2012: Privacy Highlights in India

Posted by Elonnai Hickok at Feb 12, 2013 12:39 PM |
In this blog post, Elonnai Hickok summarizes the top privacy moments of 2012 in India. In doing so she lists out the major ones like the Report of Group of Experts on Privacy, the RIM Standoff, the Nira Radia controversy, the Centralized Monitoring System, Unmanned Aerial Vehicles, NATGRID, CCTNS, the growth of CCTVs, the leaked DNA Profiling Bill, and the UID project.

The Report of Group of Experts on Privacy: In October 2012 the "Report of Group of Experts on Privacy" was published by a governmental committee chaired by Justice A.P. Shah. The report contains recommendations for comprehensive privacy legislation, including defining nine privacy principles, establishing a regulatory framework consisting of privacy commissioners at the regional and central level, and self regulatory organizations, and analyzing the present challenges to privacy in India.[1]

Before the report was published, two draft privacy bills had been leaked to the public, and a concept paper drafted in 2010. The report received mixed reviews from the media, including questions about the relationship between the Right to Information and the Right to Privacy. Before the publishing of the Report, Prime Minister Manmohan Singh recognized that disclosures under the RTI Act could, in some instances, violate individual privacy. In a statement to the public, the Prime Minister stated "citizens right to know should definitely be circumscribed if disclosure of information encroaches upon someone's personal privacy.  But where to draw the line is a complicated question".[2]

Three months before the report was published, the EU had publicly stated that current data protection provisions in India are not sufficient enough, and that India is not considered to be 'data secure'.[3] If the recommendations in the report are turned into legislation, among other things, individuals in India will have a right to privacy and a right to redress for violations of privacy.

Governmental Interception: In early 2013 it was revealed that the Ministry of Home Affairs ordered interception of 10,000 phones and 1300 email ids during October 2012 to December 2012.[4] Continuing its efforts to access all communications, in May 2012, the Government of India gave service providers a month to develop a method for intercepting calls using VoIP services.[5] In February 2012 the Telecom Department proposed a new set of security guidelines that would allow for real time interception of communications and the tracking of the location of users. Among other things, the proposal establishes telecom security assurance and testing labs for the purpose of testing and certifying telecom equipment.[6] Additionally, in October of 2012, Bharti Airtel refused to wiretap telephones for RAW. The Department of Telecommunications eventually ordered Bharti Airtel to comply with the order, which they did.[7] The events around interception in 2012 show that the Indian government is still trying to gain access to as much information as possible. The constant push for real time access by the government is concerning, as many safeguards are missing from the Indian interception regime such as, penalty to security agencies for unauthorized interception and avenues of redress for the individual.

The RIM Standoff: Since 2008, the Indian government has been negotiating with RIM access to BlackBerry communications. Over the years, a number of solutions have been proposed by RIM and the GoI, yet a final agreement was never reached. Continuing the negotiations, In October 2012, RIM agreed to set up a server in Mumbai, which would allow security agencies to access Blackberry Messenger services.[8] Blackberry also provided a solution that would allow access to Blackberry Internet Services.[9] Following this, the Government of India mandated that Telecom Service Providers must incorporate the Blackberry interception solution, or risk being forced to shut their service by December 31, 2012. In compliance with this order, many service providers have set time frames for incorporation of the interception solution including and installed the necessary software.[10] It is important to note that the lawful access solutions provided do not extend to the Blackberry Enterprise Server.[11] Though it seems that the BlackBerry controversy might be resolved, the solution does not appear to be a long term solution, as BES communications are still not accessible, and the solution is not universal for all international providers. Thus, the Indian government will have to negotiate individually with each provider and service that they currently cannot access communications of.

The Nira Radia Controversy: Continuing the Nira Radia controversy, which began in 2008-2009, in September 2012 the Supreme Court ordered the Income Tax Department to transcribe the 5,831 recorded conversations that were originally intercepted by the department. In January this year, the Supreme Court of India ordered that a "random check" be run through the Radia Tapes to check for instances of possible criminality.[12] This case has become an important moment for privacy in India, as it intersects the dilemma between the right to privacy and public interest. Since 2010, Ratan Tata has been claiming that his right to privacy was violated by the publishing of the leaked tapes.[13] The Supreme Court’s final decision will be important for drawing another contour of how the right to privacy is shaped in India.

The Centralized Monitoring System: In 2012 the Telecom Ministry set aside Rs. 400 crore for the Central Monitoring System, which is projected to be finished by August 2014.[14] The project, which first began in 2007, is envisioned to allow security agencies to bypass service providers and intercept communications on their own. The system is designed to have regional databases and a central database which will be accessible to law enforcement and security agencies. Privacy concerns related to the project include how the system will incorporate current legal regulations for interception in India, as a system that bypasses service providers essentially means that every communication can be read by law enforcement. Furthermore, it is not clear exactly who, and on what conditions will officials be allowed and authorized to access and use the system. The exact capabilities of the system have also not been identified. For example, will the CMS be able to intercept VoIP calls, will it be able to decrypt messages, and will it employ techniques such as Deep Packet Inspection.

Unmanned Aerial Vehicles (UAVs): Since the late 90’s the Defense Research Development Organisation (DRDO) has been developing UAV’s for military purposes, and before this, India was acquiring UAV’s from Israel.[15] Since that time there has been an increase in domestic companies and institutes developing UAVs, and an increase in the procurement of the technology by state police for generic reasons purposes as crowd control, traffic management, and security. For example, in August of 2012 the city of Mumbai used the UAV "Netra", as part of their security protocol during the Raj Thackeray rally to capture and send real time images back to the police. Netra is manufactured by the company Idea Forge.[16] The Mumbai police also used the Netra in September 2012 after the Azad Maidan riots, and again on New Year’s Eve to monitor and track crime such as sexual harassment.[17] Similarly, Chennai city police are looking to procure from Anna University a UAV developed by the Madras Institute of Technology. The UAV will be used to assist in traffic monitoring and control.[18] The increased procurement and use of UAV’s by state police is concerning as there is no clear legal regulation over the deployment of the vehicles. Thus, they have shifted from being used as a tool by the military, and are being used for monitoring traffic, crowd monitoring, etc. Furthermore, the process for authorization for use of the vehicles is not clear, and it is not clear how the captured information is protected and handled. Though UAV’s are clearly a useful tool for the military, for military purposes, the permitted use of them by other actors should be defined and regulated. The use of UAV’s for generic purposes could place individual privacy at risk, because of the amount of information and the level of detail that the vehicles are able to capture without the knowledge of the individual.

The National Intelligence Grid (NATGRID): Plans for the NATGRID project, which was first piloted after the Mumbai attacks, has been continuing forward through 2012 and is envisioned to be operational sometime in 2013. During 2012, a detailed project report was submitted for the project, and in June the government approved Rs. 1,100 crore for purchase of technological equipment.[19] NATGRID is a project that envisions networking 21 databases for purposes of crime investigation including tax, health, and travel information. The information will be accessible to 11 security agencies and law enforcement agencies. Though it has been clarified that NATGRID will ensure that privacy is protected, the design of NATGRID is one that could create potential risks – as it brings together large amounts of personal data for easy access by security agencies. In doing so it could potentially eliminate the steps security agencies must take currently to access information – such as submitting a request and obtaining permission for access. Furthermore, it is unclear how current legal protections such as secrecy clauses in banking legislation will be incorporated and upheld by the NATGRID system. Other questions that the project raises include – though currently there are only eleven agencies listed that will have access to NATGRID – will this list expand? Without a policy in place how will this standard and other standards be enforced?

The Crime and Criminal Tracking Network & System (CCTNS): Though the CCTNS project has been in the works since 2009, a call for companies to develop the technology for the system was taken in early 2012, and pilot projects were launched later that year. The CCTNS is being headed by the National Crime Records Bureau, and will allow for the sharing of crime related information on a national level, in real time. In 2012, the system was allocated 2,000 crores by the government, and currently 2,000 police stations and other offices have been connected under the system.[20]

For example, police in Chhattisgarh,[21] Uttarakhand[22] and Odisha have all been connected to the CCTNS system.[23] Though it will be beneficial for the police to have access to a networked system, it has not been made clear yet what type of security system the project will adopt to ensure that the information is not compromised or accessed without authorization. It has also not been clarified what information will be placed on the database, and will all records be accessible to any individual accessing the system. Because the project is still in pilot stages it is hard to tell if it could put individual privacy at risk. Hopefully, before the project is realized in its full, many of the details will be clarified.

The Growth of CCTVs: Throughout 2012 the use of CCTV’s has continued to grow across India. For example, the Maharashtra government has undertaken a "CCTV surveillance project" in which it is in the process of taking bids for.[24] The state of Karnataka is also planning on installing CCTV cameras in Bangalore and other major cities to help detect incidents of crime.[25] While the Delhi Transport Department is contemplating installing CCTVs in buses,[26] and the Indian Rail Authorities have also decided to install CCTVs throughout stations to increase security.[27] There still does not exist regulation of the use of CCTV cameras, thus it is unclear who can operate a CCTV camera, which departments of the government can mandate for the installation of CCTVs, if public notice must be given that a CCTV camera is in use, and who can access the footage from a CCTV.

Study on Privacy Perceptions: In a study that came out in December 2012 by Ponnurangam K, among other things, it was found that 75 per cent of participants never read the privacy policy on a website – including social networking sites, participants also thought that there was a privacy legislation in place in India, and that individuals in India are most concerned about financial privacy.[28]

The National Counter Terrorism Centre (NCTC): The NCTC was originally created in response to the Mumbai terror attacks, under the Unlawful Prevention Act, 1967. The NCTC was meant to be realized in 2012, but in March, plans for the Centre were put on hold, because of the controversial nature of the project.[29] The Centre was meant to bring Indian intelligence agencies under one umbrella, and analyze and store information related to terrorism. The proposed body has been highly controversial, as states object to the powers given to the Centre and see it as intruding on their powers and jurisdiction. If passed, the NCTC will have the powers of arrest, search and seizure, and the ability to access information from other intelligence agencies.[30]

The Leaked DNA Profiling Bill: In 2012, a version of the DNA Profiling Bill, originally drafted in 2007, was leaked to the public. The Bill is being piloted by the department of biotechnology, and seeks to establish DNA databases at the regional and central level for forensic purposes, yet the Bill does not establish strong protections for the privacy of DNA samples taken and important technical standards for ensuring that DNA samples are not misused or tampered with.[31] What will happen to the Bill in 2013 is yet to be seen, but hopefully it will not be passed without the appropriate safeguards incorporated into its provisions.

The Unique Identification Project and the National Population Registrar: Throughout 2012, the UID has continued to carry out enrollments across the country, and sign MoU's with private sector companies for the adoption of the UID platform. Parallel to the UID project, the NPR project is also being implemented. The NPR seeks to provide every citizen of India with an identity that will be stored in an identity database maintained by the Registrar General and Census Commissioner of India.[32] According to the NPR scheme, individuals who had already enrolled with the UID and given their biometrics would not need to re-submit their biometrics with the NPR. Yet, this has not been the case, and instead individuals are now being required to provide their biometrics for enrollment with the UID and the NPR.[33]

Privacy has been raised as a concern of the UID since the start of the project. For both the UID and the NPR now the transaction record will be stored by agencies, and whether it will be possible to track individuals across databases using their NPR or UID  identity?

[1]. The Report of Group of Experts on Privacy. See http://bit.ly/VqzKtr

[2]. Tikku, A., "RTI doesn’t trample upon privacy, says expert panel", Hindustan Times, October 29, 2012, available at http://bit.ly/TNAzRF, last accessed on January 8, 2013.

[3]. Sen, A. India protests European Union study of data laws. Economic Times. July 9, 2012, available at http://bit.ly/Y9ahHs, last accessed on January 8, 2013.

[4]. Harismran, J., Thomas, J. "Home Ministry ordered 10k wire taps in last 90 days, order tapping of 1300 email Ids", The Economic Times, January 3, 2013, available at http://bit.ly/TKk7yN, last accessed on January 7th 2013.

[5].The Economic Times, "Provide solution to intercept VoIP within a month: Govt", May 6, 2012, available at http://bit.ly/VQDQ4k, last accessed on January 7, 2013.

[6]. The Economic Times, "New policy for real time interception to security agencies", February 1, 2012, available at http://bit.ly/11DrlvB, last accessed on January 7, 2013.

[7]. The Economic Times, "RAW irked as Airtel keeps its request for phone tapping on hold", October 21, 2012, available at http://bit.ly/12IujhF, last accessed on January 7, 2013.

[8]. Reyes, D., "RIM installs BlackBerry server in Mumbai", CrackBerry, February 23, 2012, available at http://bit.ly/yBQsSo

[9]. Economic Times, "DoT makes telecom operators fall in line on Blackberry issue", December 30, 2012, available at http://bit.ly/1169ufn

[10]. Economic Times, "MTNL, BSNL fail to give dates for Blackberry interception", October 29, 2012, available at http://bit.ly/1169ufp, last accessed on January 7, 2012.

[11]. The Economic Times, "Telecom companies agreed to provide real-time intercept facilities for BlackBerry smartphones", December 31, 2012, available at http://bit.ly/Y9gjYt, last accessed on January 7, 2012.

[12]. Mahapatra, D., "SC to examine Radia tapes for criminality", Times of India, January 9, 2013, available at http://bit.ly/VD7eWX

[13]. Times of India, "Ratan Tata softens stand on Radia tapes", August 23, 2012, available at http://bit.ly/158CZxl, last accessed on January 7, 2013.

[14]. The Economic Times, "Govt. to place phone tapping system worth Rs. 400 cr by 2014", March 21, 2012, available at http://bit.ly/V2P9q6, last accessed on January 7, 2013.

[15]. Monsonis, G., "UAVs gaining currency with Indian Armed Forces", Indian Defence Review, October 30, 2012, available at http://bit.ly/KVYyIr, last accessed on January 7, 2013.

[16]. Mumbai Mirror, "Raj Thackeray’s mega rally: Unmanned Aerial Vehicle kept an eye on Azed Maidan", Economic Times, August 22, 2012, available at http://bit.ly/PYTGAG, last accessed on January 7, 2013.

[17].Ali, A. & Narayan. V., "Netra cameras to keep a close watch , over New Year’s Eve hotspots", Times of India, December 31, 2012, available at http://bit.ly/Z7orxt, last accessed on January 7, 2013.

[18]. Venugopal, V., "It flies, it swoops, it records and monitors", The Hindu, December 20, 2012, available at http://bit.ly/V89sLo, last accessed January 7, 2013.

[19]. The Economic Times, "Cabinet Committee on Security approves Rs. 1,100 crore for NATGRID", June 14, 2012.

[20]. Mohan, V., "Centre launches pilot project to track criminals", The Times of India, January 5, 2013, available at http://bit.ly/UPk2fh

[21]. The Pioneer, "Civil Lines Police Station gets connected with CCTNS", January 2012, available at http://bit.ly/VRXKGJ

[22]. CIOL Bureau, "CCTNS to be made public through internet: Dehradun DGP", January 4, 2012, available at http://bit.ly/X4JISx, last accessed on January 7, 2013.

[23]. The Hindu, "Odisha to launch CCTNS on January 12", January 7, 2013, available at http://bit.ly/Vd9Ay1, last accessed on January 7, 2013.

[24]. Padmakshan, M., "Maharashtra plans to invite new bids for CCTV surveillance project", September 18, 2012, available at http://bit.ly/VRYrQm, last accessed on January 7, 2013.

[25]. Ashoka, R., "Karnataka to install CCTV cameras in Bangalore, major cities", Economic Times. July 26, 2012, available at http://bit.ly/11Dxt6Z, last accessed on January 7, 2013.

[26]. Economic Times, "Buses to come with CCTV cameras for safety of women: Delhi government", December 17, 2012, available at http://bit.ly/158Gtjo, last accessed on January 7, 2013.

[27]. Economic Times, "Railways to step by security apparatus at stations", February 15, 2012, available at http://bit.ly/11DxSX8, last accessed on January 7, 2013.

[28]. Times of India, "Most Indians ignorant about privacy issues on Facebook, Twitter: Study", December 10, 2012, available at http://bit.ly/X4KVt1, last accessed on January 7, 2013.

[29]. Kumar, H., "Does India Need a National Counter Terrorism Center?", The New York Times, India Ink, February 28, 2012, available at http://nyti.ms/A5VU5P

[30]. Times of India. CM to attend National Counter- Terrorism Centre Meet in Delhi. May 4, 2012, available at http://bit.ly/12IDoH9, last accessed on January 8, 2012.

[31]. Hickok, E., "Rethinking DNA Profiling in India", Economic Political Weekly, October 27, 2012, available at http://bit.ly/TUrH7j, last accessed on January 7, 2013.

[32]. Department of Information Technology, "National Population Register", available at http://bit.ly/12rzyOh

[33]. Pandit, A., "NPR must even if you have Aadhar number", Times of India, October 31, 2012, available at http://bit.ly/Y9oXGq, last accessed on January 8, 2013.