in

(Sd/-)

DE Admin and APIO
O/o General Manager
BBNW, BSNL,
5^th floor, BG (E), TE Building,
Lazar Road, Fraser Town,
Bengaluru – 560005
Tel No. 080 - 25808878

Copy to:

1. The Addl. GM (A) & CPIP O/o CGM, BBNW, New Delhi for information pl.

The scanned version of the reply is available here.

Introduction: Conceptions of Privacy

Because of the variance exhibited by the various legal, social, and cultural aspects of privacy, it cannot be easily defined. As a legal concept, privacy may form a constitutional claim, a statutory entitlement, a tortious action or an equitable remedy. As a constitutional claim, privacy is either an explicitly recognised right that is capable of independent enforcement, read into a pre-existing right , or located within the penumbra of a larger right. Statutory recognition of privacy may be afforded by both criminal and civil statutes. The offence of criminal defamation for instance, is perceived as an act of violating an individual's privacy by tarnishing his or her reputation. Similarly the provision of in camera trials for divorce proceedings is an illustration of a civil statute implicitly recognising privacy. As a tortious claim the notion of privacy is commonly understood in terms of the right against trespass of property. Equity, co-terminus with a statutory mandate or in isolation, may also be a source of privacy.

Most legal conceptions of privacy in everyday use in India originated from the English common law. Other constitutional and statutory constructions of privacy, even when not found in the common law, arise within a broader modernist system of law and justice that originated in Europe. During the European colonisation of India, the British (and, in a different manner, the French ) attempted to recreate the common law in India through the establishment of a new legal and courts system, and the wholesale importation of the European idea of law. The very notion of privacy, as well as its legal conception, is a product of this legal modernity. In post-colonial societies, the argument against the right to privacy is usually premised on its perceived alien-ness - as a foreign idea brought by colonisers and imposed on a traditionalist society that favoured communitarian living over individual rights - in an effort to discredit it.

The fallacy of this argument lies in its ignorance of the cultural plurality of privacy. To begin with, the idea that is connoted by the modernist notion of privacy pre-dated the introduction of common law in India. By the time of the Enlightenment, Hindu law and Islamic law were established legal systems with rich histories of jurisprudence and diverse schools of law within them, each with their own juristic techniques and rules of interpretation. While neither Hindu law nor Islamic law use a term that readily translates to "privacy", thereby precluding a neat transposition of meanings between them, the notion of privacy existed and can be located in both the legal traditions. In this paper, the term 'privacy' is used to describe both the modernist notion that arises from the principle of personal autonomy as well as the diverse pre-modern concepts in Hindu and Islamic jurisprudence that resemble or relate to this notion. These pre-modern concepts are diverse, and do not permit an easy analysis. For instance, the Manusmriti, which is a source of classical Hindu law, prohibits bathing in tanks that belong to other men. Additionally it prohibits the use of wells, gardens, carriages, beds, seats and houses without the owner's permission. These prohibitions are not driven by the imperatives of privacy alone. The rationale is that in using others' belongings one appropriates a portion of their sins. Hence, these privacy protections are linked to an ideal of purity. Islamic law also restricts the use or misappropriation of another's property. However, this prohibition is designed to protect private property; it has no ideological link to purity.

This paper attempts to locate constructs of privacy in classical Hindu law. The purpose of this exercise is not to privilege one legal system over another. Therefore, we do not intend to normatively assess the existing modernist discourse on privacy. We simply seek to establish the existence of alternate notions of privacy that pre-date modernity and the common law.

The scope of the paper is confined to locating privacy in classical Hindu law. The materials within the realm of classical Hindu law, relevant to this exercise are- the sruti, smriti, and acara. Sruti comprises of the Vedas, Brahmanas, Aranyakas and the Upanishads. It is considered to symbolise the spirit of Hindu law and is not the source of any positivist command as such. Smriti involves various interpretations of the sruti, We have however restricted ourselves to the Dharmashastras in this realm. Acara refers to the body of customary practices.

The review of the material at hand however, is not exhaustive. The reasons for this are twofold- first, given the vast expanse of Hindu jurisprudence, the literature review has been limited; second, there is a limited availability of reliable English translations of ancient legal treatises.

This paper is divided into two parts. The first part of this paper deals with the interface of colonisation with Hindu law and elucidates the nature of Hindu law. With the advent of colonialism, classical Hindu law was gradually substituted by a modernist legal system. Exploring the characteristics of modernity, the factors that contributed to the displacement of classical Hindu law will be identified.

One of the factors that contributed to the displacement was the uncertainty that characterised classical Hindu law. Classical Hindu law was an amalgamation of three sources, as. In an attempt to rule out the uncertainty, and the lack of positive command, the modernisation of Hindu law was brought about. Accordingly this part shall also examine the nature of Hindu law. Furthermore it shall determine whether the application of codified modern Hindu law, is informed by the precepts of classical Hindu law.

Having explicated the nature of Hindu law, the next part will focus on identifying instances of privacy in classical Hindu law.

Before ascertaining specific instances, however, this part will lay down a general understanding of privacy as it existed then. It will be demonstrated that regardless of the absence of an equivalent term, an expectation of privacy existed.

The specific illustrations of privacy will then be mapped out.

Given the different aspects wherein an expectation of privacy exists, there is also a possibility of competing claims. In the event that such conflicts arise, this part will attempt to resolve the same.

Part 1: The Transmogrification of the Nature of Hindu Law

The evolution of Hindu jurisprudence can be charted through three phases- classical, colonial, and modern.

In the classical phase, it was embodied by the Dharmashastra which elaborated on customary practices, legal procedure, as well as punitive measures. The Dharamshastra was accompanied by the Vedas, and acara. Whether this body of jurisprudence could be called 'law' in the strict modernist sense of the term is debatable.

Modernity has multifarious aspects. However, we are concerned with modernity in the context of legal systems, for the purpose of this paper. The defining attribute of a modernist legal system is the need for positivist precepts that are codified by a legislature. The underlying rationale for formalised legislation is the need for certainty in law. Law is to be uniformly applied within the territory. The formalised legislation is to be enforced by hierarchized courts. Furthermore this codified law can be modified through provisions for amendment, if need be.

This modernist understanding is what informs the English common law. With the advent of colonialism, common law was imported to India. The modernist legal system was confronted by plural indigenous legal systems here that were starkly different in nature. In the given context, the relevant indigenous system is classical Hindu law. The classical precepts were interpreted by the British. These interpretations coupled with the sources of Classical Hindu law, constituted colonial Hindu law.

It is pertinent to note that these interpretations were undertaken through a modernist lens. The implication was the attempted modernisation of a traditional legal system.

The traditional system of Classical Hindu law did not exhibit any of the introduced features. To begin with not all of classical Hindu law was text based. The problem with the textual treatises was threefold. First, they were not codes enacted by a legislature, but written by various scholars. Second, they were not phrased as positivist precepts. Third, their multiplicity was accompanied with the lack of an established hierarchy between these texts.

Additionally classical Hindu law was the embodiment of dharma, which in itself was an amorphous concept. The constitutive elements ofdharma were law, religious rites, duties and obligations of members of a community, as well as morality. These elements do not however, exhaustively define dharma. There exist varying definitions of dharma, and in some cases even ancient texts dealing with dharma fail to articulate its definition. This is on account of the fact that the meaning of dharma, varied depending on the in which it is used Owing to the fact that classical Hindu jurisprudence was informed by dharma, the former was an amalgamation of law, religion and morality. Therefore it was categorised as jurisprudence that lacked the secularity exhibited by modern positivist law.

The co-existence of law and morality in classical Hindu law has led to various debates regarding its nature. Before explicating the nature of classical Hindu law, its sources must be elaborated on. As referred to, the sources are sruti, smriti, and acara.

Sruti is constituted by the Vedas, Brahmanas, Aranyakas, and Upanishads. Vedas are divine revelations that contain no positive precept per se. They are considered as the spirit of law, and believed to be the source of the rules of dharma. The Vedas are constituted by the Rigveda, Samveda, Yajurveda and Athravaveda. Based on the Vedic texts, treatises have been written elucidating religious practices. These texts are known as the Brahmanas. The Aranyakas and the Upanishads engage in philosophical enquiries of the revelation in the Vedas.

Interpretations of the Sruti by various scholars are embodied in the Smriti. The connotations of smriti are twofold. First, it implies knowledge transmitted through memory, as opposed to knowledge directly revealed by divinity. Additionally, it is the term used to collectively reference the Dharmasutras and Dharmashastra.

Dharmasutras were essentially interpretations of revelation in only prose form, or a mixture of prose and verse. They detailed the duties and rituals to be carried out by a person, through the four stages, of his or her life. The duties laid down also varied depending on the caste of a person. They also laid down guidelines for determining punishments.

Dharmasastras on the other hand were in the verse form. Though their subject matter coincided with the Dharmasutra in terms of domestic duties and rituals, they had a wider ambit. The Dharmasastras also dealt with subjects such as statecraft, legal procedure for adjudicating disputes. In a limited way, they marked the diversification from strictly religious precepts, from those that were legal in nature. For instance the Manusmriti was an amalgamation of law and ritual. The Yajnawalkya Samhita however, has separate parts that deal with customary practices, legal procedure, and punitive measures. The Narada Smriti, in turn deals only with legal procedure and rules of adjudication.

It is opined that in due course of time, the Aryan civilisation diversified. Their life and literature were no longer limited to sacrificial practices, but took on a more 'secular' form. The Arthashastra is evidence of such diversification. Unlike the Dharmashastra, it deals with strategies to be employed in governance, regulations with regard to urban planning, commercialisation of surrogacy, espionage, among other things.

The third source of classical Hindu law, acara refers to customary practices and their authoritativeness was determined by the people. Their prevalence over textual tradition is contentious. Some opine that acara prevails over textual traditions. However, the opposing school of thought believes that customary practices prevail only if the text is unclear or disputed.

Other sources of classical Hindu law include the itihas (epics such as the Mahabharata and Ramayana), and digests written by scholars.

Given the diversity of sources and its non-conformity to positivism, the nature of classical Hindu law is a heavily contested issue. For instance, with regard to the legal procedure in the Dharmashastra, Maynes opines that these rules qualified as law in the modernist sense. Ludo Rocher however, opines that textual treatises would not qualify as law. Classical Hindu law can admittedly not be identified as strictly legal or strictly moral. However, it does in a limited way recognise the distinction between legal procedure and morality. This is to say, it is not merely a source of rituals, but also lays down precepts that are jurisprudentially relevant.

On account of its non-conformity with characteristics of a modernist legal system, classical Hindu law was displaced by its colonial version. The British attempted to accomplish this though the process of codification. The colonial attempts to codify Hindu law were carried forward by the Indian government post-independence. The result was the Hindu Code Bill. The context in which this codification took place must be examined in order to better comprehend this transmogrification. Post-independence, the idea of a Uniform Civil Code had been debated. However it was at odds with the Nehruvian notion of secularity. The codification of Hindu personal law was an attempt at modernising it, without infringing on the religious freedom of Hindus. The idea was to confine the influence of religion to the private sphere. What emerged was the Hindu Code Bill, which served as the blueprint for the Hindu Marriage Act, the Hindu Succession Act, the Hindu Minority and Guardianship Act and, the Hindu Adoption and Maintenance Act. Colonial Hindu law was thus displaced by modern Hindu law.

As Galanter observes however, modernisation through legislations may formalise or even modify classical precepts, but cannot erase them completely. For instance, Section 7 of the Hindu Marriage Act, which prescribes the ceremonial requirements for a Hindu marriage, replicates those prescribed in Classical Hindu law. Additionally a plethora of judicial decisions have relied on or taken into consideration, precepts of ancient Hindu jurisprudence.

It is evident thus that ancient precepts still inform modern Hindu law. Given their relevance, it would be erroneous to write off classical Hindu law as completely irrelevant in a modernist context.

Part II: Precepts of Privacy in Classical Hindu Law

As referred to, we have not come across a terminological equivalent of the term 'privacy' in the course of our research. The linguistic lacuna is admittedly a hurdle in articulating the pre-modern understanding of privacy as found in Hindu jurisprudence. It is not however, an argument against the very existence of privacy. The lack of pre-modern terminology necessitates the usage of modern terms in classifying the aspects of privacy detailed in Hindu jurisprudence.

Thus, broadly speaking, the aspects of privacy we have culled out from the material at hand are those of physical space/ property, thought, bodily integrity, information, communication, and identity. As will be demonstrated these aspects overlap on occasion and are by no means an exhaustive indication. In order to contextualise these aspects within the realm of Hindu jurisprudence, they are detailed below through specific illustrations.

A. Privacy of physical Space/ property

Akin to the modern legal system that first understood privacy in proprietary terms, Hindu jurisprudence too accorded importance to privacy in terms of physical space. This is further illustrated by the similarity between the common law notion of a man's house being his castle, and the institutional primacy accorded by the Naradsmriti to the household . The common denominator here is the recognition of a claim to privacy against the sovereign. This claim operated against society at large as well. For instance, an individual caught trespassing on someone else's property was liable to be fined.

These religious precepts were supplemented by those reflected in texts such as the Arthashastra. By way of illustration the house building regulations prescribed by it are largely informed by the recognition of a need for privacy. To begin with, a person's house should be built at a suitable distance from a neighbour's house, to prevent any inconvenience. In addition the house's doors and windows should ideally not face a neighbours doors and windows directly. The occupants of the house should ensure the doors and windows are suitably covered. Furthermore in the absence of a compelling justification, interference in a neighbour's affairs is penalised.Juxtaposed to religious texts that often perceived privacy as a concept driven by the imperative of purity, the Arthashastra is reflective of a secular connotation of privacy.

Though the household was privileged as the foundational institution in Hindu jurisprudence, claims of privacy extend beyond one's house to other physical objects as well, regardless of whether they were extensions of the household or not. For instance, both the Yajnawalkya Samhita and the Manusmriti condemn the usage of another person's property without his or her permission.

What is noteworthy in the context of personal property is that in an era infamous for the denigration of women, Hindu jurisprudence recognised a woman's claim over property. This property, also known as Stridhana, had varied definitions. In the Yajnawalkya Samhita for instance, it is conceptualised as, "What has been given to a woman by the father, the mother, the husband or a brother, or received by her at the nuptial fire, or given to her on her husband's marriage with another wife, is denominated Stridhana or a woman's property". In the Manusmriti, it is defined as "What was given before the nuptial fire, what was given on the bridal procession, what was given in token of love, and what was received from her brother, mother, or father, that is called the sixfold property of a woman".

Beyond mere cognizance of proprietary rights however, these precepts were also informed by the notion of exclusivity. Consequently, a woman's husband or his family were precluded from using her Stridhana, unless they were in dire straits. Additionally it was a sin for a woman's relatives to use her wealth even if the same was done unknowingly.

B. Privacy of Thought

In addition to the aspect of physical space, a claim to privacy vis-a-vis the intangible realm of thought was afforded by Hindu jurisprudence. In the modern context the link between solitude and privacy has been recognised as early as 1850 by Warren and Brandeis. The key distinction is that in the modern era this need for solitude was seen as a function of the increasing invasion of privacy. In the pre-modern era however, solitude was considered essential for self-actualisation, and not as a response to the increasing invasion of the private realm. Meditation in solitude was perceived as enabling existence in the highest state of being. In fact a life in solitude was identified as a pre-requisite for being liberated.

Though solitude itself is intangible, engaging in meditation would require a tangible solitary space. This is where the privacy of thought overlapped with the aspect of privacy of space. Accordingly, the Arthashastra prescribed that forest areas be set aside for meditation and introspection. It also recognised the need for ascetics to live within these spaces harmoniously, without disturbing each other.

It is evident, that as far as the aspects of privacy were concerned, there were no watertight compartments.

C. Privacy with respect to bodily integrity

A claim to privacy of thought can only be substantively realised when complemented by the notion of privacy with respect to bodily integrity, as corporeal existence serves as a precursor to mental well-being. The inference drawn from the relevant precepts concerning this aspect is that they were largely women-centric. Arguably they were governed by a misplaced patriarchal notion that women's modesty needed to be protected. At best they could be considered as implicit references to an expectation of privacy.

The Manusmriti states, "But she who…goes to public spectacles or assemblies, shall be fined six krishnalas". Restrictions operating during a woman's menstruation were twofold. Her family was prohibited from seeing her. Additionally cohabitation with such a woman was also forbidden. It should be pointed out that that these constructs had little to do with a woman's expectation of privacy. They were forbidden due to the attached implications of impurity that would vest in the defaulter. A woman's autonomy with regard to her body was not regarded as a factor meriting consideration.

However, there were constructs, albeit limited, which were more egalitarian in their approach and did recognise her autonomy. They established that women do have an expectation of privacy in terms of bodily integrity. Sexual assault was considered as an offence. Evidence of this is found in the Yajnawalkya Samhita which states, "If many persons know a woman against her will, each of them should be made to pay a fine of twenty four panas". In addition, the Arthashastra vested in commercial sex workers the right to not be held against their will. Further it expressly states that even a commercial sex worker cannot be forced to engage in sexual intercourse.

Women could make a claim to privacy not only against society at large, but also against their husbands. Ironically, while our contemporary legal system (i.e., the Indian legal system) fails to criminalise marital rape, the Manusmriti considered it an offence. Additionally, husbands were also prohibited from looking at their wives when the latter were in a state of relaxation.

D. Privacy of Information and Communication

While the three aspects explicated above were by and large restricted to the individual, the privacy of information and communication has been largely confined by Hindu jurisprudence to the realm of the sovereign. Both the Manusmriti and the Arthashastra acknowledge the importance of a secret council that aids the king in deliberations. These deliberations are to be carried on in a solitary place that was well-guarded. The decisions made in these deliberations are to be revealed on a need to know basis. That is to say, only persons concerned with the implementation of these decisions are to be informed. The Manusmriti also provides for private deliberation by the king on matters not involving governance. It provides, "At midday or midnight , when his mental and bodily fatigues are over, let him deliberate, either with himself alone or with his ministers on virtue, pleasure, and wealth".

Apart from governance, privacy of information also pertained to certain types of documents that were considered private in nature. These are documents that involve transactions such as partition, giving of a gift, purchase, pledge and debt. What is interesting about this precept is the resemblance it bears to the common law notion of privity. The common characteristic of the documents referred to, is that they concerned transactions undertaken between two or more persons. The rights or obligations arising from these transactions were confined to the signatories of these documents. It could be possible that the privatisation of these documents was aimed at guarding against disruption of transactions via third party intrusions.

The limited reference to private communications is found within the realm of governance, within the context of privacy of information. The only illustration of this that we have come across is the precept in the Arthashastra that requires intelligence to be communicated in code.

E. Privacy of Identity

The final aspect that warrants detailing is the privacy of identity. The notion of privacy of identity can be understood in two ways. The first deals with protection of personal information that could be traced back to someone, thus revealing his or her identity. The second recognises the component of reputation. It seeks to prevent the misappropriation or maligning of a person's identity and thus reputation. In ancient Hindu jurisprudence there is evidence of recognition of the latter. An illustration of the same is offered by the precept which states "For making known the real defects of a maiden, one should pay a fine of a hundred panas". Another precept prescribes that false accusations against anyone in general are punishable by a fine. Additionally, there is also a restriction operating against destroying or robbing a person of his or her virtue. In the modern context, the above would be understood under the rubric of defamation. These precepts are indicative of the fact that defamation was recognised as an offence way before the modern legal system afforded cognizance to the same.

Conclusion

The dominant narrative surrounding the privacy debate in India is that of the alien-ness of privacy. This paper has attempted to displace the notion that privacy is an inherently 'Western' concept that is the product of a modernist legal system. No doubt the common understanding of the legal conception of privacy is informed by modernity. In fact, the research conducted in support of this paper has been synthesised from privacy information through a modernist lens. The fact still remains however, that privacy is an amorphous context, and its conceptions vary across cultures.

To better appreciate the relevance of Classical Hindu law in a modernist context, the nature of Hindu law must be examined first. While Hindu jurisprudence might not qualify as law in the positivist sense of the term, its precepts continue to inform India's statues and judicial pronouncements.

Privacy is subjective and eludes a straitjacketed definition. On occasion this elusiveness is a function of its overlapping and varying aspects. At other times it stems from a terminological lacuna that complicates the explication of privacy. These impediments notwithstanding, it is abundantly clear that the essence of privacy is reflected in Hindu culture and jurisprudence. This may give pause to thought to those who seek to argue that 'collectivist' cultures do not value privacy or exhibit the need for it.

The meeting began with a talk by Bhairav Acharya on the origin of privacy law, its jurisprudential evolution, and the current context in which privacy is being debated in India and around the world.

Bhairav began by talking about the nature of privacy law around the world. Privacy has, until recently, never been a right in English common law. Indeed, the tort of invasion of privacy is also relatively incomplete. Privacy is protected through other torts, including the torts of nuisance, trespass, and others. European treaty requirements have foisted a right to privacy upon the British legal system; the contours of this right remain unclear.

American courts, on the other hand, have been more receptive to claims of the right to privacy. There is much in the American political and legal tradition that has contributed to the easy acceptability of privacy claims. Not least among these are the strong emphasis on the individual as the fundamental unit of governance and sovereignty, and the American libertarian tradition of autonomy.

Bhairav then spoke of the right to privacy in India. Early cases in the Supreme Court of India see privacy as a negotiation between the liberties of citizens and the power of the state. In a legal tradition deeply influenced by colonialism, Indian courts readily accepted claims against physical police surveillance and other related rights in the criminal justice process – public rights against the state that were once denied to Indian subjects of colonial rule, but held short of viewing privacy as a necessary individual protection against society. This has resulted in dichotomous privacy jurisprudence.

Bhairav then talked about the contexts in which privacy claims arise in India today. Specifically, he spoke about increasingly sophisticated surveillance techniques and large-scale personal data collection and processing. There are many complexities in both these fields and a lot of time and questions were spent going over them. Surveillance is older than the nation-state; privacy law does not seek the end of surveillance, but only its optimal use. There are many kinds of surveillance, the contemporary debate deals solely with wiretapping and electronic surveillance. Privacy law cannot be blind to the many other kinds of surveillance, including old-fashioned physical surveillance on the road.

Data collection, too, cannot be ended, nor should it for it forms the basis of modern commerce and is tied to India’s economic growth. There were questions and discussion on ‘big data’, data mining, analytics, business models, and other related areas. In India, however, in the absence of an innovative IT industry, the dominant business model is of receiving foreign personal data, usually of Europeans and Americans, to provide cheap processing services. This model depends entirely on comparatively lower Indian wages. Hence, it is not surprising that the first personal data protection rules issued by the Indian government in 2011 applied solely to foreign data that was outsourced to India.

Bhairav then introduced the 2011 draft Right to Privacy Bill that was proposed by the Department of Personnel and Training of the Indian government, as well as the Personal Data Protection Rules issued under the Information Technology Act, 2000. These measures were studied clause-by-clause.

Similarly, Indian law in respect of communications surveillance was analysed in detail. The Indian Telegraph Act 1885, the Indian Telegraph Rules 1951 (including the amendments of 1961, 1999, 2007, and 2014) were looked at in detail. These laws were compared to the Indian Post Office Act 1898 and the Information Technology Act 2000. The 1968 report of the Law Commission of India that examined the wiretapping power and suggested possible overreach was also examined.

Bhairav reviewed Indian law in respect of wiretapping. All Supreme Court case law, especially the cases of Hukum Chand and Peoples Union for Civil Liberties, were analysed. Finally, the group looked at how the legal principles applicable to wiretapping have been extended to electronic and Internet surveillance. Over here, the group studied the two sets of 2011 Rules under the IT Act that enable Internet and email surveillance of both content and metadata.

After a lunch break, the group spoke about possible models for privacy regulation and protection in India. In respect of surveillance, a lot of time was spent discussing the merits and demerits of judicial warranting of surveillance, as opposed to executive authorisations. The consensus of the group, with a few exceptions, was that judicial warranting would not be a suitable model for Indian surveillance, due to several systemic weaknesses. The group also rejected several of the principles proposed by Justice A. P. Shah in the 2012 Report that was commissioned by the Planning Commission.

After a discussion on legislative models, the group discussed, clause-by-clause, the CIS proposal on privacy that was read through by Bhairav. This discussion lasted several hours, and covered many areas.

Similar is the case with financial information released by a bank, etc. This makes one wonder exactly where and how it is that the law of breach of privacy intersects with that of the law of confidentiality. An enquiry into such a complex question of law requires a deeper appreciation of the relationship between these two different principles of law which require a better understanding of the origins and evolutions of these principles.

In this paper we shall try to explore the origins of both the law of privacy as well as confidentiality as they have evolved in the field of tort law in India. Although our primary focus is Indian law, however in order to understand the evolution of these principles it is necessary to discuss their evolution in three common law jurisdictions, viz. the United States of America, the United Kingdom and India. The reason for an analysis of these three jurisdictions will become clear as the reader goes further into this paper, however for ease of reference it would be better if the reason is clarified here itself. The concept of a right against breach of confidentiality has existed in English common law for a very long time, however the concept of a claim for breach of privacy originated only in American law, other than some statutory protection granted in the last couple of decades, has still not been granted recognition in English common law.

After a discussion of the evolution of these principles in both American and English law, we will then discuss these principles as they exist in Indian law. This discussion will (or should) at once become easier to understand and digest because of the deeper understanding of the interplay between these two principles gained from a reading of the first two chapters.

Privacy Torts: American Origins

Looking at the origins of privacy law it has been argued by many academics that the law of privacy in common law has its origins in an article published by Samuel Warren and Louis Brandies in the Harvard Law Review in 1890.[1] Warren and Brandeis suggested that one could generalise certain cases on defamation, breach of copyright in unpublished letters, trade secrets and breach of confidence as all based upon the protection of a common value which they called privacy.[2] The authors relied upon the existing body of cases relating to the law of confidentiality and interpreted it in a way so as to create a "right to privacy" which has evolved into a right quite different from the common understanding of confidentiality.

Although there are certain criticisms of the article by Warren and Brandeis, the background in which the article was written and the lacuna that these two scholars were trying to fill in the law of confidentiality as it existed at that time gives some context to the reasons why they felt the need to move away from the existing principles and propose a new principle of law. Samuel Warren and Louis Brandies were both worried about the invasion of personal space by the advent of the news and print media which was experiencing a boom during the late 19^th century. [3] Warren and Brandeis were worried that although the existing body of law on confidentiality would protect a person from having their picture put on a postcard by their photographer without their consent,[4] however if there was no relationship between the two persons there would be no remedy available to the aggrieved party. [5]

One of the criticisms of Warren and Brandeis' article is that to propose the existence of a right to privacy they relied heavily on the English case of Prince Albert v. Strange[6]. It has been proposed by some academics that this was a case which dealt with confidentiality and literary property which was characterized by Warren and Brandeis as a privacy case. [7] In this case Prince Albert sought to restrain publication of otherwise unpublished private etchings and lists of works which were made by Queen Victoria. The etchings appeared to have been removed surreptitiously from the private printer to whom these etchings were given and came into the possession of one Mr. Strange who wanted to print and sell the etchings. The case specifically rejected the existence of a right to privacy in the following words:

"The case is not put by the Plaintiff on any principle of trust or contract, but on property; there is nothing to show contract or confidence. It cannot be maintained that privacy constitutes property, or that the Court will interfere to protect the owner in the enjoyment of it; Chadler v. Thompson (3 Camp. 80). In William Aldred's case (9 Rep. 58 b.), Wray C. J. said, "The law does not give an action for such things of delight"."

Infact the case mentioned the term "privacy" only once, but that statement was made in the context of whether a delay in granting an injunction in such cases would defeat the entire purpose of the suit and was not preceeded or followed by any discussion on a distinct right to privacy:

"In the present case, where privacy is the right invaded, postponing the injunction would be equivalent to denying it altogether. The interposition of this Court in these cases does not depend upon any legal right, and to be effectual, it must be immediate."

However, Warren and Brandeis interpreted this case in a different manner and came to the conclusion that the "principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality".[8]

The article further incorporated the language of Judge Cooley's treatise (Cooley on Torts)[9] which used the phrase "the right to be let alone". They said that identifying this common element should enable the courts to declare the existence of a general principle which protected a person's appearance, sayings, acts and personal relations from being exposed in public. [10] However it has been argued by some scholars that this phrase was not used by Judge Cooley with as much import as has been given by Warren and Brandeis in their article. The phrase was used by Judge Cooley in mere passing while discussing why tort law protected against not only batteries but also assaults with no physical contact, and had no connection with privacy rights. [11]

Warren and Brandeis' article started getting almost immediate attention and some amount of recognition from various quarters,[12] though it cannot be said that it was universally well received. [13] However over time this tort of privacy slowly started getting recognized by various Courts throughout the United States and got a huge boost when it was recognized in a brief section in the First Restatement of Torts published in 1939. The right to privacy in American jurisprudence got another boost and became fully entrenched later on specially with the endorsement of Dr. William Prosser who discussed privacy in his treatise on the law of torts, the subsequent editions of which had a more and more elaborate discussion of the tort of privacy. This development of the law was further enhanced by Dr. Prosser's position as a reporter of the Second Restatement of Torts, which imported a four part taxonomy of the privacy tort which had been suggested by Dr. Prosser in his previous works.[14]

Thus we see how, beginning with the article by Warren and Brandeis in 1890, the privacy tort in American jurisprudence developed over the years and became further entrenched due to the influence of William Prosser and his works on the tort of privacy.

Privacy Torts in England: An Elaborate Principle of Confidentiality

The law of confidentiality in English law, as applied in certain specific contexts such as attorney client privileges, [15] doctor patient confidentiality,[16] etc. has been applied since hundreds and even though cases relating to the breach of confidentiality had already existed, however the case of Prince Albert v. Strange,[17] be it due to the interesting facts or the fame of the parties involved, is still considered as the clearest and most well established precedent for the tort of breach of confidence.[18] Similar cases relying upon this tort kept being decided by the English Courts but the tort of confidentiality was further cemented in English common law by the case of Saltman Engineering Co. v. Campbell Engineering Co.,[19] which expanded the application of the principle by holding that the obligation to respect confidence is not limited to only instances where parties have a contractual relationship.

The seminal case on the tort of breach of confidentiality in English law was that of Coco v. A.N Clark (Engineers) Ltd., [20] where an inventor enjoined a moped manufacturer from using design ideas communicated by the inventor during failed contractual negotiations with the manufacturer.[21] In this case Megarry J., held that a case of breach of confidence normally requires three elements to succeed, apart from contract, (i) the information itself must have the necessary quality of confidence about it, (ii) that information must have been imparted in circumstances importing an obligation of confidence, and (iii) there must be an unauthorised use of that information to the detriment of the party communicating it.

Relying on the principles enunciated in the above cases and developed by subsequent decisions, English law relating to the tort of breach of confidentiality developed into a robust and flexible body of law protecting personal and commercial information from disclosure. Infact by the late 1990s, English law was very broad and gradually expanding in its scope of the tort of breach of confidentiality and Courts had stretched the idea of an obligation of confidence so as to include cases where there was not even any communication between the parties, such as secret photography and wiretapping. Further since third parties had already been reposed with an obligation of confidence when they knowingly received confidential material even if they did not have any relationship with the plaintiff, therefore the law of confidence could be extended to parties outside the relationship in which the confidence was initially made. This, although was not as broad and overarching as the American privacy tort, still had the ability to cover a wide range of cases. [22]

While English Courts on the one hand kept trying to expand the scope of the confidentiality tort, they also categorically rejected the existence of a privacy tort on the lines developed under American jurisprudence. The suggestion of the existence of such a privacy tort in English law was most recently rejected by the House of Lords in the case of Wainwright v. Home Office,[23] by Lord Bingham in the following words:

"What the courts have so far refused to do is to formulate a general principle of "invasion of privacy" (I use the quotation marks to signify doubt about what in such a context the expression would mean) from which the conditions of liability in the particular case can be deduced."

In this case the plaintiffs made a claim against the prison authorities for strip searching them before they went to meet an inmate and since the incident occurred before the coming into force of the Human Rights Act, 1998 of the UK had not yet come into force, so the plaintiffs also argued that there was an existing tortuous remedy based on a breach of privacy in common law. While discussing whether English Courts were amenable to or had ever recognized such a common law tort of privacy, the House of Lords cited decisions such as Malone v Metropolitan Police Comr, [24] and R v Khan (Sultan),[25] in both of which the courts refused to recognize a general right to privacy in the context of tapping of telephones.

The absence of any general cause of action for invasion of privacy was also acknowledged by the Court of Appeal in the context of a newspaper reporter and photographer invading into a patient's hospital bedroom in an effort to purportedly interview him and taking photographs, in the case of Kaye v Robertson.[26]

Thus relying on the above line of cases the House of Lords concluded that a general right to privacy does not exist in English common law:

"All three judgments are flat against a judicial power to declare the existence of a high-level right to privacy and I do not think that they suggest that the courts should do so. The members of the Court of Appeal certainly thought that it would be desirable if there was legislation to confer a right to protect the privacy of a person in the position of Mr Kaye against the kind of intrusion which he suffered, but they did not advocate any wider principle."

Thus it is clear that English Courts have time and again denied the existence of an American style right to privacy as emanating from common law. The Courts have instead tried to expand and widen the scope of the tort of confidentiality so as to cover various situations which may arise due to the pervasiveness of technology and which the traditional interpretation of the law of confidentiality was not equipped to deal with.

Therefore it is now a little clearer that the reason for the existence of the confusion between the torts of privacy and confidentiality is that the right to privacy had its origins in the common law precedents but the right to privacy developed as a distinct and separate right in America, primarily due to the influence of Warren and Brandeis's article as well as the works of William Prosser, whereas the Courts in England did not adopt this principle of privacy and instead favored a much more elaborate right to confidentiality. In the Indian context, this has led to some amount of confusion because, Indian case laws, as will be seen in the following chapter, borrowed heavily from American jurisprudence when discussing the right to privacy and not all cases have been able to clearly bring out the difference between the principles of privacy and confidentiality.

Indian Law

Tort of Breach of Privacy

Any analysis of the right to privacy in India, be it in the realm of constitutional law or tort law almost always includes within its ambit a discussion of the two celebrated cases of Kharak Singh v. Union of India[27] and Govind v. State of M.P.,[28] which elevated the right to privacy to the pedestal of a fundamental right under Indian law. However, an unintended consequence of this has been that pretty much every commentator on Indian law includes a discussion of these two cases when discussing the right to privacy, be it under constitutional law or under tort law. However, there is one problem with such an analysis of the right to privacy, viz. these two cases were dealing with a pure constitutional law question and relied upon American case laws to read into Article 21 an inbuilt right to privacy. However from a strictly tort law perspective, these cases are not relevant at all, and the seminal case for the tort of breach of privacy would have to be the Apex Court decision in R. Rajagopal v. State of Tamil Nadu, [29] which specifically recognized this distinction and stated that the right to privacy has two different aspects, (i) the constitutional right to privacy, and (ii) the common law right to privacy.

The facts of the R. Rajagopal case revolve around the publishing of the autobiography written by the prisoner Auto Shankar, who had been placed in jail for committing multiple murders. The autobiography contained proof of involvement of many IAS, IPS officers in his crimes. Although Shankar had initially requested that the magazine print his autobiography, he later requested that his story not be published. The publishers held that it was their right to publish the autobiography while the IPS and IAS officers on the other hand claimed that Auto Shankar was trying to defame them and wanted to ban its publication. The Supreme Court in this case, implicitly accepts the existence of a right to privacy under Indian tort law when

"21.The question is how far the principles emerging from the United States and English decisions are relevant under our constitutional system. So far as the freedom of press is concerned, it flows from the freedom of speech and expression guaranteed by Article 19(1)(a). But the said right is subject to reasonable restrictions placed thereon by an existing law or a law made after the commencement of the Constitution in the interests of or in relation to the several matters set out therein. Decency and defamation are two of the grounds mentioned in clause (2). Law of torts providing for damages for invasion of the right to privacy and defamation and Sections 499/500 IPC are the existing laws saved under clause (2). "

Discussing the distinction between the two aspects of the right to privacy, the Court held:

"The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized. This right has two aspects which are but two faces of the same coin (1) the general law of privacy which affords a tort action for damages resulting from an unlawful invasion of privacy and (2) the constitutional recognition given to the right to privacy which protects personal privacy against unlawful governmental invasion. The first aspect of this right must be said to have been violated where, for example, a person's name or likeness is used, without his consent, for advertising or non-advertising purposes or for that matter, his life story is written whether laudatory or otherwise and published without his consent as explained hereinafter. In recent times, however, this right has acquired a constitutional status."

After a discussion of the various arguments presented by the parties (a number of which are not relevant for the purposes of this paper), the Supreme Court laid down the following principles regarding freedom of the press and the right to privacy:

(1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.

(2) The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

(3) There is yet another exception to the rule in (1) above - indeed, this is not an exception but an independent rule. In the case of public officials, it is obvious, right to privacy, or for that matter, the remedy of action for damages is simply not available with respect to their acts and conduct relevant to the discharge of their official duties. This is so even where the publication is based upon facts and statements which are not true, unless the official establishes that the publication was made (by the defendant) with reckless disregard for truth. In such a case, it would be enough for the defendant (member of the press or media) to prove that he acted after a reasonable verification of the facts; it is not necessary for him to prove that what he has written is true. Of course, where the publication is proved to be false and actuated by malice or personal animosity, the defendant would have no defence and would be liable for damages. It is equally obvious that in matters not relevant to the discharge of his duties, the public official enjoys the same protection as any other citizen, as explained in (1) and (2) above. It needs no reiteration that judiciary, which is protected by the power to punish for contempt of court and Parliament and legislatures protected as their privileges are by Articles 105 and 104 respectively of the Constitution of India, represent exceptions to this rule."

The above principles have ruled the roost on the issue of privacy and freedom of the press under Indian law, with certain minimal additions. It has been held by the Delhi High Court that even though a claim for damages may be made under tort law for breach of privacy, the Court may even grant a pre-publication injunction to prevent a breach of privacy.[30] The principles laid down inR. Rajagopal were further clarified in the case of Indu Jain v. Forbes Incorporated, [31] where a case was filed by Indu Jain in the Delhi High Court to stop Forbes magazine from featuring her family in the Forbes List of Indian Billionaires. After a discussion of the various authorities and cases on the issue the Court summarized the principles relating to privacy and freedom of the press and applying those principles rejected the claim of the plaintiff. However for the purposes of our discussion these principles are extremely useful, and have been listed below:

"(V) Public or general interest in the matter published has to be more than mere idle curiosity.

(VI) Public figures like public officials play an influential role in ordering society. They have access to mass media communication both to influence the policy and to counter-criticism of their views and activities. The citizen has a legitimate and substantial interest in the conduct of such persons and the freedom of press extends to engaging in uninhibited debate about the involvement of public figures in public issues and events. (Ref. (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others Para 18).

(VII) Right to privacy that rests in an individual may be waived by him by express or implied consent or lost by a course of conduct which estops its assertions. Such implication may be deduced from the conduct of the parties and the surrounding circumstances.

(VIII) A public person or personage is one who by his standing, accomplishment, fame, mode of life or by adopting a profession or calling which gives the public a legitimate interest in his doings, affairs and character has so become a public figure and thereby relinquishes at least a part of his privacy.

(IX) The standard to be adopted for assessing as to whether the published material infracts the right to privacy of any individual is that of an ordinary man of common sense and prudence and not an out of ordinary or hyper-sensitive man. (Ref. (2007) 1 SCC 143 Ajay Goswami v. UOI & Ors.).

(X) Even though in this country, the freedom of press does not have presumptive priority as in some other jurisdictions including the United States of America, however the importance of a free media of communication to a healthy democracy has to receive sufficient importance and emphasis.

(XI) In evaluating a relief to be granted in respect of a complaint against infraction of the right to privacy, the court has to balance the rights of the persons complaining of infraction of right to privacy against freedom of press and the right of public to disclosure of newsworthy information. Such consideration may entail the interest of the community and the court has to balance the proportionality of interfering with one right against the proportionality of impact by infraction of the other.

(XII) The publication has to be judged as a whole and news items, advertisements and published matter cannot be read without the accompanying message that is purported to be conveyed to public. Pre-publication censorship may not be countenanced in the scheme of the constitutional framework unless it is established that the publication has been made with reckless disregard for truth, publication shall not be normally prohibited. (Ref.: (2007) 1 SCC 143 Ajay Goswami Vs. UOI & Ors.; (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others and AIR 2002 Delhi 58 Khushwant Singh & Anr. Vs. Maneka Gandhi)."

Thus we see that the right to privacy in Indian law, even in the realm of tort law has had an inextricable connection with constitutional principles and constitutional cases have had a very huge impact on the development of this right in India. However a perusal of these cases shows that the right to privacy is available only insofar as information which is personal in nature, however in situations where the information is non-personal in nature the right to privacy may not be as useful and this is where, as we shall see below, the tort of breach of confidentiality comes in to fill the void.

Tort of Breach of Confidentiality

While there have been a number of landmark cases in India on the issue of breach of confidence in a contractual or a statutory setting, these cases are not very relevant for a discussion on the tort of breach of confidentiality. This is not to say that the tort of breach of confidentiality is non-existent in Indian law, the Courts here have time and again accepted that there does exist such a tortuous remedy in certain situations. We shall now try to examine the contours of this principle of torts by discussing some of the landmark cases on the topic.

In the case of Petronet LNG Ltd. v. Indian Petro Group and Another, ^[32] the Delhi High Court considered a claim by a corporation seeking to prevent a news and media group from reporting its confidential negotiations and contracts with counterparties. The claim was based upon both the right to privacy as well as the right to confidentiality but in this case the court, looking at the fact that the plaintiff was a corporation and also the type of information involved denied the claim on the right to privacy. However, it did allow the injunction claimed by the corporation based on the right to confidentiality. Summarizing its discussion of the right to confidentiality, the Court stated thus:

"49. It may be seen from the above discussion, that originally, the law recognized relationships- either through status (marriage) or arising from contract (such as employment, contract for services etc) as imposing duties of confidentiality. The decision in Coco (1969) marked a shift, though imperceptibly, to a possibly wider area or zone. Douglas noted the paradigm shift in the perception, with the enactment of the Human Rights Act; even before that, in Attorney General (2) (also called the Spycatcher case, or the Guardian case) the Court acknowledged that there could be situations -where a third party (likened to a passerby, coming across sensitive information, wafting from the top of a building, below) being obliged to maintain confidentiality, having regard to the nature and sensitivity of the information….."

While discussing the factors that the Court would have to consider while deciding a claim based on the breach of confidentiality, the Delhi High Court relied upon and quoted from English judgments as follows:

"50. Even while recognizing the wider nature of duty - in the light of the Human Rights Act, 1998, and Articles 8 and 10 of the European Convention, it was cautioned that the court, in each case, where breach of confidentiality, is complained, and even found- has to engage in a balancing process; the factors to be weighed while doing so, were reflected in A v. B Plc [2003] QB 195; the latest judgment in H.R.H. Prince of Wales indicates that the court would look at the kind of information, the nature of relationship, etc, and also consider proportionality, while weighing whether relief could be given:

"The court will need to consider whether, having regard to the nature of the information and all the relevant circumstances, it is legitimate for the owner of the information to seek to keep it confidential or whether it is in the public interest that the information should be made public….

..In applying the test of proportionality, the nature of the relationship that gives rise to the duty of confidentiality may be important."

Holding that the principles discussed in the English cases given in the context of individual rights of confidentiality would also hold good in the case of corporations, the Court held that:

"51. Though the reported cases, discussed above, all dealt with individual right, to confidentiality of private information (Duchess of Argyll;Frazer; Douglas; Campbell and H.R.H. Prince of Wales) yet, the formulations consciously approved in the Guardian, and Campbell, embrace a wider zone of confidentiality, that can possibly be asserted. For instance, professional records of doctors regarding treatment of patients, ailments of individuals, particulars, statements of witnesses deposing in investigations into certain types of crimes, particulars of even accused who are facing investigative processes, details victims of heinous assaults and crimes, etc, may, be construed as confidential information, which, if revealed, may have untoward consequences, casting a corresponding duty on the person who gets such information - either through effort, or unwittingly, not to reveal it. Similarly, in the cases of corporations and businesses, there could be legitimate concerns about its internal processes and trade secrets, marketing strategies which are in their nascent stages, pricing policies and so on, which, if prematurely made public, could result in irreversible, and unknown commercial consequences. However, what should be the approach of the court when the aggrieved party approaches it for relief, would depend on the facts of each case, the nature of the information, the corresponding content of the duty, and the balancing exercise to be carried out. It is held, therefore, that even though the plaintiff cannot rely on privacy, its suit is maintainable, as it can assert confidentiality in its information."

Apart from privacy, the law of confidentiality has been used in cases where there has been a definite harm to one side but none of the other laws provide for any relief. This was the situation in the case of Zee Telefilms Limited v. Sundial Communications Pvt Ltd, [33] where a company which developed television and media programming had discussed their concept of a new show with a network during negotiations which could not be finalized. The network however subsequently tried to start a new show which was based on the same concept and idea as the one presented by the plaintiff company. The plaintiff sued the network, inter alia on a claim for breach of confidential information and asked that the network be prevented from airing its show. In this case the plaintiff's claim based on copyright was rejected because copyright only subsists on the expression of an idea and not the idea itself, therefore the tort of breach of confidentiality had to be resorted to in order to give relief to the plaintiffs. Discussing the difference between confidentiality and copyright, the Division Bench of the Bombay High Court held:

"10. The law of the confidence is different from law of copyright. In paragraph 21.2 (page 721), [of Copinger and Skone-James on Copyright (13th Edn.)] the learned author has pointed out that right to restrain publication of work upon the grounds, that to do so would be breach of trust of confidence, is a broader right than proprietary right of copyright. There can be no copyright of ideas or information and it is not infringement of copyright to adopt or appropriate ideas of another or to publish information received from another, provided there is no substantial copying of the form in which those ideas have, or that information has, been previously embodied. But if the ideas or information have been acquired by a person under such circumstances that it would be a breach of good faith to publish them and he has no just case or excuses for doing so, the court may grant injunction against him. The distinction between the copyright and confidence may be of considerable importance with regard to unpublished manuscripts / works submitted, and not accepted, for publication or use. Whereas copyright protects material that has been reduced to permanent form, the general law of confidence may protect either written or oral confidential communication. Copyright is good against the world generally while confidence operates against those who receive information or ideas in confidence. Copyright has a fixed statutory time limit which does not apply to confidential information, though in practice application of confidence usually ceases when the information or ideas becomes public knowledge. Further the obligation of confidence rests not only on the original recipient, but also on any person who received the information with knowledge acquired at the time or subsequently that it was originally given in confidence."

A similar view, in a similar fact situation Single Judge Bench of the Delhi High Court had also came to a similar conclusion in the case of Anil Gupta v. Kunal Das Gupta.[34]

The law of confidentiality has also come to the rescue of employers in attempting to prevent important business and client information from being taken or copied by the employees for their personal gain. In the case of Mr. Diljeet Titus, Advocate v. Mr. Alfred A. Adebare, [35] the Delhi High Court had to decide a claim based on breach of confidentiality when some ex-employees of a law firm tried to take away client lists and drafts of legal agreements and opinions from their earlier employer-law firm. Discussing the importance of preventing employees or former employees from away which such actions, the Court held as follows:

"81. I am in full agreement with the views expressed in Margaret, Duchess of Argyll (Feme Sole) v. Duke of Argyll and Ors. (1965) 1 All ER 611, that a Court must step in to restrain a breach of confidence independent of any right under law. Such an obligation need not be expressed but be implied and the breach of such confidence is independent of any other right as stated above. The obligation of confidence between an advocate and the client can hardly be re-emphasised. Section 16 of the Copyright Act itself emphasizes the aspect of confidentiality de hors even the rights under the Copyright Act. If the defendants are permitted to do what they have done it would shake the very confidence of relationship between the advocates and the trust imposed by clients in their advocates. The actions of the defendants cause injury to the plaintiff and as observed by Aristotle: 'It makes no difference whether a good man defrauds a bad one, nor whether a man who commits an adultery be a good or a bad man; the law looks only to the difference created by the injury."

The Court allowed the claim of the law firm holding that the relationship between a law firm and its attorneys is of a nature where information passed between them would be covered by the law of confidence and would not be allowed to be copied or used by the attorneys for their individual gain.

Recently, in 2009, the principles relating to breach of confidentiality under Indian law were very succinctly summarized by the Bombay High Court in the case of Urmi Juvekar Chiang v. Global Broadcasting News Limited,[36] where in a fact situation similar to the ones in Zee Telefilms case and the Anil Gupta case, the Court discussed a number of previous cases on breach of confidentiality and laid down the following principles:

"8. The principles on which the action of breach of confidence can succeed, have been culled out as

(i) he (Plaintiff) had to identify clearly what was the information he was relying on;

(ii) he (Plaintiff) had to show that it was handed over in the circumstances of confidence;

(iii) he (Plaintiff) had to show that it was information of the type which could be treated as

confidential; and

(iv) he (Plaintiff) had to show that it was used without licence or there was threat to use it…… It is further noted that at interlocutory stage, the Plaintiff does not have to prove (iii) and (iv) referred to above, as he will at the trial. But the Plaintiff must address them and show that he has atleast seriously arguable case in relation to each of them."

From the above discussion on Indian law it is clear that the Courts in India have tried to incorporate the best of both worlds, in the sense that it has taken and adopted the principle of a right to privacy, a breach of which would give rise to an action in torts, from American jurisprudence while rejecting the stand taken by English Courts in rejecting such a right to privacy. However, Indian Courts have often referred to the decisions given by English Courts as well as American Courts in interpreting the principle of the right to confidentiality. Therefore on an overall examination it would appear that insofar as the rights to privacy and confidentiality are concerned, Indian jurisprudence has more in common with American law rather than English law.

Conclusion

The law of privacy does not seem to have existed as a recognizable principle of law before it was propounded in the article by Warren and Brandeis in the Harvard Law Review in 1890. It slowly gained traction in American jurisprudence over the twentieth century but was rejected outright by the Courts in England, which preferred to follow the principle of confidentiality rather than privacy and tried to expand that old principle to fit newer and newer situations. Since Indian law borrows heavily from English law and to a smaller extent also from American law, the Courts in India have accepted both, the principle of a right to privacy as well as a right to confidentiality. This is not to say that the Courts in America do not recognize a right to confidentiality and only accept a right to privacy. Infact American Courts, just like their Indian counterparts, recognize both a right to confidentiality as well as a right to privacy.

Since Indian courts accept both the concept of breach of privacy as well as breach of confidentiality, one should not try to figure out if a particular circumstance is more appropriate for the one over the other, but actually use both principles to supplement one another for achieving the same objective. For example in situations where the conditions required for the application of the law of confidentiality do not exist such as disclosure of personal information by a person who did not receive it in a confidential capacity, one could apply the principle of privacy to prevent such information being disclosed or claim a remedy after disclosure. On the other hand if the information to be disclosed is not of a personal nature then one could try to utilize the law of confidentiality to prevent disclosure or claim damages.

At a briefing on ICANN52 organized by the Centre for Communication Governance (NLU, Delhi) on 3 February, 2015 (‘CCG Briefing Event’), consensus was seen on two broad things: ICANN’s processes on IANA transition and accountability are crucial for Internet governance this year, and India’s participation (both municipal and international) is wanting. The meeting, which saw discussion following the Chatham House rules, was attended by members from industry associations, government and civil society. A light parsing of the current proposals from the CWG-Names and CRISP (the names and numbers communities) for IANA transition brought the composition of the transition proposals under scrutiny.

CRISP and the proposed Service Level Agreements:

The proposal from the numbers community, the CRISP, suggests that ICANN and the five RIRs enter into Service Level Agreements. Under the proposal, existing accountability, oversight and policy development mechanisms remain unchanged, with ICANN agreeing to perform IANA functions to meet requisite service levels. If it fails to meet such standards, the RIRs may terminate the contract or refuse to renew it.

The CRISP proposal does not look beyond ICANN for an IANA functions operator, and places its faith entirely in ICANN’s past performance of numbering IANA functions. As so many have said before, the CRISP proposal is blithe in its lack of review mechanism or safeguards, having even fewer safeguards than the CWG-Names proposal. Doubtless, a cause for concern.

CWG-Names and the Four New Entities:

The CWG-Names proposal suggests that four new entities be created to replace the NTIA’s role under the IANA Functions Contract. Under the proposal, ICANN will continue to be the IANA Functions Operator for the present. It will enter into an IANA Functions Contract with “Contract Co.”, a new shell entity which will replace NTIA as the contracting party. Contract Co. is to be a lightweight entity, with few staff or administrative capabilities.

At present, the NTIA performs what it considers a “clerical role” in its oversight of the DNS. However, the IANA Functions Contract also includes review functions, such as the rebidding and renewal process to determine whether ICANN (or some other entity) ought to continue as the IANA functions operator. Under the CWG-Names proposal, these review functions, which also include budget reviews, reporting, etc. are to be carried out by a “Multi-stakeholder Review Team (MRT)”, the terms of whose composition are as yet undecided.

The composition of the MRT is crucial to an independent and representative oversight of IANA. At the CCG Briefing Event, concerns were raised as to the representation of ccTLDs on the MRT. Not all ccTLDs are represented in the ICANN ecosystem, in the ccNSO; 152 ccTLDs are members of the ccNSO. Of course, one may argue that this concern exists under the present IANA functions contract as well. But the devil is in the details, or lack thereof. We don’t know, for instance, who will populate the MRT, whether they will enjoy immunities normally reserved for diplomatic or consular agents, or most importantly, what relationship the MRT will enjoy with ICANN. Will there be a contract with ICANN, or a memorandum of understanding that sets out ICANN’s responsibilities, failing which the IANA contract may be terminated?

The third new creation of the CWG-Names proposal is the “Customer Standing Committee (CSC)”. While the CSC’s composition is also nebulous, its functions are to work with the MRT to establish Service Levels and Performance Indicators for the naming functions, and to receive performance reports from the IANA operator (ICANN). Clause C.2.8 of the present IANA functions contract requires that the IANA operator (ICANN) develop performance standards for all enumerated IANA functions (see Clause C.2.9.1 to C.2.9.4), and also to report on them (Clause C.4). Presumably, the CSC will fill the role of the NTIA’s Contracting Officer’s Representative in receiving these performance reports.

The fourth and final new entity is the “Independent Appeals Panel (IAP)”, the composition of which is also undecided. The IAP is intended to hear and adjudicate all actions related to the root zone or root zone WHOIS, and under the present proposal, the CWG-Names suggests it should be constituted from time to time in the manner of a binding arbitration process. However, it should be noted that the CWG-Names proposal is unclear whether the IAP decisions are binding on or advisory to the ICANN Board. Concerns of the IAP’s composition aside, dangers of making its decisions only advisory to the ICANN Board loom large and real, and the CCG Briefing Event reflected this.

Already, the ICANN Board wields extensive power with regard to policy decisions. For instance, policies developed under the global policy development process by Regional Internet Registries (RIRs) may be rejected by the ICANN Board by a 2/3rds majority vote. Such a rejection may result in a mediation process according to agreed procedure. Another instance is the change in the ICANN Board’s treatment of GAC advice. Prior to the amendment to ICANN’s Bye-laws, the Board was not required to provide reasons for its rejection of GAC advice. In its present form, Article XI, Section 2(1) of ICANN’s Bye-laws make such reasons mandatory. How ought IAP decisions be treated, as binding or advisory? If they are to be binding, ICANN or any other IANA functions operator will have to enter into a legal arrangement (by contract or MoU, or in the best case, an amendment to ICANN Bye-laws).

Dodging the real issues: ICANN incumbency, IANA separation and where will all the money come from?

Both the CWG-Names and CRISP proposals skim past certain issues relating to ICANN’s incumbency in the IANA role. The first concern, of course, is whether ICANN should continue to be the IANA functions operator. Both proposals accept ICANN’s role, suggesting no change. While there are compelling reasons for ICANN’s continued role as IANA functions operator, unquestioning incumbency is equal to lack of accountability. And as neither proposal sets out a review process (the CWG-Names proposal only mentions that the MRT shall have this function), it is a concern.

Perhaps the CCWG-Accountability, convened under the Enhancing ICANN Accountability process, is better equipped to provide suggestions. However, the CCWG-Accountability is hard-pressed for time. Its two Workstreams, dealing with IANA transition related accountability mechanisms and ICANN’s internal accountability, are unlikely to see desired progress before the transition deadline of September 2015. For instance, within the CCWG-Accountability, a debate is ongoing as to ICANN’s composition. At the time of its incorporation, a suggestion that ICANN ought to have statutory members was floated, but turned down. The suggestion has reared its head again in the CCWG-Accountability, to consider checks and balances on the ICANN Board.

The second concern relates to IANA’s continued existence within ICANN, without separation of policy and implementation. This concern has been clamouring for attention for many months. Milton Mueller, for instance, has recommended structural separation of IANA and ICANN, as did I and others during the course of the face-to-face meetings of the CWG-Names (I attended remotely).

A structural separation is beneficial for many reasons. It enforces a simple separation of powers. “When”, as Montesquieu stated, “the legislative and the executive powers are united in the same person, or in the same body of magistrates, there can be no liberty; because apprehensions may rise, lest the same monarch or senate should enact tyrannical laws, to execute them in a tyrannical manner”. Tyranny is speaking in terms too extreme for ICANN, perhaps, it is undeniable that ICANN has grown larger in scope and size from its original incorporation. It was incorporated, as Professor DeNardis has noted [Protocol Politics, 161], to perform technical coordination of the global DNS and other functions performed originally by Jon Postel as IANA.

Today, in addition to technical coordination and policy-setting for names and numbers (through the gPDP), ICANN is a major player in the Internet governance institutional space; its involvement in and aggressive marketing of the NETmundial Initiative is but an example. For instance, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (FY2015). It has budgeted, in comparison, US $13 million for travel and meetings alone (FY2015). Separating IANA from ICANN will, as others have suggested, protect it from political or other influences within ICANN.

In any event, once the NTIA terminates the IANA functions contract, IANA is not strictly required to be within the US. At the moment, Clause C.2.1 of the IANA functions contract requires that the IANA functions operator be “a wholly U.S. owned and operated firm or fully accredited United States University or College operating in one of the 50 states of the United States or District of Columbia; b) incorporated within one of the fifty (50) states of the United States or District of Columbia; and c) organized under the laws of a state of the United States or District of Columbia”.

Were structural separation to be achieved, IANA could be incorporated in another, neutral jurisdiction. Not only would be assuage optical considerations and ensure separation of powers, but as our experience with filtering on the Internet shows (see, for instance, the Open Net Initiative’s research), unilateral controls are much harder to enforce when the apparatus is decentralized.

The third concern raised at the CCG Briefing Event concerned the funding of the new entities proposed by the CWG-Names. Would these entities be self-financing, or perhaps ICANN would support them? While some participants felt ICANN could also provide financial support, this would, in my view, bring ICANN too close to its oversight entities, and increase chances of influence.

Collection of Net Neutrality Definitions

Please feel free to get in touch if you would like to suggest definitions to be added to this  working database.

Why Is ICANN Here?

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for critical backbones of the Internet. It manages the root server system, the global allocation of IP addresses, protocol registries and the domain name system (management of gTLDs, ccTLDs, as well as the newly rolled-out “new gTLDs”).

ICANN was incorporated in California in 1998, and was intended as the technical coordination body for the backbone of the Internet. That is, it was to administer the Internet’s domain names and IP addresses, and also manage the Internet root servers.

As a result of an agreement with the National Telecommunications and Information Administration (NTIA) in the US Department of Commerce, ICANN is the IANA functions operator. It carries out the IANA functions, which include making changes to the root zone file (the backbone of the domain name system), allocation of IP address blocks to the five Regional Internet Registries (RIRs), and maintaining protocol parameter registries in collaboration with the Internet Engineering Task Force (IETF). The RIRs are responsible for allocating IP addresses (IPv4 and IPv6) to national and local Internet registries. The IETF develops Internet standards and protocols, such as those within the TCP/IP suite. To be clear, ICANN does not make policy for the IP address or Internet standards/protocols; those are the domains of RIRs and the IETF, respectively.

ICANN, Domain Names and All That Buried Treasure

ICANN is the de facto policy-making body for domain names. Through ICANN’s community Supporting Organisations and Advisory Committees (SOACs) – largely a multi-stakeholder community – ICANN determines policies for dispute resolution (see, for instance, the UDRP for domain name disputes), maintaining the WHOIS database, etc. for domain names.

Under its contracts with Top Level Domain (TLD) Registries, ICANN receives payment for all registrations and/or renewals of domain names. For instance, under the .bharti Registry Agreement, ICANN receives a fixed annual registry free of US $6250. If there are more than 50,000 registrations or renewals of domain names under a TLD (say, .bharti) in a quarter, then ICANN also receives an amount equal to (No. of registrations or renewals X US $0.25). TLD Registries “own” TLDs like .com, and they maintain a list of all the domain names registered under that TLD. There are around 816 such Registry Agreements, and in FY14, ICANN received over US $47 million in Registry fees [see page 7].

Similar agreements exist between ICANN and domain name Registrars accredited by it, too. Domain name Registrars are entities like Go Daddy and Big Rock, from whom people like you and me (or companies) can register domain names. Only Registrars accredited by ICANN can register domain names that will be included in the ICANN DNS, the most frequently used DNS on the Web. Each Registrar pays a yearly accreditation fee of US $4000 to ICANN (see Clause 3.9). Each Registrar also pays to ICANN fees for every domain name registration or renewal. There are over 500 ICANN-accredited Registrars, and in FY14, ICANN received over US $34.5 million in Registrar fees [see page 7].

Now, apart from this, in its IANA operator role, ICANN is responsible for the global allocation of IP addresses (IPv4 and IPv6). From the global pool of IP addresses, ICANN allocates to the five Regional Internet Registries (RIRs), which then allocate to National Internet Registries like the National Internet Exchange of India (NIXI as IRINN), local Internet registries or ISPs. For this, ICANN receives a combined contribution of US $823,000 each year as revenue from RIRs [see, ex.: FY09 Financial Statements, page 3].

And this isn’t all of it! With its new gTLD program, ICANN is sitting on a large treasure trove. Each gTLD application cost US $185,000, and there were 1930 applications in the first round (that’s US $357 million). Where there arose disagreements as to the same or similar strings, ICANN initiated an auction process. Some new gTLDs were auctioned for as high as US $6 million.

So ICANN is sitting on a great deal of treasure (US $355 million in revenues in FY14 and growing). It accumulates revenue from a variety of quarters; the sources identified above are by no means the only revenue-sources. But ICANN is unaware of, or unwilling to disclose, all its sources of revenue.

ICANN's Troubling Scope-creep and Does Transparency Matter?

At CIS, we are concerned by ICANN’s unchecked influence and growing role in the Internet governance institutional space. For instance, under its CEO Fadi Chehade, ICANN was heavily involved backstage for NETmundial, and has set aside over US $200,000 for Mr. Chehade’s brainchild, the NETmundial Initiative. Coupled with its lack of transparency and vocal interests in furthering status quo (for instance, both the names and numbers communities’ proposals for IANA transition want ICANN to remain the IANA functions operator, without stringent safeguards), this makes for a dangerous combination.

The clearest indication lies in the money, one might say. As we have written before, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (Budget FY15, page 17). It has budgeted, in comparison, US $13 million for travel and meetings alone, and spent over US $18 million on travel in FY14 (Budget FY15, page 11).

To its credit, ICANN makes public its financial statements (current and historic), and community discussions are generally open. However, given the understandably complex contractual arrangements that give ICANN its revenues, even ploughing through the financials does not give one a clear picture of where ICANN’s money comes from.

So one is left with questions such as the following: Which entities (and how many of them) pay ICANN for domain names? What are the vendor payments received by ICANN and who pays? Who all have paid ICANN under the new gTLD program, and for what purposes? Apart from application fees and auctions, what other heads of payment exist? How much does each RIR pay ICANN and what for, if IP addresses are not property to be sold? For how many persons (and whom all) does ICANN provide pay for, to travel to meetings and other events?

You may well ask why these questions matter, and whether we need greater transparency. To put it baldly: ICANN’s transparency is crucial. ICANN is today something of a monopoly; it manages the IANA functions, makes policy for domain names and is increasingly active in Internet governance. It is without greater (effective) accountability than a mere review by the NTIA, and some teething internal mechanisms like the Documentary Information Disclosure Policy (DIDP), Ombudsman, Reconsideration and Independent Review and the Accountability and Transparency Review (ATRT). I could elaborate on why these mechanisms are inadequate, but this post is already too long. Suffice it to say that by carefully defining these mechanisms and setting out their scope, ICANN has stifled their effectiveness. For instance, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws (Article IV, Section 2), it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests. This simply violates the principles of natural justice, wherein one may not be a judge in one’s own cause (nemo debet esse judex in propria causa).

Moreover, ICANN serves corporate interests, for it exists on account of contractual arrangements with Registries, Registrars, the NTIA and other sundry entities. ICANN has also troublingly reached into Internet governance domains to which it was previously closed, such as the NETmundial Initiative, the NETmundial, the IGF and its Support Association. It is unclear that ICANN was ever intended to overreach so, a point admitted by Mr. Chehade himself at the ICANN Open Forum in Istanbul (IGF 2014).

Finally, despite its professed adherence to multi-stakeholderism, there is evidence that ICANN’s policy-making and functioning revolve around small, cohesive groups with multiple professional inter-linkages with other I-Star organisations. For instance, a revolving door study by CIS of the IANA Coordination Group (ICG) found that 20 out of 30 ICG members had close and longterm ties with I-Star organisations. This surely creates concern as to the impartiality and fairness of the ICG’s decision-making. It may, for instance, make a pro-ICANN outcome inevitable – and that is definitely a serious worry.

But ICANN is intended to serve the public interest, to ensure smooth, stable and resilient running of the Internet. Transparency is crucial to this, and especially so during the IANA transition phase. As advisor Jan Scholte asked at ICANN52, what accountability will ICANN exercise after the transition, and to whom will it be accountable? What, indeed, does accountability mean? The CCWG-Accountability is still asking that question. But meanwhile, one among our cohorts at CIS has advocated transparency as a check-and-balance for power.

The DIDP process at ICANN may prove useful in the long run, but does it suffice as a transparency mechanism?

ICANN's Responses to CIS' DIDP Requests

Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN. Our aim was to test and encourage transparency from ICANN, a process crucial given the CCWG-Accountability’s deliberations on ways to enhance ICANN’s accountability. We have received responses for 9 of our requests. We summarise ICANN’s responses in a table: please go here.

A glance at the table above will show that ICANN’s responses are largely negative. In 7 requests out of 9, ICANN provides very little new information. Though the responses are detailed, the majority of information they provide is already identified in CIS’ requests. For instance, in the response to the NETmundial Request, ICANN links us to blogposts written by CEO Fadi Chehade, where he notes the importance of translating the NETmundial Principles into action. They also link us to the Final Report of the Panel on Global Internet Cooperation and Governance Mechanism, and ICANN’s involvement in the NETmundial Initiative.

However, to the query on ICANN’s own measures of implementing the NETmundial Principles – principles that it has lauded and upheld for the entire Internet governance community – ICANN’s response is surprisingly evasive. Defending lack of action, they note that “ICANN is not the home for implementation of the NETmundial Principles”. But ICANN also responds that they already implement the NETmundial Principles: “Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework” (emphasis provided). One wonders, then, at the insistence on creating documents involving such high-level principles; why create them if they’re already implemented?

Responses to other requests indicate that the DIDP is, in its current form, unable to provide the transparency necessary for ICANN’s functioning. For instance, in the response to the Ombudsman Request, ICANN cites confidentiality as a reason to decline providing information. Making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline a DIDP request. But it is also important to investigate these reasons. ICANN’s Ombudsman is appointed by the ICANN Board for 2 year terms, under Clause V of ICANN’s Bylaws. The Ombudsman’s principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly”. The Ombudsman reports only to the ICANN Board, and all matters before it are kept confidential, including the names of parties and the nature of complaints. The Ombudsman reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy.

This creates a closed circle in which the Ombudsman operates. The ICANN Board appoints the Ombudsman. He/she listens to complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. However, neither the names of parties, the nature of complaints, nor the decisions of the Ombudsman are publicly available. Such a lack of transparency throws doubt on the functioning of the Ombudsman himself – and on his independence, neutrality and the extent of ICANN’s influence on him/her. An amendment of ICANN’s Bylaws would then be imperative to rectify this problem; this matter is squarely within the CCWG-Accountability’s mandate and should be addressed.

As is clear from the above examples, ICANN’s DIDP is an inadequate tool to ensure transparency functioning. The Policy was crafted without community input, and requires substantial amendments to make it a sufficient transparency mechanism. CIS’ suggestions in this regard shall be available in our next post.

CIS' Annual Reports are here. Our audit is ongoing, and the Annual Report for 2013-14 will be up shortly. Pranav Bidare (3rd year) of the National Law School, Bangalore assisted with research for this post, and created the table of CIS' DIDP requests and responses.

Click to view the article on Global Voices here.

Mock-up of a blocked URL (Image: Subhashish Panigrahi, CC-by-SA 3.0)

The Government of India in the last week of 2014 asked Internet service providers (ISPs) to block 32 websites including code repository Github, video streaming sites Vimeo and Dailymotion, online archive Internet Archive, free software hosting site Sourceforge and many other websites on the basis of hosting anti-India content from the violent extremist group known as ISIS.

The blanket block on many resourceful sites has been heavily criticized on social media and blogs by reviving the hashtag #GoIblocks that evolved in the past against internet censorship by the government.

Nikhil Pahwa at MediaNama notes that this time many ISPs published the list of the blocked sites:

Typically, users are not informed about which websites are blocked, so this was a welcome move from the ISP.

“Say No to Censorship. #GOIBlocks” (taken from Facebook page of Free Software Foundation, Tamil Nadu)

In 2012, opposition party leader Narendra Modi (who is now India's Prime Minister) tweeted against the URL blocks by the earlier ruling of India's National Congress when then-Minister of Communications and Information Technology Kapil Sibal ordered to block 300 websites. Many eyebrows were raised when Modi repeated the move this time around.

Internet censorship in India has been increasingly prominent since 1999 when Pakistani newspaper Dawn was blocked by the Videsh Sanchar Nigam Limited for post-Kargil War views against India. These caught heavy criticism from netizens, often under the hashtag #IdiotKapilSibal. Since then there have been many instances of government-mediated censorship, particularly with the enactment of India's Information Technology Act of 2000.

Arvind Gupta, head of Information Technology for India's ruling Bharatiya Janata Party, tweeted to clarify that the sites were blocked as advised by the Anti-Terrorism Squad.

Arvind Gupta ✔ @buzzindelhi

Follow

The websites that have been blocked were based on an advisory by Anti Terrorism Squad, and were carrying Anti India content from ISIS. 1/2

3:11 PM - 31 Dec 2014

362 Retweets 82 favorites

After agreeing to remove anti-India content posted by accounts that appeared to have some association with ISIS, weebly.com, vimeo.com, Pastebin, dailymotion.com and gist.github.com were unblocked.

These websites have undertaken not to allow pasting of such propaganda information on their website and also work with the government to remove such material as per the compliance with the laws of land.

-  Ministry of Communications and Information Technology, Government of India (posted in Business Standard)

Arvind Gupta ✔ @buzzindelhi

Follow

Action has been initiated to unblock -- http://weebly.com , http://vimeo.com , http://dailymotion.com and (1/2)

12:36 AM - 1 Jan 2015

63 Retweets 25 favorites

Arvind Gupta ✔ @buzzindelhi

 

gist.github.com :: http://wap.business-standard.com/article/news-ians/government-decides-to-unblock-four-websites-out-of-32-114123101162_1.html … (2/2)

12:36 AM - 1 Jan 2015

39 Retweets 12 favorites

The Supreme Court, in Sabu George v. Union of India and Ors. (WP (C) 341/2008), is looking into the presence of material regarding pre-natal sex determination on search engines such as Google, Bing, and Yahoo!. The petitioner alleges that search engines have been displaying content that falls foul of §22 of the Pre-Natal Diagnostic Techniques Act, 1994, as amended in 2002 (“the Act”).

The relevant parts of §22 that search engines are alleged to have violated are as follows:

“22. Prohibition of advertisement relating to pre-natal determination of sex and punishment for contravention.-

1. No person, organization, Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic, including clinic, laboratory or centre having ultrasound machine or imaging machine or scanner or any other technology capable of undertaking determination of sex of foetus or sex selection shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement, in any form, including internet, regarding facilities of pre-natal determination of sex or sex selection before conception available at such centre, laboratory, clinic or at any other place.
2. No person or organization including Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement in any manner regarding pre-natal determination or preconception selection of sex by any means whatsoever, scientific or otherwise” (emphasis supplied)

Explanation.- For the purposes of this section, ‘advertisement’ includes any notice, circular, label, wrapper or any other document including advertisement through internet or any other media in electronic or print form and also includes any visible representation made by means of any hoarding, wall-painting, signal, light, sound, smoke or gas.

From a cursory reading, it would appear that the section serves as a clear and unequivocal ban on advertisements for clinics or other laboratories that perform pre-natal sex determination. However, the Supreme Court seems to have landed itself into a mess by muddling the distinction between web/online advertisements (in the sense that the word has been used in the quoted provision) and organic search results. The court has received little assistance from the words of the statute, since the Act contains no exhaustive definition of ‘advertisement’. The closest thing to such a definition is the explanation to §22, which only specifies that the term is inclusive of some common forms of adverts – label wrappers, audiovisual representations, etc. This is not a definition, and does not expand the meaning of the word to include organic search results, which are commonly understood not to be advertisements (see here and here, for example). This distinction was pointed out to the court in the submission of the Group Coordinator, Cyber Laws Formulation and Enforcement Division, Department of Information Technology, as noted by the bench in its order dated the 4^th of December 2014.

It is our view that this distinction is of vital importance to the entire debate surrounding the PNDT Act, and therefore we have clearly differentiated between organic search results and “sponsored links”, or advertisements, wherever required.

In order to examine whether search engines were in compliance with the law, we systematically searched for terms most likely to trigger advertisements that would violate §22 of the Act. Further, we selected search engines across the market spectrum, from high-revenue organisations likely to have performed comprehensive due diligence (Google, Bing, etc.) to relatively low-revenue operators who did not have offices in India, or dedicated service offerings specific to India, and were therefore unlikely to have taken special measures to comply with the provisions of the PNDT Act (Yandex, DuckDuckGo, etc.). Further, where search engines had India-specific websites, we checked to see whether there was any difference in the advertising outputs of the India site and the US site.

Since the advertising systems work on a bidding mechanism, where the same keywords were likely to trigger different ads based on the rates selected by advertisers, our methodology also included making multiple (five, in most cases) iterations of searches that yielded advertisements, even if the ads displayed were not violative of the Act.

Online Advertisements

The results of this analysis (tabulated below) are surprising, to say the least. First, we found that major search engines such as Google, Yahoo and Bing (constituents of the advertising alliance, the Yahoo! Bing Network) did not display incriminating ads for many of the searches we attempted [see Table 1 below]. In searches for “sex selective abortion”, for example, Google even provided sponsored links to NGOs attempting to generate awareness against the practice. Nor were any non-compliant ads present on their US sites. No violative ads were observed on Yandex. DuckDuckGo did display a questionable advertisement for the term “prenatal sex determination”, but we shall discuss this in detail later.

However, there were some advertisements of questionable legal status. In Google, for instance, our searches for “Dubai indian pregnancy centre” and a litany of similar searches showed searches that featured international services. These services for sex-selection would, presumably, extend to India [see Table 2 below].

Table 1

Advertisements within Search Results

We also examined the search results themselves to check whether the links led to advertisements. On the basis of our searches we found that there are instances both in Google and Yahoo!, where, when we clicked on the search result, we were directed to advertisements. Bing and Rediff, in these searches, did not lead to any prohibited links. Our findings are tabulated below:

Given that some search results do indeed seem to violate §22, we then examined the advertising policies of those search engines alleged to display prohibited advertisements in Sabu George – Google, Yahoo! and Bing.

Advertising Policies of Search Engines

The Yahoo! Bing Network, in its advertising guidelines, has an entire section dedicated to ads for pharmacy and health care products and services. In it, there exists a comprehensive list of advertisements prohibited specifically due to the existence of Indian law – such as, for example, ads for miracle cures. Further, under the ‘Family Planning’ category on the same page, the Network acknowledges the existence of regulatory restrictions against advertisements for abortion services, paternity tests, and pre-natal sex determination in India. The consequences of non-compliance with the guidelines are laid out clearly on the same page – they include ad disapprovals, domain blocks, and account suspensions. Despite this, a search for “pregnancy gender determination” displayed an advertisement of an ultrasound lab in the United States that conducts sex determination tests [Table 2].

Google’s Adwords service has a similar policy statement, titled ‘Legal requirements & serving limitations’ for advertisements on its network. At the outset, Google asserts that the advertiser is responsible for the legality of the ad’s contents:

“As an advertiser, you're always responsible for ensuring that you comply with all applicable laws and regulations, in addition to Google's advertising policies, for all of the locations where your ads are showing. The guidelines below are intended to help highlight some areas where we've seen advertisers violate legal requirements in the past. However, this is not an exhaustive list of legal issues that you may need to consider, so we urge you to do your own research regarding appropriate advertising practices for the place where your business operates, as well as any other places where your ads are showing.”

Further, in its list of local legal requirements, under the head of ‘Regulated Products & Services’, Google clearly acknowledges that existing legal prohibitions shall be enforced against advertisements for, inter alia, infant food products and gender determination in India. Advertisements for infant food products are prohibited under §3(a) of the Infant Milk Substitutes Act, 2003. As with the Yahoo! Bing Network, the consequences for violating the advertising guidelines include disapproval of the ad, disabling of the domain from the ad network, and suspension of accounts. Despite these precautions, Google did show display some advertisements that would fall foul of §22, such as those we found in Table 2.

But it seems, at least, that in the case of major search engines, there exist concrete policies to back the relative lack of advertisements violating §22 of the PNDT Act. However, it is possible that these policies were evolved after the Writ Petition in Sabu George was filed in 2008.

Sources connected to the case indicate that the petitioner has alleged the presence of violative ads, and we have no data regarding 2008 advertising policies at either of these search engines. The Yahoo! Bing Network, however, does have an Editorial guidelines change log, stretching back all the way to the Network’s inception in 2012. The log does not detail any changes to the policy against ads for sex determination in India, so it follows that the Yahoo! Bing Network policy has existed at least from September 2012.

Interestingly, Yandex, the Russian search provider, appears to have prevented ads relating to pre-natal sex determination for different reasons. In its Advertising Requirements, Yandex mandates several restrictions on advertisements relating to medicines, medical products and medical services, which require licenses, registrations with Russian federal authorities, etc. to be produced to Yandex before an ad can be placed. Yandex has placed these restrictions in pursuance of Russian federal laws, but it appears that they have had the unintended consequence of keeping the site clear of advertisements that violate §22 of the PNDT Act, as well.

Finally, we come to the case of DuckDuckGo, which displayed questionable content in response to the term “prenatal sex determination” – an ad for ultrasound imaging services provided in the US. A similar ad was seen on Yahoo, as noted earlier. Even this, however, would not be a violation of the Act, since the service was located outside India, and the ad was placed by a foreign citizen residing in a foreign jurisdiction.

It is well-known that India is one of the few countries that has a ban on pre-natal sex determination, and it is a documented practice for couples to travel abroad and undergo diagnostic tests that enable them to discern the sex of the foetus – Thailand has been a destination of choice, if news reports are to be believed. Further, such non-Indian advertisements were seen on Google around 2009, and the argument made by Google’s counsel then stands today – that the situation was akin to an Indian library buying Thai magazines containing sex determination-related advertisements and making them available to the Indian public. Those ads are not targeted at Indians; the magazines were not meant for India. If the ad included invitations to foreigners (“Internationally famous for sex selection!”; “Sex of babies from around the world determined!”), and was published knowing that Indians would read it, then there is a greater likelihood that §22 of the Act stands violated. For instance, Google’s results for “UAE pregnancy gender” showed advertisements of fertility centres in the Middle East, some of which advertise for international patients.

In any event, since there exists no ban against the advertiser in his own jurisdiction, it would lead to an absurd result for search engines to be prosecuted for showing such ads to the Indian public, especially when the advertised service is not meant for or available in India. Displaying such a result would be especially detrimental to low-revenue search engines such as DuckDuckGo, who would be unable to conduct adequate due diligence to protect themselves from similar provisions in other Indian laws.

Organic Search Results

Having dealt with the issue of advertising against the provisions of §22, we now shift our focus to organic search results. At the outset, we must acknowledge the fact that the words of the statute specify “advertisement”, and it remains to be seen whether organic search results can be treated as advertisements if they are aimed at selling a product or service to prospective consumers for a price. If organic search results are to be treated as advertisements under §22, then it would amount to imposing an unnaturally high burden on search engines.

As intermediaries, search engines will be given the responsibility to scrutinise and curate the content that they display. Such a model is problematic on several levels. If intermediaries (search engines, in this case) were charged with the responsibility of policing their search results, a chilling effect will, in all likehood, befall online content – search engines, being profit-driven business institutions, will naturally choose to ‘err on the side of caution’, and would rather see some legitimate content taken down rather than risk the possibility of expensive, time-consuming litigation or penalties. In fact, when given the responsibility to take down data and curate organic search results, intermediaries are ham-handed.

Such an approach would necessitate the creation of large and complex structures, much like the means used by the DMCA in the US. Only large, reasonably high-revenue search engines will be able to put in place such mechanisms, so the law creates an undesriable entry barrier. Also, curating search results for content violative of §22 would be even more arduous than curating results for DMCA violations, since under DMCA, there is concrete private incentive for rights-holders to report DMCA violations to search engines. There exists no such incentive for individuals to petition search engines to remove §22 violations, and this affects its effectiveness. For these reasons, it is problematic to read organic search results within the ambit of §22.

Of course, the government can and should expect that online advertisements for sex selection services, inviting people to learn the sex of their foetus, are prohibited. It may do this for reasons of public health and safety, and in order to reduce female-selective abortions. But search results, unlike advertisements, contain medical information, links to anti-sex-selection campaigns and information about female foeticide. It would be unfortunate for the government to expect search providers to actively curate the content of a dynamic ecosystem such as the internet, while at the same time ensuring that legitimate content is preserved.

Sabu George and What Can Be Done

Lamentably, the Supreme Court does not appear to have entered this debate at all. In the latest arguments in Sabu George, the Solicitor General of India Mr. Ranjit Kumar offered the government’s hand in filtering and blocking sex-selection advertisements. Mr. Kumar stated that, “if the URL and the I.P. addresses are given along with other information by the respondents”, and also listing keywords, the Union of India can order website blocking under §69A of the Information Technology Act, 2000 (amended). The Union’s stance, it would seem, is that either the search engines should block offending ads by themselves, or block on the basis of directions issued by the government.

In its order of 28 January 2015, the Supreme Court has directed that, as an interim measure, “Google, yahoo and Micro Soft [sic] shall not advertise or sponsor any advertisement which would violate Section 22 of the PCPNDT Act, 1994. If any advertise [sic] is there on any search engine, the same shall be withdrawn forthwith by the respondents”. The Court plans to hear arguments on the “total blocking of items that have been suggested by the Union of India” on the next hearing date, February 11, 2015.

Instead of hearing arguments on the feasibility of total blocking of offending online ads, the Supreme Court should ask whether organic search results constitute advertisements. These results are those that appear as the product of the search algorithm, and would take much time and expense to curate. It would also amount to time-consuming and disproportionate content inspection by the search engines. In any event, it seems that the major search engines do comply in large part with §22 of the PNDT Act. Where offending ads are found (like we did during our searches), the notice-and-takedown procedure under §79 of the Information Technology Act, 2000 can be put to intelligent use.

The second option noted by the Court, filtering or blocking on the basis of URLs or IP addresses, also stand the danger of overbreadth or overblocking. Such overblocking is routine across filtering regimes in many jurisdictions; for ex., see the Open Net Initiative’s note on filtering (“Filtering’s Inherent Flaws”). It is a danger better averted. In any event, a filtering regime would not affect organic search results, and so the doubt as to the scope of §22 remains.

Pranesh Prakash provided invaluable feedback. Balaji Subramanian and Pranav Bidare performed the searches on different engines. Balaji Subramanian is at NALSAR University of Law, Hyderabad, and is in his 2nd year of law. Pranav Bidare is in his 3rd year of law at the National Law School, Bangalore.

ASSOCHAM convened a meeting of its members and other stakeholders, at which CIS was represented. At this meeting, inputs were sought on Internet governance issues relevant for India, on which the industry body proposed to make comments to the Ministry of External Affairs, Government of India. Such a discussion, proposing to consolidate the views of ASSOCHAM members in consultation with other stakeholders, is a commendable move. This submission presents preliminary comments from the Centre for Internet and Society (CIS) in light of ASSOCHAM's consultation on Internet governance.

I. About CIS

1. CIS is a non-profit research organization that works, inter alia, on issues relating to privacy, freedom of expression, intermediary liability and internet governance, access to knowledge, open data and open standards, intellectual property law, accessibility for persons with disabilities, and engages in academic research on the budding Indian disciplines of digital natives and digital humanities.

2. CIS engages in international and domestic forums for Internet governance. We are a Sector-D member of the International Telecommunications Union (ITU),[1] and participated in the World Conference on International Telecommunications (WCIT), 2012 (Dubai) [2] and the Plenipotentiary Conference, 2014 (Busan).[3] We have also participated in the WSIS+10 Multistakeholder Preparatory Platform (MPP)[4] and the WSIS+10 High Level Event, organized by the ITU.[5]

3. CIS is also a member of the Non-Commercial Users Constituency (NCUC) at ICANN. Pranesh Prakash, our Policy Director, held a position on the NCUC Executive Committee from December 2013 to November 2014.[6]

4. CIS has been engaging at the Internet Governance Forum (IGF) since 2008, and has organized and participated in over 60 panels to date.[7] We have also organized panels at the Asia-Pacific Regional IGF (APrIGF). [8] Our Executive Director Sunil Abraham is a member of the Multistakeholder Advisory Group (MAG) for the India-IGF, and has attended in its meetings.[9] We are also in the process of developing international principles for intermediary liability, in collaboration with international civil society organisations like EFF and Article19. [10]

II. Structure of Submission

5. In this submission, we identify issues in Internet governance where engagement from and within India is necessary. In particular, brief descriptions of issues such as freedom of expression and privacy online, cyber-security, critical Internet resources and ICANN, multistakeholderism and net neutrality are provided.

III. Internet Governance Issues

6. The history of the Internet is unique, in that it is not exclusively government-regulated. Though governments regulate the Internet in many ways (for instance, by ordering website blocking or filtering, licensing of ISPs, encryption controls, investment caps, etc.), the running of the Internet is largely in the hands of private businesses, technical organisations and end-users.

7. International processes like the World Summit on Information Society (WSIS), and forums such as ICANN, the ITU, the IGF and the UN are involved in governing in the Internet in many ways. Regional organisations like the OECD, APEC and the Shanghai Cooperation Organisation (SCO) are also involved (for instance, in cyber-security matters).

8. The issues surrounding Internet governance are many, and range from telecom infrastructure and technical coordination to human rights and access to information.

Rights Online

9. The status of 'human rights online' has come under discussion, with the NETmundial Outcome Document affirming that offline rights must also be protected online. These issues are important in the context of, among others, the large scale violations of privacy in light of the Snowden Revelations,[11] and increased instances of website blocking and takedowns in different parts of the world.[12]

10. Internationally, issues of freedom of speech, privacy and access or the digital divide (though it is debatable that the latter is a human right) are discussed at the UN Human Rights Council, such as the resolution on human rights and the Internet, and the UN Human Rights Commissioner's report on the right to privacy in the digital age , which discusses the need for checks and balances on digital mass surveillance. During the Universal Periodic Review of India in 2012, India noted a recommendation from Sweden to " ensure that measures limiting freedom of expression on the internet is based on clearly defined criteria in accordance with international human rights standard ".

11. Freedom of speech and privacy are also relevant for discussion at the ITU.[13] For instance, at the Plenipotentiary meeting in 2014 (Busan), India proposed a resolution that sought, among other things, complete traceability of all Internet communications. [14] This has implications for privacy that are not yet addressed by our domestic laws. A Privacy Bill and such other protections are only in the pipeline in India.[15]

12. At ICANN as well, the root zone management function may affect freedom of expression. If, for instance, a top level domain (TLD) such as .com is erased from the root zone file, hundreds of thousands of websites and their content can be wiped from the World Wide Web. A TLD can be erased by Verisign if a request to that effect is raised or accepted by ICANN, and signed off on by the National Telecommunications and Information Administration (NTIA) of the US government. Similarly,the WHOIS database, which contains information about the holders of domain names and IP addresses, has implications for privacy and anonymity.

13. In India, the judiciary is currently adjudicating the constitutionality of several provisions of the Information Technology Act, 2000 (as amended in 2008), including S. 66A, S. 69A and S. 79. A series of writ petitions filed, among others, by the Internet Service Providers Association of India (ISPAI) and Mouthshut.com, relate to the constitutionality of the nature of content controls on the Internet, as well as intermediary liability. [16]

14. A judgment on the constitutionality of Ss. 66A, 69A and 79 are crucial for end-users and citizens, as well as companies in the Internet ecosystem. For instance, an uncertain intermediary liability regime with penalties for intermediaries - S. 79, IT Act and Intermediaries Guidelines Rules, 2011 - disincentivises ISPs, online news websites and other content providers like Blogger, Youtube, etc. from allowing free speech to flourish online. [17] The ongoing cases of Kamlesh Vaswani v. UOI and Sabu George v. UOI also have consequences for ISPs and search engines, as well as for fundamental rights.[18] International and domestic engagement is desirable, including in consultations with the Law Commission of India (for instance, the consultation on media laws).

Critical Internet Resources

15. Critical Internet Resources form the backbone of the Internet, and include management of IP addresses, the domain name system (DNS) and the root zone. [19] ICANN, a global non-profit entity incorporated in California, manages the IANA functions (Internet Assigned Numbers Authority) for the global Internet. These functions include allocating the global pool of IP addresses (IPv4 and IPv6) to Regional Internet Registries (RIRs), administering the domain name system and maintaining a protocol registry.

16. At present, the IANA functions are performed under a contract with the NTIA. On March 14, 2014, the NTIA announced its intention to transition oversight of the IANA functions to an as-yet-undetermined "global multi-stakeholder body". The deadline for this transition is September 30, 2015, though the NTIA has expressed its willingness to renew the IANA contract and extend the deadline. ICANN was charged with convening the transition process, and set up the IANA Coordination Group (ICG), a team of 30 individuals who will consolidate community input to create a transition proposal. At the moment, thenames (CWG-Names),numbers (CRISP) and protocols (IETF) communities are debating existing draft proposals. A number of new entities with which ICANN will have contractual arrangements have been proposed. At ICANN's meetings in Singapore (February 7-12, 2015) and Buenos Aires (June 2015), these proposals will be discussed.

17. At the same time, a parallel track to examine ICANN's own transparency and accountability has been introduced. The CCWG-Accountability is considering ICANN's accountability in two Workstreams: first, in light of the IANA transition and second, a revision of ICANN's policies and by-laws to strengthen accountability. ICANN's accountability and transparency are crucial to its continued role in Internet governance.

18. Several issues arise here: Should ICANN continue to remain in the US? Should the IANA Functions Department be moved into a separate entity from ICANN? Ought ICANN's by-laws be amended to create oversight over the Board of Directors, which is now seen to have consolidated power? Ought ICANN be more transparent in its financial and operational matters, proactively and reactively?

19. It is, for instance, beneficial to the stability of the Internet and to India if the IANA department is separate from ICANN - this will ensure aseparation of powers. Second, stronger transparency and accountability mechanisms are necessary for ICANN; it is a growing corporate entity performing a globally Internet function. As such, granular information about ICANN's revenues and expenses should be made public. See, for ex.,CIS' request for ICANN's expenses for travel and meetings, and ICANN's response to the same.

20. The most ideal forum to engage in this is ICANN, and within India, working groups on Internet governance at the Ministry level. As such, ASSOCHAM may seek open, transparent and inclusive consultations with the relevant departments of the Government (the Ministry of External Affairs, DeitY, Department of Telecommunications). At ICANN, industry bodies can find representation in the Business Constituency or the Commercial Stakeholders Group. Additionally, comments and proposals can be made to the ICG and the CCWG-Accountability by anyone.

Cyber-security

21. Cyber-security is often used as an umbrella-term, covering issues ranging from network security (DNSSEC and the ICANN domain), cyber-crime, and cyber-incidents such as the Distributed Denial of Service attacks on Estonian public institutions and the Stuxnet virus that attacked Iran's nuclear programme. Within the ITU, spam and child safety online are also assessed as security issues (See Study Group 17 under ITU-T).

22. At the international level, the UN Group of Governmental Experts has published three reports to date, arguing also that in cyber-security incidents, international humanitarian law will apply. International humanitarian law applies during armed attacks on states, when special rules apply to the treatment of civilians, civilian and military buildings, hospitals, wounded soldiers, etc.

23. The ITU also launched a Global Cybersecurity Agenda in 2007, aiming at international cooperation. Such cooperative methods are also being employed at the OSCE, APEC and the SCO, which have developed drafts of Confidence Building Measures. The Global Conferences on Cyberspace (London 2011, Budapest 2012, Seoul 2013, The Hague 2015) resulted in, inter alia, the Budapest Convention on Cybercrime. India has not ratified the Convention, and remains tight-lipped about its security concerns.

24. Surveillance and monitoring of online communications is a crucial issue in this regard. In India, the surveillance power finds its source in S. 5, Telegraph Act, 1888, and the Rule 419A of the Telegraph Rules, 1951. Further, S. 69 of the Information Technology Act, 2000 and the Interception Rules, 2009 enable the government and authorized officers to intercept and monitor Internet traffic on certain grounds. Information regarding the implementation of these Rules is scant.

25. In any event, the applicability of targeted surveillance should be subject to judicial review , and a balance should be struck between fundamental rights such as freedom of speech and privacy and the needs of security. An accountability model such as that present in the UK for the Interception of Communications Commissioner may provide valuable insight.

26. In India, the government does not make public information regarding its policies in cyber-security and cybercrime. This would be welcome, as well as consultations with relevant stakeholders.

Models of Internet Governance

27. Multi-stakeholderism has emerged as one of the catchphrases in Internet governance. With the display of a multi-stakeholder model at NETmundial (April 2014), controversies and opinions regarding the meaning, substance and benefits of multi-stakeholderism have deepened.

28. The debates surrounding stakeholder-roles in Internet governance began with ¶49 of the Geneva Declaration of Principles and ¶35 of the Tunis Agenda, which delineated clear roles and responsibilities. It created a 'contributory' multi-stakeholder model, where states held sovereign authority over public policy issues, while business and civil society were contributed to 'important roles' at the 'technical and economic fields' and the 'community level', respectively.

29. As the WGEC meeting (April 30-May 2, 2014) demonstrated, there is as yet no consensus on stakeholder-roles. Certain governments remain strongly opposed to equal roles of other stakeholders, emphasizing their lack of accountability and responsibility. Civil society is similarly splintered, with a majority opposing the Tunis Agenda delineation of stakeholder-roles, while others remain dubious of permitting the private sector an equal footing in public policy-making.

30. The positions in India are similarly divided. While there is appears to be high-level acceptance of "multi-stakeholder models" across industry, academia and civil society, there exists no clarity as to what this means. In simple terms, does a multi-stakeholder model mean that the government should consult industry, civil society, academia and the technical community? Or should decision-making power be split among stakeholders? In fact, the debate is more specific.

31. In India, the Multistakeholder Advisory Group (MAG) for the India-IGF was established in February 2014, and some meetings were held. Unfortunately, neither the minutes of the meetings nor action points (if any) are publicly available.

32. The Indian government's position is more complex. At the 68^th UN General Assembly session in 2011, India argued for a (multilateral) 50-member UN Committee on Internet-related Policies (CIRP). However, the Ministry for Communications and Information Technology (MCIT) has, over the years, presented differing views at the IGF and ITU through its two departments: DeitY and DoT. Further, at the meetings of the Working Group on Enhanced Cooperation (WGEC), India has presented more nuanced views, suggesting that certain issues remain within the governmental domain (such as cyber-security and child online protection). At the 9^th IGF (Istanbul, September 2014), Mr. R.S. Sharma of the DeitY echoed such a view of delineated roles for stakeholders.

33. A clear message from the Indian government, on whether it favours multistakeholderism or governmental policy authority for specific issues, would be invaluable in shaping opinion and domestic processes. In any event, a transparent consultative procedure to take into account the views of all stakeholders is desirable.

Emerging Issues

Net Neutrality

34. In simple terms, net neutrality concerns differential treatment of packets of data by carriers such as ISPs, etc. over networks. The issue has gained international attention following the U.S. FCC's regulatory stance, and the U.S. Court of Appeal's 2014 decision in Verizon v. FCC. Though this decision turned on the interpretation of 'broadband providers' under the Communications Act, 1934, net neutrality has since been debated in the US, both by the FCC and other stakeholders. There is no international consensus in sight; the NETmundial Outcome Document recognized net neutrality as an emerging issue (page 11, no. IV).

35. In India, a TRAI consultation on Over-The-Top Services on August 5, 2014 brought concerns of telecom and cellular operators to light. OTTs were seen as hijacking a portion of telcos' revenues, and as lacking consumer protection and privacy safeguards. While these concerns are legitimate, net neutrality regulation is not yet the norm in India. In any event, any such regulation must take into account the consequences of regulation on innovation, competition, and consumer choice, as well as on the freedom of the medium (which may have detrimental impacts freedom of expression).

36. Though net neutrality regulation is being mooted, there is as yet anarray of definitions of 'net neutrality'. The views of telcos themselves differ in India. Further study on the methods of identifying and/or circumventing net neutrality is necessary before a policy position can be taken.

IV. Conclusions

37. CIS welcomes ASSOCHAM's initiative to study and develop industry-wide positions on Internet governance. This note provides brief descriptions of several issues in Internet governance where policy windows are open internationally and domestically. These issues include freedom of expression and privacy under Part III (Fundamental Rights) of the Constitution of India. The Supreme Court's hearing of a set of cases alleging unconstitutionality of Ss. 66A, 69, 69A and 79 (among others) of the IT Act, 2000, as well as consultations on issues such as pornography by the Rajya Sabha Parliamentary Committee and media laws by the Law Commission of India are important in this regard.

38. International and domestic engagement is necessary in the transition of stewardship of the IANA functions, as well as ICANN's own accountability and transparency measures. Similarly, in the area of cyber-security, though several initiatives are afoot internationally, India's engagement has been cursory until now. A concrete position from India's stakeholders, including the government, on these and the question of multi-stakeholderism in Internet governance would be of immense assistance.

39. Finally, net neutrality is an emerging issue of importance to industry's revenues and business models, and to users' rights such as access to information and freedom of expression.

The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.

During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.

Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.

Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.

A common theme seemed to be emerging from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - “There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”

The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, “We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.

Information sought in the RTI Application

The specific questions asked are as follows:

1. Names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India.

2. Permission to inspect files pertaining to subject matter.

3. Details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount is for Rs. 50 crore or more.

Enterprises to which the RTI Application was addressed

The application was sent to the following enterprises:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

4. Centre for Development of Telematics (C-DOT) - an Indian Government owned telecommunications technology development centre which designs and develops digital exchanges and intelligent computer software applications.

5. Centre for Development of Advanced Computing (C-DAC) - a research and development organization under the Department of Electronics and Information Technology, Government of India.

6. Bharat Sanchar Nigam Ltd. (BSNL) - an Indian state-owned telecommunications company. It is India's oldest and largest communication service provider.

Reply to the RTI Application

The reply to the information sought in the RTI application by these enterprises is as follows:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

The RTI application was addressed to the Deputy Director of the department who forwarded the application to the Joint Director directing him to provide the requisite information directly to the applicant or transfer the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to his division. In response, the Joint Director of the Department of Electronics & Information Technology said that the information on the subject matter was NIL as far as Engineering/BM section, Fire, Security and Protocol Sections of Department of Electronics and Information Technology is concerned.

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

The RTI application was forwarded by the Deputy Secretary & Nodal Officer (RTI) of the Department of Telecommunications to the following divisions for providing the requisite information directly to the applicant or transferring the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to their division and their replies are as under:-

a. Investment Promotion Cell: The Director (IP Cell) & CPIO said that no information was available as the subject matter of the application did not pertain to IP Cell.

b. Access Services-I Division: Director (AS-I) & CPIO asked to treat the information as NIL.

c. Licensing Finance - II Branch: Director (IF-II) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

d. Licensing Finance - III Branch: Director (IF-III) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

e. Deputy Wireless Adviser: CPIO & Deputy Wireless Adviser to the Govt of India of WPC Wing, SACFA Sectt. said that the information sought was not available with that PlO.

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

The Public Information Officer (HQ) of the Information Technology Branch of Department of Food, Supplies & Consumer Affairs forwarded the RTI application to Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department to provide the Para wise information directly to the applicant in accordance with section 5(4) of RTI Act as the record related to the information sought was said to be available with their office. Section 5(4) of RTI Act reads, "The Central Public Information Officer or State Public Information Officer, as the case may be, may seek the assistance of any other officer as he or she considers it necessary for the proper discharge of his or her duties." However, a reply hasn't been received from the Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department yet.

4. The Centre for Development of Telematics

Referring the information sought in the RTI application as vague, the Centre for Development of Telematics asked the applicant to clearly define the information requirements and the period for which it required. The Centre claimed that the information sought at present would lead to handing over of a large amount of data which would require application of significant resources of public authority, since the number of the vendors and contractors could be more than seven hundred in numbers of different categories, namely, component vendors, equipment suppliers, administrative service contractors, etc. The reply was in consistency with section 7(9) of the Right to Information Act which reads, "An information shall ordinarily be provided in the form in which it is sought unless it would disproportionately divert the resources of the public authority or would be detrimental to the safety or preservation of the record in question."

5. Centre for Development of Advanced Computing

The Centre for Development of Advanced Computing disregarded the information sought by the applicant and observed that theinformation sought was vague in nature, not specific and open ended, therefore, could not be termed as Information under the RTI Act without providing any further explanation in this regard.

6. Bharat Sanchar Nigam Ltd. (BSNL), Government of India Enterprise

The RTI application was referred to the MM cell of BSNL by the AdditionaI General Manager (MIS) & CPIO of BSNL (RTI Cell) who replied that no information with respect to the names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India was available. As far as the third question regarding details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount was for Rs. 50 crore or more was concerned, the AGM of MM cell said that the information could be provided for specific contractor.

Answers to the following questions were requested:

1. Please list the companies from which MTNL/BSNL has bought all its security equipment.
2. What type of security equipment does MTNL/BSNL use to assist Indian law enforcement agencies in detecting and preventing crime, terrorism and all other illegal activity? Please provide the certification for all such equipment.
3. What malware does MTNL/BSNL test for? What does MTNL/BSNL use for testing malware in its networks?
4. Which proxy server does MTNL/BSNL use and is it used for filtering data? If so, what type of data is being filtered and for what purpose? Is authorisation required and if so, by whom?
5. Does MTNL/BSNL use FinFly ISP? If so, who authorises its use and under what conditions?

M. K. Sheda, the appellate authority of MTNL, responded to the above questions on August 3, 2013 with the following answers:

1. MTNL procures all its equipment through an open competitive bidding process and the details of all past tenders are available on the MTNL website. Equipment from multiple vendors are operational in GSM MTNL Packet-Core Network and specific names cannot be given due to security reasons.
2. MTNL uses the security equipment by the Department of Telecommunications, Government of India, to assist Indian law enforcement agencies. The details cannot be disclosed as the information is classified as "secret" as per MTNL IT Policy Revision 2.0 and also comes under Section -8 (1) (a) and (d) of the RTI Act 2005.
3. MTNL GSM Packet Core equipment for data access uses MTNL ISP as its interface with external entities. Thus information is pertaining to MTNL ISP and hence a reply may please be taken from the GM (Broadband) unit.
4. Same answer as "3" above.
5. Same answer as "3" above.

BSNL has still not responded to the above questions.

Click below to download the respective files:

1. RTI Application to BSNL
2. Reply from MTNL

The platform and campaign has been developed in response to a recent court ruling that GCHQ unlawfully obtained millions of private communications from the NSA up until December 2014. This decision allows not only British citizens, but anyone in the world, to ask GCHQ if the individual’s records were unlawfully shared by the NSA.

Individuals who wish to take part in this process can sign up here: https://www.privacyinternational.org/illegalspying

Privacy International intends to collate the inquiries from around the world and submit them to the UK Investigatory Powers Tribunal. Those who have been found to have been illegally spied on can then seek the deletion of their records, including emails, phone records, and internet communications. Given the mass surveillance capabilities of the NSA and GCHQ, and that the agencies “share by default” the information they collect, an unlimited number of people could have been affected by the unlawful spying.

The Investigatory Powers Tribunal, the UK court solely responsible for overseeing intelligence agencies, ruled on 6 February that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.

The decision was the first time in the Tribunal’s history that it had ruled against the actions of the intelligence and security services.

According to the Centre for Internet and Society – this is a great example of transparency and the ability for individuals to access information held by the government. It is also an important step towards government accountability with respect to state surveillance.

Eric King, Deputy Director of Privacy International, said:

“We have known for some time that the NSA and GCHQ have been engaged in mass surveillance, but never before could anyone explicitly find out if their phone calls, emails, or location histories were unlawfully shared between the US and UK. The public have a right to know if they were illegally spied on, and GCHQ must come clean on whose records they hold that they should never have had in the first place.

There are few chances that people have to directly challenge the seemingly unrestrained surveillance state, but individuals now have a historic opportunity finally hold GCHQ accountable for their unlawful actions.”

Brief on “Did GCHQ Spy on You Illegally?”

Privacy International on Monday February 16th 2015 launched a campaign and platform allowing people to ask the UK’s surveillance court, the Investigatory Powers Tribunal, if GCHQ spied on people illegally. This comes on the heels of our recent legal victory in the IPT, who found that all intelligence sharing from the NSA to GCHQ prior to December 2014 was unlawful.

As on February 17th night, we had over 10,000 signatures, and at the end of today we expect to have more updated figures.

While this has been successful thus far, we need your help!

We need the support of other organisations to truly make this work, and we want your organisation to join as a partner. Being a partner in this can look a few different ways: you can send out emails to your organisation's members, tweet out the links to the platform, or send out a press release to your media contacts telling them you joined the effort.

We hope you can join, and below we try to address some questions we've been getting about the campaign. There's also an additional FAQ more specifically addressing the campaign itself.

What is PI doing?

Simply put: Giving people the chance to remedy illegal government activity and hold intelligence agencies accountable. When someone submits their information through this platform, they are allowing us to go to the IPT on their behalf to find out if they were illegally spied on by GCHQ.

People could have gone directly to the IPT to ask, but that process is difficult to engage in. We wanted to create a simple, low-barrier way to give people the chance to find out if they were victims of illegal spying.

Why are you doing this?

This action is not just about satisfying curiosity. Sure, lots of us are interested in knowing whether our emails have been caught in the NSA and GCHQ’s dragnet surveillance operations, and hopefully through this platform we’ll be able to find out. But, this campaign is about much more than that.

It is about making GCHQ understand the very personal and individual implications of mass surveillance. And it is about ending the feeling of powerlessness that many of us have felt since discovering, thanks to Edward Snowden, the reality of the almost total surveillance that we’re under.

We have never done a public campaign like this, but we felt that this ruling was too important to pass up. People have a right to know if they were illegally spied on, and if so, request that their records are deleted. We want to help them assert those rights, and we think you can help too.

Why should my organisation join?

We don't get many victories in this space, but we have a rare opportunity to give people the chance to do something! Not just sign a petition, but directly hold intelligence agencies accountable and challenge proven illegal government activity.

Numbers are important too, not just important to brag about. The greater number of people who sign up actually increases our likelihood of success. That's because when we submit people's details to the IPT, one of the possible outcomes could be that the court tests a sample to see if/where illegality occurred.

The more people who sign up, the greater chance there is we can prove that people were illegally spied on. If that's the case, we could request that GCHQ delete ALL the records they obtained from NSA prior to December to 2014.

To do that, we need as many people to join. We are not merely interested in building a list, this is not a stunt, and we have no interest in poaching your members. It's simple – more people means greater chance of success.

Also, this is going to be a long fight on our front. We are going to be dealing with this campaign for the next few months if not few years. As each turn comes along the way, we are going to need your help to keep pressure up and keep people involved. Nothing good comes easy!

Is it only for British citizens?

No. This literally affects everyone who has ever used a phone or computer prior to December 2014, which is pretty much every single person.

So, anyone around the world is eligible to join this petition! No matter where you are, you’re entitled under British law to bring a claim in the courts to find out whether you were illegally spied on. Given the degree of intelligence collection by the NSA and its close relationship with the British intelligence services, it’s entirely possible that your communications have been scooped up and unlawful handed over to the UK.

So, what can you do?

Four actions you can do:

• Declare your organisation’s support for the campaign! Email [email protected] and we'll add your name to the partner section on the petition page.
• Tweet the link for the petition to your followers: www.privacyinternational.org/illegalspying using the hashtag #DidGCHQSpyOnYou
• Email your supporters and members and encourage them to join the campaign - if you need further information you can point them to the FAQ on our website or included in this pack: https://www.privacyinternational.org/?q=node/495
• Tweet at or contact notable people in your city or country - we’ve been tweeting Members of Parliament, influential journalists, movie stars, whomever!

FAQ on action

URL: https://privacyinternational.org/?q=node/495

Who is able to join?

EVERYONE! The implications of our recent legal victory against GCHQ in the Investigatory Powers Tribunal means that all intelligence sharing from the NSA to GCHQ was unlawful. Because people located all over the world are affected by illegal intelligence sharing, not only British citizens, but anyone in the world, can ask if their records collected by the NSA were unlawfully shared with GCHQ.

Why are we doing this?

Intelligence agencies' culture of secrecy have allowed them, for too long, to avoid public accountability. Whether it’s secret hearings in closed court rooms or committees equipped only with rubber stamps, intelligence agencies like GCHQ have never been forced to answer to the public for their actions.

We think you have a right to know whether you have been caught up in GCHQ and NSA's illegal intelligence sharing. If so, you have a right to demand that data be deleted. Privacy International wants to help you assert those rights.

Wait what? Why do I have to give GCHQ my data?

We know it sounds absurd but it's the only way! The Tribunal can't act by itself, so it needs people to come forward to file complaints. We've kept information needed to a minimum, but the IPT requires more than your name to attempt to find your communications in GCHQ’s massive databases. If they do locate your data, you can ask them to delete it. Hopefully, if enough people sign up, we can show just how widespread Five Eyes mass surveillance and intelligence sharing is, and get the reform we all need!

Will this tell me if GCHQ are currently spying on me?

No. This campaign will only tell you if NSA shared your communications with GCHQ before December 2014. It won't tell you if GCHQ shared communications with NSA. It also won't tell you if GCHQ intercepted your communications by themselves. Should Privacy International be successful in our appeal to the European Court of Human Rights maybe this will change, but for now, this is limited to just whether NSA shared your communications with GCHQ before December 2014.

What will happen once I have entered my details?

After you hit submit, you'll receive an email asking you to confirm your participation. Make sure you click that link, otherwise your submission won't go through. While these few details are all we need from you now, we may need more information from you in the future. By entering your details, you authorise Privacy International and their legal team to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your rights under Article 8 and Article 10 of the UK Human Rights Act have been violated and to request your records be deleted.

How will I know my communications were illegal shared with GCHQ?

If the IPT find that your communications were illegally shared with GCHQ, they have to tell you. The Investigatory Powers Tribunal has a statutory obligation to investigate any complaint made against GCHQ. When they receive a complaint, if they think they have all the information required to make a determination, then they will do so, and inform you of the outcome. If not, the IPT can demand more information, a meeting or inspection of files held by GCHQ.

Do I get anything if I have been spied on?

Yes. If the IPT is able to establish that you have been illegally spied on, they have to tell you. You will receive a declaration that your privacy rights have been violated and you can request that any information unlawfully obtained be deleted.

WiIl GCHQ hold onto my details when they are handed over to them?

No. GCHQ are only allowed to keep your details for the purposes of establishing whether or not they spied on you illegally and for the duration of the investigation by the IPT.

How soon will I receive an answer to whether I was caught up in NSA and GCHQ's illegal spying?

It might be a while. This is the first time that such a large group action has been mounted against GCHQ so count on it being many months, and likely years before this action is completed. Nothing worth doing is easy!

Is this for all of NSA and GCHQ's programmes?

This legal campaign deals with information collected by the NSA and shared with GCHQ before December 2014, specifically PRISM and UPSTREAM. It doesn't deal with GCHQ initiated interception, but if we're successful with our appeal with the European Court of Human Rights, maybe that could change!

Is my email address and phone number enough for GCHQ to find all records?

No. Unfortunately, we imagine many of GCHQ's databases are unindexed or indexed by a "selector" which could be an IP address, a cookie, a hardware address or almost anything else. For people who want the most comprehensive records searched, much more personal information would have to be provided. Currently we are asking for only your email address and phone number to enable the greatest number of people access to this campaign. If you want to provide more detailed information and a range of selectors to GCHQ, consider submitting your own individual complaint here. We hope to have a detailed guide on how to do so in the next few days.

What are Privacy International going to do with this data?

By entering your details you are authorising Privacy International to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your privacy rights have been violated. We will provide you with updates on the case and won't use the information for any other purpose. We will only share it with our lawyers, GCHQ and the Investigatory Powers Tribunal.

CIS' Request

18 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for itemized details of expenditure by ICANN at its Meetings

We would like to thank Mr. Calvez and Mr. Gupta for providing information regarding ICANN’s domain name revenues for the fiscal year ending June 30, 2014.[1] We would like to request further information through the DIDP.

In the Audited Financial Statements for the fiscal year ended June 30, 2014, the “statements of activities” provides Total Expenses (for ICANN and New gTLD) as USD 124,400,000.[2] For the fiscal year ended June 30, 2013, the Total Expenses (ICANN and New gTLD) noted is USD 150,362,000.

According to the statement, this covers expenses for Personnel, Travel and meetings, Professional services and Administration. Quarterly Reports note that the head “Travel and meetings” includes community support requests.[3] In addition to these heads, Quarterly Reports include “Bad debt expenses” and “Depreciation expenses”. The manner of accounting for these is explained in Note 2 to the Notes to Financial Statements.[4] Note 2 explains that the expenses statement is prepared by “functional allocation of expenses” to identifiable programs or support services, or otherwise by methods determined by the management.

For the purposes of our research into normative and practised transparency and accountability in Internet governance, we request, to begin with, current and historical information regarding itemized, detailed expenses under the head “Travel and meetings”. We request this information from 1999 till 2014. We request that such information be categorized and sub-categorised as follows:

Total and Individual Expenses for each meeting (categorised by meeting and year):

1. Total and individual expenses for ICANN staff (differentiated by department and name of each individual attending the event, including dates/duration of attendance);

-    Also broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each ICANN staff member who attended the event to be named.

2. Total and individual expenses for members of ICANN Board (listed by each Board member and dates/duration of attendance);

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each Board member to be named.

3. Total and individual expenses for members of ICANN constituencies (ALAC, ATRT, ccNSO, GAC, GNSO, etc.)

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named.

4. Total and individual expenses for ICANN fellows

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their region and stakeholder affiliation.

5. Total and individual expenses incurred for any other ICANN affiliate or liaison (ISOC, IETF, IAB, etc.)

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their affiliation.

6. Total and individual expenses incurred for any other person, whether or not directly affiliated with ICANN

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their affiliation.

Please note that we request the above-detailed information for ICANN meetings, and also other meetings for which ICANN may provide financial support (for instance, CWG-Stewardship or CWG-Accountability). We request, as a preliminary matter, a list of all meetings to which ICANN provides and has, in the past, provided financial support (1999-2014).

We note that some information of this nature is available in the Travel Support Reports.[5] However, the Travel Support Reports are available only from 2008 (Cairo meeting), and are not available for ICANN48 to ICANN51. Further, the Travel Support Reports do not exhibit the level of granularity necessary for research and scrutiny. As explained above, we request granular information for all meetings.

In our view, providing such information will not violate any individual or corporate rights of ICANN, its Staff, Board, Affiliates/Liaisons or any other individual. Public corporations and even private organisations performing public functions may be subjected to or accept an increased level of transparency and accountability. We believe this is of especial importance to ICANN, as it is involved in a process to enhance its accountability, intrinsically related to IANA Stewardship Transition. We expressed similar views in our initial comment to “Enhancing ICANN Accountability”.[6] Increased transparency from ICANN may also address accountability concerns present across stakeholder-groups both within and outside ICANN.

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN's Response

ICANN responded to the above request for information within the stipulated time of 30 days. ICANN’s response is here. A short summary of CIS's request and ICANN's response can be found in this table (Request S. no. 1).

[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See ICANN Financial Statements As of and For the years ended June 30, 2014 and 2013, pages 7, 19-20, https://www.icann.org/en/system/files/files/financial-report-fye-30jun14-en.pdf.

[3] For instance, see ICANN FY14 Financial Package: For the nine months ending March 2014, pages 2-5, https://www.icann.org/en/system/files/files/package-fy14-31mar14-en.pdf.

[4] Supra note 1, page 14.

[5] See Community Travel Support, https://www.icann.org/resources/pages/travel-support-2012-02-25-en#reports.

[6] See CIS Comments on Enhancing ICANN Accountability, http://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability.

CIS Request

22 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for granular income/revenue statements of ICANN from 1999-2014

Earlier this month, on 3 December 2014, Mr. Samiran Gupta presented CIS with detailed and granular information regarding ICANN’s domain names income and revenues for the fiscal year ended June 30, 2014. This was in response to several requests made over a few months. The information we received is available on our website.[1]

The information mentioned above was, inter alia, extremely helpful in triangulating ICANN’s reported revenues, despite and in addition to certain inconsistencies between the Annual Report (FY14) and the information provided to us.

We recognize that ICANN makes public its current and historical financial information to a certain extent. Specifically, its Operating Plan and Budget, Audited Financial Statements, Annual Reports, Federal and State Tax Filings, Board Compensation Report and ccTLD Contributions Report are available on the website.[2]

However, a detailed report of ICANN’s income or revenue statement, listing all vendors and customers, is not available on ICANN’s website. Our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN, requires information in such granularity. We request, therefore, historical data re: income and revenue from domain names (1999-2014), in a manner as detailed and granular as the information referenced in FN[1]. We would appreciate if such a report lists all legal entities and individuals who contribute to ICANN’s domain names income/ revenue.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN's response to CIS's request can be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 2).

[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See Historical Financial Information for ICANN, https://www.icann.org/resources/pages/historical-2012-02-25-en.

CIS Request

24 December 2014

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Geoff Bickers, Team Lead, ICANN Computer Incident Response Team (CIRT) & Director of Security Operations

Mr. John Crain, Chief Security, Stability and Resiliency Officer

Members of the ICANN-CIRT & ICANN Security Team

Sub: Details of cyber-attacks on ICANN

We understand that ICANN recently suffered a spear-phishing attack that compromised contact details of several ICANN staff, including their email addresses; these credentials were used to gain access to ICANN’s Centralized Zone Data System (CZDS).[1] We are glad to note that ICANN’s critical functions and IANA-related systems were not affected.[2]

The incident has, however, raised concerns of the security of ICANN’s systems. In order to understand when, in the past, ICANN has suffered similar security breaches, we request details of all cyber-attacks suffered or thought/suspected to have been suffered by ICANN (and for which, therefore, investigation was carried out within and outside ICANN), from 1999 till date. This includes, naturally, the recent spear-phishing attack.

We request information regarding, inter alia,

(1)  the date and nature of all attacks, as well as which ICANN systems were compromised,

(2)   actions taken internally by ICANN upon being notified of the attacks,

(3)  what departments or members of staff are responsible for security and their role in the event of cyber-attacks,

(4)  the role and responsibility of the ICANN-CIRT in responding to cyber-attacks (and when policies or manuals exist for the same; if so, please share them),

(5)   what entities external to ICANN are involved in the identification and investigation of cyber-attacks on ICANN (for instance, are the police in the jurisdiction notified and do they investigate? If so, we request copies of complaints or information reports),

(6)  whether and when culprits behind the ICANN cyber-attacks were identified, and

(7)  what actions were subsequently taken by ICANN (ex: liability of ICANN staff for security breaches should such a finding be made, lawsuits or complaints against perpetrators of attacks, etc.).

Finally, we also request information on the role of the ICANN Board and/or community in the event of such cyber-attacks on ICANN. Also, when was the ICANN-CIRT set up and how many incidents has it handled since its existence? Do there exist contingency procedures in the event of compromise of IANA systems (and if so, what)?

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN responded to our request by noting that it is vague and broad in both time and scope. In response, ICANN has provided information regarding certain cyber-incidents already in the public domain, while noting that the term "cyber-attack" is both wide and vague. While the information provided is undoubtedly useful, it is anecdotal at best, and does not provide a complete picture of ICANN's history of vulnerability to cyber-attacks or cyber-incidents, or the manner of its internal response to such incidents, or of the involvement of external law enforcement agencies or CIRTs in combating cyber-incidents on ICANN.

ICANN's response may be found here. A short summary our request and ICANN's response may be found in this table (Request S. no. 3).

[1] See ICANN targeted in spear-phishing attack, https://www.icann.org/news/announcement-2-2014-12-16-en.

[2] See IANA Systems not compromised, https://www.icann.org/news/announcement-2014-12-19-en.

CIS Request

27 December 2014

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Sub: Details of implementation by and within ICANN of the NETmundial Outcome Document (April ‘14)

We express our appreciation at ICANN’s prompt acknowledgement of our previous DIDP request, and await the information. We would, in the meanwhile, request information regarding ICANN’s internal measures to implement the NETmundial Outcome Document.[1]

In a post titled Turning Talk Into Action After NETmundial,[2] Mr. Chehade emphasized the imperative to carry forward the NETmundial principles to fruition. In nearly every public statement, Mr. Chehade and other ICANN representatives have spoken in praise and support of NETmundial and its Outcome Document.

But in the absence of binding value to them, self-regulation and organizational initiatives pave the way to adopt them. There must be concrete action to implement the Principles. In this regard, we request information about mechanisms or any other changes afoot within ICANN, implemented internally in recognition of the NETmundial Principles.

At the IGF in Istanbul, when CIS’ Sunil Abraham raised this query,[3] Mr. Chehade responded that mechanisms ought to and will be undertaken jointly and in collaboration with other organisations. However, institutional improvements are intra-organisational as well, and require changes within ICANN. An example would be the suggestions to strengthen the IGF, increase its term, and provide financial support (some of which are being achieved, though ICANN’s financial contribution to IGFSA is incongruous in comparison to its financial involvement in the NETmundial Initiative).

From ICANN, we have seen consistent championing of the controversial NETmundial Initiative,[4] and contribution to the IGF Support Association.[5] There are also mechanisms instituted for IANA Stewardship Transition and Enhancing ICANN Accountability,[6] as responses to the NTIA’s announcement to not renew the IANA functions contract and related concerns of accountability.

In addition to the above, we would like to know what ICANN has done to implement the NETmundial Principles, internally and proactively.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

ICANN Response

ICANN's response to the above request disappointingly linked to the very same blogpost we note in our request, Turning Talk Into Action After NETmundial. Following this, ICANN points us to their involvement in the NETmundial Initiative. On the question of internal implementation, ICANN's response is defensive, to say the least. "ICANN is not the home for the implementation of the NETmundial Principles", they say. In any event, ICANN defends that it already implements the NETmundial Principles in its functioning, a response that comes as a surprise to us. "Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework", notes ICANN's response. Needless to say, ICANN's response falls short of responding to our queries.

Finally, ICANN notes that our request is beyond the scope of the DIDP, as it does not relate to ICANN's operational activities. Notwithstanding that our query does in fact seek ICANN's operationalisation of the NETmundial Principles, we are now confused as to where to go to seek this information from ICANN. If the DIDP is not the effective transparency tool it is aimed to be, who in ICANN can provide answers to these questions?

ICANN's response may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 4).

[1] See NETmundial Multi-stakeholder Statement, http://netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf.

[2] See Chehade, Turning Talk Into Action After NETmundial, http://blog.icann.org/2014/05/turning-talk-into-action-after-netmundial/.

[3] See ICANN Open Forum, 9^th IGF 2014 (Istanbul, Turkey), https://www.youtube.com/watch?v=Cio31nsqK_A.

[4] See McCarthy, I’m Begging You To Join, The Register (12 December 2014), http://www.theregister.co.uk/2014/12/12/im_begging_you_to_join_netmundial_initiative_gets_desperate/.

[5] See ICANN Donates $50k to Internet Governance Forum Support Association, https://www.icann.org/resources/press-material/release-2014-12-18-en.

[6] See NTIA IANA Functions’ Stewardship Transition & Enhancing ICANN Accountability Processes, https://www.icann.org/stewardship-accountability.