The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 21 to 35.
The Difficult Balance of Transparent Surveillance
http://editors.cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance
<b>Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other Silicon Valley giants would say no. When customers join these services, each company provides its own privacy statement, which assures customers of the safety and transparency that accompany their personal data.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.</p>
<p style="text-align: justify; ">So it seems that transparency might not be too much to ask, but is perhaps a more complicated request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">So we must unpack the idea of transparency.</p>
<p style="text-align: justify; ">First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?</p>
<p style="text-align: justify; ">Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was revealed that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones from the Delhi region alone in 2005.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">But there has also been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for the government’s and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found through spying? Citizens must take all of this into consideration when requesting transparency.</p>
<p style="text-align: justify; ">Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, <i>so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds</i>.” <a href="#fna" name="fra">[a]</a> Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook <a href="#fna" name="fra">[a]</a>, Apple <a href="#fnb" name="frb">[b]</a>, Microsoft <a href="#fnc" name="frc">[c]</a>, and Google <a href="#fnd" name="frd">[d]</a>) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14<sup>th</sup>, “We have not received any national security orders <i>of the type that Verizon was reported to have received</i>.” <a href="#fnc" name="frc">[c]</a> Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&amp;T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.</p>
<p style="text-align: justify; ">Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.</p>
<p style="text-align: justify; ">But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS,<a href="#fn4" name="fr4">[4]</a> but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the <a href="http://editors.cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">petition</a> as an Indian agency is not involved.”<a href="#fn5" name="fr5">[5]</a><a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within the reach of Indian domestic agencies, for example the call to prohibit federal officials from using private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.</p>
<p style="text-align: justify; ">For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.<a href="#fn7" name="fr7">[7]</a> India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong reason to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.<a href="#fn8" name="fr8">[8]</a> It is uncertain how these revelations will impact the agreements made between the big Silicon Valley companies and their E.U. customers.</p>
<p style="text-align: justify; ">The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.<a href="#fn5" name="fr5">[5]</a> If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.</p>
<p style="text-align: justify; ">Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases the likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring its own servers and databases. It has not yet been described how the CMS will operate its surveillance methods, but moving data to domestic servers may just result in shifting power from the NSA to the CMS. Rather than more privacy or transparency, the situation could easily become a matter of <i>who</i> citizens prefer spying on them.</p>
<p style="text-align: justify; ">Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self-reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impending critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.<a href="#fn9" name="fr9">[9]</a> Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”<a href="#fnc" name="frc">[c]</a></p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a href="http://digitaldueprocess.org/">http://digitaldueprocess.org/</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://bit.ly/151Ue1H">http://bit.ly/151Ue1H</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://bit.ly/12XDb1Z">http://bit.ly/12XDb1Z</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://ti.me/11Xh08V">http://ti.me/11Xh08V</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a href="http://editors.cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh</a> [attached]</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://bit.ly/1aXWdbU">http://bit.ly/1aXWdbU</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://1.usa.gov/qafcXe">http://1.usa.gov/qafcXe</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://bit.ly/114hcCX">http://bit.ly/114hcCX</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="http://bit.ly/156wspI">http://bit.ly/156wspI</a></p>
<hr />
<p>[<a href="#fra" name="fna">a</a>]. <b>Facebook Statement</b>: <a class="external-link" href="http://bit.ly/ZQDcn6">http://bit.ly/ZQDcn6</a></p>
<p>[<a href="#frb" name="fnb">b</a>]. <b>Apple Statement</b>: <a class="external-link" href="http://bit.ly/1akaBuN">http://bit.ly/1akaBuN</a></p>
<p>[<a href="#frc" name="fnc">c</a>]. <b>Microsoft Statement</b>:<a class="external-link" href="http://bit.ly/1bFIt31">http://bit.ly/1bFIt31</a></p>
<p>[<a href="#frd" name="fnd">d</a>]. <b>Google Statement</b>: <a class="external-link" href="http://bit.ly/16QlaqB">http://bit.ly/16QlaqB</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance'>http://editors.cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance</a>
</p>
Publisher: none | Author: kovey | Tags: SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T04:23:35Z | Blog Entry
Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)
http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
Publisher: none | Author: elonnai | Tags: Featured, SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:50:22Z | Blog Entry
SEBI and Communication Surveillance: New Rules, New Responsibilities?
http://editors.cis-india.org/internet-governance/blog/sebi-and-communication-surveillance
<b>In this blog post, Kovey Coles writes about the activities of the Securities and Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify; ">The Securities and Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who made a call, who received it, and how long it lasted, but do not disclose anything about the call’s content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.</p>
<h3 style="text-align: justify; ">SEBI’s Authority (Until Now)</h3>
<p style="text-align: justify; ">Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."<a href="#fn1" name="fr1">[1]</a> Its powers have included "calling for information from, undertaking inspection, conducting inquiries and audits of the intermediaries and self-regulatory organisations in the securities market."<a href="#fn2" name="fr2">[2]</a> Although the agency has held the responsibility to investigate records on market activity, it has never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”<a href="#fn3" name="fr3">[3]</a> SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.</p>
<p>But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.</p>
<h3>What is the Importance of CDR Access?</h3>
<p style="text-align: justify; ">Reports on SEBI’s recent expansion are quick to stress that the agency is not looking for phone-tapping rights, which would allow interception of the content of telephone calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there are a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access to CDRs, the government seems much more generous in expanding the powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."<a href="#fn4" name="fr4">[4]</a> Therefore, a second crucial question is whether this sensitive CDR data will receive the same degree of protection and safeguards which exist for communication interception.</p>
<p style="text-align: justify; ">One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.<a href="#fn5" name="fr5">[5]</a> Currently, under section 92 of the CrPC, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.<a href="#fn6" name="fr6">[6]</a> Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation in the absence of “reasonable grounds," as stipulated in section 11C of the SEBI Act.<a href="#fn7" name="fr7">[7]</a> It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."<a href="#fn7" name="fr7">[7]</a> With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.<a href="#fn8" name="fr8">[8]</a> But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.</p>
<h3 style="text-align: justify; ">Significance and Responsibility in this Decision</h3>
<p style="text-align: justify; ">Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizens’ call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizens’ call records? In cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizens’ rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).</p>
<p>[<a href="#fr3" name="fn3">3</a>]. “Sebi Finalising new Anti-money laundering guidelines,” <i>The Times of India, </i>June 16, 2013</p>
<p><a href="http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms">http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms</a></p>
<p style="text-align: left; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance -<a href="http://www.necessaryandproportionate.net/#_edn1">http://www.necessaryandproportionate.net/#_edn1</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. “Sebi to soon to get Powers to Access Call Records,” <i>Business Today</i>, June 13, 2013</p>
<p><a href="http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html">http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. 1973 Criminal Procedure Code, Section 92 <a href="http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf">http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf</a></p>
<p>“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013</p>
<p><a href="http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary">http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. 1992 Securities and Exchange Board of India Act, section 11C, part 8</p>
<p>[<a href="#fr8" name="fn8">8</a>]. 2002 Prevention of Money-Laundering Act, section 12</p>
Publisher: none | Author: kovey | Tags: SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:51:46Z | Blog Entry
Open Letter to Prevent the Installation of RFID tags in Vehicles
http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles
<b>The Centre for Internet and Society (CIS) has sent this open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p class="western" style="text-align: justify; ">This letter is with regard to the installation of Radio Frequency Identification (RFID) tags in vehicles in India.</p>
<p class="western" style="text-align: justify; ">On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.</p>
<p class="western" style="text-align: justify; ">The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.</p>
<p class="western" style="text-align: justify; ">The installation of RFID tags in vehicles is not only currently illegal, but it also raises major privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.<a href="#fn1" name="fr1">[1]</a></p>
<p class="western" style="text-align: justify; ">The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.<a href="#fn2" name="fr2">[2]</a> The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">Thank you for your time and for considering our request.</p>
<p class="western" style="text-align: justify; ">Sincerely,</p>
<p class="western" style="text-align: justify; ">Centre for Internet and Society (CIS)</p>
<p>[<a href="#fr1" name="fn1">1</a>]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p>[<a href="#fr2" name="fn2">2</a>]. Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles'>http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles</a>
</p>
Blog Entry by maria (SAFEGUARDS, Internet Governance, Privacy), 2013-07-12
Report on the 4th Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; "><span>In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</span></p>
<p style="text-align: justify; "><span>In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of the Group of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</span></p>
<p style="text-align: justify; "><span>At the roundtables the Report of the Group of Experts on Privacy, DSCI's paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</span></p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>
<p align="JUSTIFY"><span>New Delhi Roundtable: 13 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Bangalore Roundtable: 20 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Chennai Roundtable: 18 May 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Mumbai Roundtable: 15 June 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Kolkata Roundtable: 13 July 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>New Delhi Final Roundtable and National Meeting: 17 August 2013</span></p>
</li>
</ol>
<p style="text-align: justify; "><span>Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.</span></p>
<h2><b><span>Discussion of the Draft Privacy (Protection) Bill 2013</span></b></h2>
<h3><b><span>Discussion of definitions: Chapter 1</span></b></h3>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>It was specified at the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that, since India does not have data protection adequacy, the Bill and the IT Act should not be harmonised. </span></p>
<p style="text-align: justify; "><span>Other participants argued that all other relevant acts should be cited in the discussion so that the Bill does not overlap with existing provisions in other rules, such as the IT Act. This was supported by the notion that the Bill should not clash with existing legislation, but was dismissed by the argument that this Bill – if enacted into law – would override all other competing legislation. Special laws override general laws in India, and this would be a special law for the specific purpose of data protection. </span></p>
<p style="text-align: justify; "><span>The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored. </span></p>
<p style="text-align: justify; "><span>Such arguments met with pushback from participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards. </span></p>
<p style="text-align: justify; "><span>The debate on whether ethnicity, religion, caste and financial information should be included in the definition of sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the government's interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over. </span></p>
<p style="text-align: justify; "><span>The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.</span></p>
<p style="text-align: justify; "><span>In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored on foreign servers. In particular, some participants argued that the Bill should include provisions for data stored on foreign servers in order to avoid breaches involving international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts. </span></p>
<p style="text-align: justify; "><span>Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data. </span></p>
<p style="text-align: justify; "><span>On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should be able to go to court and seek that data. The issue of data collection was further discussed over the next sessions. </span></p>
<h3><b><span>Right to Privacy: Chapter 2</span></b></h3>
<p style="text-align: justify; "><span>The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill. </span></p>
<p style="text-align: justify; "><span>Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from interfering with this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts. </span></p>
<p style="text-align: justify; "><span>The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.</span></p>
<p style="text-align: justify; "><span>Other participants suggested that commercial violations should not be excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly. </span></p>
<h3><b><span>Protection of Personal Data: Chapter 3</span></b></h3>
<p style="text-align: justify; "><span>Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data. </span></p>
<p style="text-align: justify; "><b><span>Collection of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of the collection, processing, sharing and retention of their data. </span></p>
<p style="text-align: justify; "><span>It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill. </span></p>
<p style="text-align: justify; "><span>Another issue raised was that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent from the large portion of the Indian population that lives below the poverty line. </span></p>
<p style="text-align: justify; "><span>A participant argued that data collection by private detectives and by reality TV shows, as well as data on physical movement and location, should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes. </span></p>
<p style="text-align: justify; "><span>The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill. </span></p>
<p style="text-align: justify; "><span>In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection, and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users' data and that they should require individuals' consent prior to data collection. </span></p>
<p style="text-align: justify; "><span>It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well. </span></p>
<p style="text-align: justify; "><b><span>Storage and destruction of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a single uniform data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on the many variables and factors which affect the collection and use of data. </span></p>
<p style="text-align: justify; "><span>In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India. </span></p>
<p style="text-align: justify; "><span>Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases. </span></p>
<p style="text-align: justify; "><b><span>Security of personal data and duty of confidentiality</span></b></p>
<p style="text-align: justify; "><span>Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”. </span></p>
<p style="text-align: justify; "><span>One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India. </span></p>
<p style="text-align: justify; "><b><span>Disclosure of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals' data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be released in order to ensure that individuals are aware of what they are providing their consent to. </span></p>
<p style="text-align: justify; "><span>It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill. </span></p>
<p style="text-align: justify; "><span>Several participants argued that companies should be responsible for the data they collect and that they should not share it or disclose it to unauthorised third parties without individuals' knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” on a huge document which not only is usually not read by customers, but which also only vaguely covers all the cases to which individuals are consenting. This creates the potential for abuse, as many specific cases which would require separate, explicit consent are not included within this consent mechanism. </span></p>
<p style="text-align: justify; "><span>This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided. </span></p>
<p style="text-align: justify; "><span>Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill. </span></p>
<p style="text-align: justify; "><span>A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals' data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed. </span></p>
<p style="text-align: justify; "><span>However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don't always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data, due to its lack of traceability, and hence cannot inform individuals every time their data is being shared or disclosed. </span></p>
<p style="text-align: justify; "><span>Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security. </span></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill. </span></p>
<h2><b><span>Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner</span></b></h2>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation. </span></p>
<p style="text-align: justify; "><span>There is a civil society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report of the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data protection adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it's also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a </span><i><span>competitive disadvantage </span></i><span>in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security. </span></p>
<p style="text-align: justify; "><span>As a comment on previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes stated that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control. </span></p>
<p style="text-align: justify; "><span>On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations. <br /></span></p>
<p style="text-align: justify; "><span>When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported. </span></p>
<p style="text-align: justify; "><span>Data protection in Ireland covers all organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers' data.</span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner recommended that India establish a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on </span><i><span>accountability</span></i><span>. It was recommended that India adopt an accountability approach, where punishment is in place when data is breached.</span></p>
<p style="text-align: justify; "><span>On the recent leaks about the NSA's surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated.</span></p>
<p style="text-align: justify; "><span>Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens' rights.</span></p>
<h2><b><span>Meeting conclusion</span></b></h2>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report be enacted, to ensure that India is potentially adequate in data security in the future and that citizens' right to privacy and other human rights are guaranteed.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting'>http://editors.cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T11:04:25Z | Blog Entry
Interview with Mr. Billy Hawkes - Irish Data Protection Commissioner
http://editors.cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner
<b>Maria Xynou recently interviewed Mr. Billy Hawkes, the Irish Data Protection Commissioner, at the CIS' 4th Privacy Round Table meeting. View this interview and gain an insight into recommendations for data protection in India!</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>The Irish Data Protection Commissioner was asked the following questions:</p>
<p>1. What powers does the Irish Data Commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
<p>2. Does your office differ from other EU data protection commissioner offices?</p>
<p>3. What challenges has your office faced? What is the most common type of privacy violation that your office has faced?</p>
<p>4. Why should privacy legislation be enacted in India?</p>
<p>5. Does India need a Privacy Commissioner? Why? If India creates a Privacy Commissioner, what structure / framework would you suggest for the office?</p>
<p>6. How do you think data should be regulated in India? Do you support the idea of co-regulation or self-regulation?</p>
<p>7. How can India protect its citizens' data when it is stored on foreign servers?</p>
<p>Video: <a href="http://blip.tv/play/AYOTmT4A.html?p=1">http://blip.tv/play/AYOTmT4A.html?p=1</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner'>http://editors.cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T11:06:31Z | Blog Entry
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regard to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation, made on April 29th 2013, <a href="http://editors.cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as a data secure nation, made on May 9th 2013.<a href="http://editors.cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="http://editors.cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt.<a href="http://editors.cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand-alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback on the text of the “Privacy Protection Bill 2013”, and on other possible frameworks for privacy in India. The discussions and recommendations from the meetings will be published as a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Centre for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister seeks stand alone privacy legislation, writes PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<p><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation'>http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation</a>
</p>
No publisher | elonnai | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T11:07:58Z | Blog Entry
Indian surveillance laws &amp; practices far worse than US
http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us
<b>Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden. </b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's column was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-06-13/news/39952596_1_nsa-india-us-homeland-security-dialogue-national-security-letters">published in the Economic Times</a> on June 13, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's exposé provides proof of what many working in the field of privacy have long known. The leaks show that the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).</p>
<p><b>Nothing Quite Private </b></p>
<p>The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.</p>
<p style="text-align: justify; ">US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.</p>
<p><b>Worse, Indian-Style </b></p>
<p style="text-align: justify; ">That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.</p>
<p style="text-align: justify; ">To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.</p>
<p style="text-align: justify; ">The law we currently have — sections 69 and 69B of the Information Technology Act — is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.</p>
<p><b>Keeping it Safe </b></p>
<p style="text-align: justify; ">Recent reports reveal India's secretive National Technical Research Organisation (NTRO) — created under an executive order and not accountable to Parliament — often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.</p>
<p style="text-align: justify; ">While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.</p>
<p style="text-align: justify; ">The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.</p>
<p style="text-align: justify; ">Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like OpenPGP can make emails secure, Off-The-Record can secure instant messages, TextSecure can secure SMSes, and Tor can anonymise internet traffic.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us'>http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a>
</p>
No publisher | pranesh | Surveillance, Internet Governance, Censorship, SAFEGUARDS | 2013-07-12T11:09:39Z | Blog Entry
India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed
http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance
<b>As of last week, it is officially confirmed that the metadata of everyone's communications is under the NSA's microscope. In fact, the leaked data shows that India is one of the countries under the most NSA surveillance!</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was <a class="external-link" href="http://www.medianama.com/2013/06/223-what-does-nsa-prism-program-mean-to-india-cis-india/">cross-posted in Medianama</a> on 24th June 2013.</i></p>
<hr />
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the Democratic senator, </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">Ron Wyden, asked James Clapper</a><span>, the director of national intelligence, a few months ago. “No sir”, replied Clapper.</span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Americans, Indians, Egyptians, Iranians, Pakistanis and others</span></a><span> all around the world.</span></p>
<h2>Leaked NSA surveillance</h2>
<h3><span>Verizon Court Order</span></h3>
<p style="text-align: justify; ">Recently, the <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">Guardian released</a> a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.</p>
<p dir="ltr" style="text-align: justify; "><a href="http://yahoo.usatoday.com/news/washington/2006-05-10-nsa_x.htm"><span>USA Today reported in 2006</span></a><span> that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the </span><a href="http://www.guardian.co.uk/world/interactive/2013/jun/06/verizon-telephone-data-court-order"><span>April 25 top secret order</span></a><span> is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 9/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes </span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span>metadata </span></a><span>such as the numbers of both parties on a call, location data, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.</span></p>
<p dir="ltr" style="text-align: justify; "><span>Content data may not be collected, but metadata alone can be enough to discover an individual's network of associations and communications patterns. </span><a href="https://www.privacyinternational.org/blog/top-secret-nsa-program-spying-on-millions-of-us-citizens"><span>Privacy and human rights concerns</span></a><span> arise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens' communications and lives.</span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span> Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically</span></a><span>, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.</span></p>
<h3><span>PRISM</span></h3>
<p align="JUSTIFY">Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by <a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html">The Washington Post</a>. Apparently, not only is the NSA gaining access to the metadata of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to <a href="http://www.bbc.co.uk/news/business-22867185">disclose the security requests</a> they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.</p>
<p dir="ltr" style="text-align: justify; "><span>Yet it appears that the </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>PRISM online surveillance programme</span></a><span> enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The </span><a href="http://www.guardian.co.uk/world/2013/jun/09/prism-gchq-william-hague-statement"><span>Guardian reported</span></a><span> that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.</span></p>
<p dir="ltr" style="text-align: justify; "><span>James R. Clapper, the US Director of National Intelligence, </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>stated</span></a><span>:</span></p>
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“</span><span>Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”</span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world. </span></p>
<h3><span>Boundless Informant</span></h3>
<p dir="ltr" style="text-align: justify; "><span>And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data? </span></p>
<p dir="ltr" style="text-align: justify; "><span>The Guardian released top secret documents about the NSA data mining tool called </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span>; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA collected 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide.</span></p>
<p dir="ltr" style="text-align: justify; "><span>The following </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>“global heat map”</span></a><span> reveals how much data is being collected by the NSA from around the world:</span></p>
<p dir="ltr" style="text-align: justify; "><span><img src="http://editors.cis-india.org/BoundlessInformantmap.jpg" alt="Boundless Informant: &quot;Global Heat Map&quot;" class="image-inline" title="Boundless Informant: &quot;Global Heat Map&quot;" /></span></p>
<p><span style="text-align: justify; ">The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.</span></p>
<p dir="ltr" style="text-align: justify; "><span>During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with </span><a href="http://epaper.timesofindia.com/Default/Scripting/ArticleWin.asp?From=Archive&Source=Page&Skin=ETNEW&BaseHref=ETBG/2013/06/12&PageLabel=20&ForceGif=true&EntityId=Ar02002&ViewMode=HTML"><span>15% of all information</span></a><span> being tapped by the NSA coming from India during February-March 2013. </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance"><span>Edward Snowden</span></a><span> is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.</span></p>
<p dir="ltr" style="text-align: justify; ">Video: <a href="http://www.youtube.com/v/5yB3n9fu-rM">http://www.youtube.com/v/5yB3n9fu-rM</a></p>
<h2><span>So what does this all mean for India?</span></h2>
<p dir="ltr" style="text-align: justify; "><span>In his </span><a href="http://www.youtube.com/watch?v=Wl5OQz0Ko8c"><span>keynote speech at the 29th Chaos Communication Congress</span></a><span>, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone's department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have </span><a href="http://space.jpl.nasa.gov/msl/Programs/corona.html"><span>a history of spying on civilians</span></a><span>, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s are proof of that. But how does all this affect India?</span></p>
<p dir="ltr" style="text-align: justify; "><span>By </span><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=1&"><span>tapping into the servers of some of the biggest Internet companies in the world,</span></a><span> such as Google, Facebook and Microsoft, the NSA gains access not only to the data of American users but also to that of Indian users. In fact, the “global heat map” of the controversial </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span> data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than on most countries in the world. Why is that a problem?</span></p>
<p dir="ltr" style="text-align: justify; "><span>India has no privacy law: it lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians' data through the servers of Internet companies such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Recent reports that the NSA is tapping into these servers ultimately mean that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained, whether it is being shared with other third parties, or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Many questions remain vague, but one thing is clear: through the NSA's total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It's not just about the U.S. government having access to Indians' data, because access can lead to control, and according to security expert </span><a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/05/securitymatters_0515"><span>Bruce Schneier</span></a><span>:</span></p>
<blockquote class="italized"><span> “Our data reflects our lives...and those who control our data, control our lives”. </span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in </span><a href="http://www.bbc.co.uk/news/business-22867185"><span>corporations seeking data request transparency</span></a><span>, but also because they are unveiling a major global issue: surveillance is a fact and can no longer be denied. The massive, indiscriminate collection of Indians' data, without their prior knowledge or consent, and without guarantees as to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since </span><a href="http://www.statsoft.com/textbook/data-mining-techniques/"><span>the larger the database, the larger the probability for error</span></a><span>. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since </span><a href="http://dspace.flinders.edu.au/xmlui/bitstream/handle/2328/26269/wahlstrom%20on%20the%20impact.pdf;jsessionid=D948EDED21805D871C18E6E4B07DAE14?sequence=1"><span>technology is not infallible </span></a><span>and data trails are not always accurate.</span></p>
<p dir="ltr" style="text-align: justify; "><span>What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even </span><a href="http://www.time.com/time/world/article/0,8599,2097899,00.html"><span>murdered - remember the drones</span></a><span>?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?</span></p>
<h2><span>What can we do now?</span></h2>
<p dir="ltr" style="text-align: justify; "><span>Let's start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.</span></p>
<p dir="ltr" style="text-align: justify; "><span>Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.</span></p>
<p dir="ltr" style="text-align: justify; "><span>As a next, but immediate, step, the Indian government should demand answers from the NSA to the following questions:</span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>What type of data is collected from India and which parties have access to it?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>How long is such data retained for? Can the retention period be renewed and if so, for how long?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?</span></p>
</li>
</ul>
<p dir="ltr" style="text-align: justify; "><span>In addition to the above questions, the Indian government should also request all other information relating to Indians' data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases where such abuse may be committed by foreign agencies. Thus, the Indian government should ensure that future secret collection of Indians' data is prevented and that Internet companies are transparent and accountable with regard to who has access to their servers.</span></p>
<p dir="ltr" style="text-align: justify; "><span>On an individual level, Indians can protect their data by using encryption, such as </span><a href="http://www.gnupg.org/"><span>GPG encryption</span></a><span> for their emails and </span><a href="https://www.encrypteverything.ca/index.php/Setting_up_OTR_and_Pidgin"><span>OTR encryption</span></a><span> for instant messaging. </span><a href="https://www.torproject.org/"><span>Tor</span></a><span> is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor was originally short for “The Onion Router”, and “onion routing” refers to the layers of encryption used. In particular, the client encrypts the data once for each relay in its circuit, so the message leaves wrapped in several layers, and sends it through a sequence of randomly selected Tor relays. Each relay decrypts only its own “layer”, which reveals nothing more than the next relay in the circuit, and the final relay removes the last “layer”. Essentially, Tor makes it much harder for the original data to be understood in transit and conceals its routing, since no single relay sees both the sender and the destination.</span></p>
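<p dir="ltr" style="text-align: justify; ">The layering described above, as an added toy illustration that is not code from CIS or from the Tor Project: the client wraps a message in one encryption layer per relay, each relay strips exactly one layer and learns only the next hop, and a relay holding the wrong key cannot open a layer at all. Real Tor negotiates a separate session key with each relay and uses its own cell format; here the per-relay keys are constructed demo values, and the per-layer cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library and the layering can be checked.</p>

```python
# Added toy model of onion-routing layered encryption (not Tor's real protocol).
# Relay keys and the per-layer cipher below are constructed for demonstration.
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key and nonce (counter mode over HMAC)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC and strip one layer; raises ValueError if the key is wrong."""
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ciphertext = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: not this relay's layer")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def build_onion(path, keys, message: bytes) -> bytes:
    """Client side: wrap `message` in one layer per relay, innermost for the exit.
    Each layer carries only the name of the next hop and the still-encrypted rest."""
    layer = seal(keys[path[-1]], json.dumps({"next": None, "payload": message.hex()}).encode())
    for i in range(len(path) - 2, -1, -1):
        layer = seal(keys[path[i]], json.dumps({"next": path[i + 1], "payload": layer.hex()}).encode())
    return layer


def relay_strip(name: str, keys, blob: bytes):
    """What relay `name` can see: the next hop and an opaque blob, nothing more."""
    header = json.loads(unseal(keys[name], blob))
    return header["next"], bytes.fromhex(header["payload"])


def can_open(name: str, keys, blob: bytes) -> bool:
    """True if relay `name` holds the key for the outermost layer of `blob`."""
    try:
        unseal(keys[name], blob)
        return True
    except ValueError:
        return False


def traverse(path, keys, onion: bytes):
    """Simulate the circuit hop by hop; returns ([(relay, next_hop), ...], delivered bytes)."""
    observations = []
    blob = onion
    for relay in path:
        next_hop, blob = relay_strip(relay, keys, blob)
        observations.append((relay, next_hop))
    return observations, blob


def demo():
    """Three-hop circuit with constructed keys; returns what each party could learn."""
    path = ["guard", "middle", "exit"]
    keys = {name: hashlib.sha256(b"constructed-demo-key-" + name.encode()).digest() for name in path}
    onion = build_onion(path, keys, b"hello, world")
    observations, delivered = traverse(path, keys, onion)
    return {
        "observations": observations,                           # each relay learns only its neighbours
        "delivered": delivered,                                 # only the exit recovers the message
        "middle_opens_outer": can_open("middle", keys, onion),  # False: not its layer
        "guard_opens_outer": can_open("guard", keys, onion),    # True: its own layer
    }


if __name__ == "__main__":
    print(demo())
```

<p dir="ltr" style="text-align: justify; ">The observations list is the point of the model: the guard learns the sender and the middle relay, the middle relay learns only its two neighbours, and the exit learns the destination and the plaintext. That last fact is also why end-to-end encryption such as HTTPS is still needed inside Tor: the final hop, like any exit, sees whatever the client did not separately encrypt.</p>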
<p dir="ltr" style="text-align: justify; "><span>To avoid surveillance, the use of </span><a href="https://www.eff.org/https-everywhere"><span>HTTPS-Everywhere</span></a><span> in the </span><a href="https://www.torproject.org/download/download-easy.html"><span>Tor Browser</span></a><span> is recommended, as well as the use of combinations of additional software, such as </span><a href="https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/"><span>TorBirdy</span></a><span> and </span><a href="http://www.enigmail.net/home/index.php"><span>Enigmail</span></a><span>, OTR and </span><a href="https://joindiaspora.com/"><span>Diaspora</span></a><span>. </span><a href="https://blog.torproject.org/blog/prism-vs-tor"><span>Tor hidden services are communication endpoints </span></a><span>that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA's surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.</span></p>
<p dir="ltr" style="text-align: justify; "><span>Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it's a fact. And why is it vital to protect our data? Because if we don't, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.</span></p>
<p dir="ltr" style="text-align: justify; "><span>The </span><a href="http://necessaryandproportionate.net/"><span>principles</span></a><span> formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these </span><a href="http://editors.cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights"><span>principles</span></a><span> are:</span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legality</b>: Limitations to the right to privacy must be prescribed by law</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legitimate purpose</b>: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Necessity</b>: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Adequacy</b>: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Competent authority</b>: Authorities must be competent when making determinations relating to communications or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Due process</b>: Governments must respect and guarantee an individual's human rights, any interference with such rights must be authorised in law, and the lawful procedure that governs how the government can interfere with those rights must be properly enumerated and available to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>User notification</b>: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Integrity of communications and systems</b>: Service providers are responsible for the secure transmission and retention of communications data or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards for international cooperation</b>: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation</p>
</li>
</ul>
<p dir="ltr" style="text-align: justify; "><span>Applying the above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for everyone to fight for their right to be free.</span></p>
<p dir="ltr" style="text-align: justify; "><span><i>Is a world without freedom worth living in?</i></span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance'>http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-11-06T10:20:46Z | Blog Entry
Comparative Analysis of DNA Profiling Legislations from Across the World
http://editors.cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world
<b>With the growing importance of forensic data in law enforcement and research, many countries have recognized the need to regulate the collection and use of forensic data and maintain DNA databases. Across the world around 60 countries maintain DNA databases which are generally regulated by specific legislations. Srinivas Atreya provides a broad overview of the important provisions of four different legislations which can be compared and contrasted with the Indian draft bill.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Efforts to regulate the collection and use of DNA data were started in India in 2007 by the Centre for DNA Fingerprinting and Diagnostics through their draft DNA Profiling Bill. Although the bill has evolved from its original conception, several concerns with regard to human rights and privacy still remain. The draft bill heavily borrows the different aspects related to collection, profiling and use of forensic data from the legislations of the United States, United Kingdom, Canada and Australia.</p>
<hr />
<p style="text-align: justify; "><a href="http://editors.cis-india.org/internet-governance/blog/comparative-analysis-dna-profiling-bill.xlsx" class="internal-link"><b>Click</b> to find an overview of a comparative analysis of DNA Profiling Legislations</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world'>http://editors.cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world</a>
</p>
No publisher | atreya | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:30:17Z | Blog Entry
Report on the 3rd Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI's paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "><span>Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18</span><sup>th</sup><span> May 2013.</span></p>
<h2><span><span><b>Overview of DSCI's paper on “Strengthening Privacy Protection through Co-Regulation”</b></span></span></h2>
<p style="text-align: justify; ">The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATGRID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.</p>
<p style="text-align: justify; ">The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals' sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.</p>
<p style="text-align: justify; ">In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers' data, especially since customers <i>choose </i>to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner in which they handle customers' data. Another participant argued that a significant amount of data is collected without users' consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that the individual should have the right to access his/her data and make possible corrections.</p>
<p style="text-align: justify; ">The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers' data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals' right to privacy and the market are protected.</p>
<p style="text-align: justify; ">The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals' data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, both the Privacy Commissioner and the individual in question would have to be informed and that the issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.</p>
<p style="text-align: justify; ">The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could raise awareness of data protection among both other companies and individuals, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.</p>
<p style="text-align: justify; ">Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, since any company could at some point violate users' data in some way, neither self-regulation nor co-regulation would be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users' data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.</p>
<p style="text-align: justify; ">Co-regulation was once again supported by the DSCI through the argument that customers <i>choose </i>to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of <i>incentives</i> companies have in order to comply with regulations and to protect users' data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals' privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.</p>
<h1 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h1>
<h2 style="text-align: justify; ">Discussion of definitions: Chapter II</h2>
<p style="text-align: justify; ">The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where one would focus on data protection and the other on surveillance and interception. Splitting a Bill on data protection into two consecutive Bills was also proposed, where one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the areas mentioned above was seriously considered.</p>
<p style="text-align: justify; ">The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ‘sensitive personal data’ and it was recommended that the Indian draft Privacy (Protection) Bill comply with it. Other participants argued that a controversy exists in India on whether the government would conduct a caste census and, if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition of ‘sensitive personal data’ to safeguard individuals from potential abuse. Furthermore, the fact that the term ‘sensitive personal data’ is not defined harmoniously in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply with global privacy standards.</p>
<p style="text-align: justify; ">The broadness of the definition of ‘sensitive personal data’ was raised as a potentially problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated whether financial information should be included in the definition of ‘sensitive personal data’, but a consensus was not reached. Other participants argued that the terms ‘data subject’ and ‘data controller’ should be carefully defined, and that a generic definition of the term ‘genetic data’ should be included in the Bill. Furthermore, it was argued that the word ‘monitor’ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as trade union membership, should be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should be covered by a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals' personal data. It was also argued that when an individual is constantly under surveillance, that individual's behaviour is more controlled, and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable for how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored on foreign servers.</p>
<p style="text-align: justify; "><b>Issue of Consent</b></p>
<p style="text-align: justify; ">The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, the conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data held about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.</p>
<p style="text-align: justify; "><b>Outsourcing of Data</b></p>
<p style="text-align: justify; ">It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be informed about which data is being collected and whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.</p>
<p style="text-align: justify; ">Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages, when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that their data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but that the manner of its use is what really matters.</p>
<p style="text-align: justify; "><b>Data Retention</b></p>
<p style="text-align: justify; ">It was argued that 50,000 arrests have been made under the powers given by POTA. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.</p>
<p style="text-align: justify; ">It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change over time and the data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that it should apply not only to present data, but also to past data, such as archives.</p>
<p style="text-align: justify; "><b>Data Processing</b></p>
<p style="text-align: justify; ">The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.</p>
<p style="text-align: justify; "><b>Data Disclosure</b></p>
<p style="text-align: justify; ">The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties who gain access to it through cooperation with Indian law enforcement agencies, and cases of dual criminality in terms of the misuse of data abroad were also raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) the applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.</p>
<p style="text-align: justify; ">According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.</p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs privacy legislation and that individuals' data should be legally protected. However, participants disagreed on how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers' data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached on co-regulation and self-regulation, the majority of the participants agreed upon the establishment of privacy legislation which would safeguard individuals' personal data. The major issue, however, with the creation of privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting'>http://editors.cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:35:22Z | Blog Entry
The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!
http://editors.cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers
<b>Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out! </b>
<hr />
<p style="text-align: justify; ">This blog post has been <a class="external-link" href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cross-posted</a> in Medianama on May 8, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">So yes, we live in an <a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">Internet Surveillance State</a>. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveil us in the first place?</p>
<p style="text-align: justify; "><span>Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it</span><a href="http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting"> lacks privacy legislation </a><span>which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.</span></p>
<p style="text-align: justify; "><span>The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?</span></p>
<h2><b>A glimpse of the surveillance industry in India</b></h2>
<p style="text-align: justify; "><span>In light of the </span><a href="http://uidai.gov.in/">UID scheme</a><span>, the </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National Intelligence Grid</a><span> (NATGRID), the </span><a href="http://ncrb.nic.in/cctns.htm">Crime and Criminal Tracking Network System</a><span> (CCTNS) and the </span><a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a><span> (CMS), who supplies law enforcement agencies with the technology to surveil us?</span></p>
<p style="text-align: justify; "><span>In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias, and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies </span><a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">simultaneously produce internet monitoring software and encryption tools</a><span>! Thus it would probably not be fair to label companies as 'surveillance technology companies' per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.</span></p>
<p style="text-align: justify; ">Companies selling surveillance technology in India are listed in <a href="http://editors.cis-india.org/internet-governance/blog/table-1.pdf" class="internal-link">Table 1</a>. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.</p>
<p style="text-align: justify; "><span><a href="http://editors.cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> shows the types of surveillance technology produced and sold by these 76 companies.</span></p>
<p style="text-align: justify; ">The graph below is based on <a href="http://editors.cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> and shows which types of surveillance are produced the most by the 76 companies.</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/copy_of_Surveillancetechgraph.png" alt="Surveillance Graph" class="image-inline" title="Surveillance Graph" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Graph on types of surveillance sold to law enforcement agencies by 76 companies in India</p>
<p style="text-align: justify; "><span>Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the </span><a href="http://www.economist.com/node/21542814">UID scheme</a><span> which is rapidly expanding across India. Only </span><a href="http://www.clear-trail.com/">one company</a><span> from the sample produces social network analysis software, but this is not to say that this type of technology is scarce in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used on social networking sites and which could have similar, if not the same, capabilities as social network analysis software. Such technology may potentially be aiding the </span><a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a><span>, especially since the project would have to monitor and mine Big Data.</span></p>
<p style="text-align: justify; "><span>On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since </span><a href="https://opennet.net/research/profiles/india">the majority of the population in India does not even have Internet access</a><span>. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while </span><a href="http://www.thehindu.com/news/national/half-of-indias-homes-have-cellphones-but-not-toilets/article2992061.ece">more than half the population owns mobile phones</a><span>. Seeing as companies, such as </span><a href="http://www.clear-trail.com/">ClearTrail Technologies</a><span> and </span><a href="http://www.shoghicom.com/">Shoghi Communications</a><span>, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.</span></p>
<h2>Did you Know:</h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/spywarepic.jpg" alt="Spyware" class="image-inline" title="Spyware" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>CARLOS62 on flickr </span></p>
<ol>
<li>WSS Security Solutions Pvt. Ltd. is <a href="http://www.wssgroup.in/aboutus.html">north India's first CCTV zone</a></li>
<li>Speck Systems Limited was <a href="http://www.specksystems.com/sub-links/Strengths/core-strengths-UAV.htm">the first Indian company to design, manufacture and fly a micro UAV indigenously</a></li>
<li>Mobile Spy India (Retina-X Studios) has the following <a href="http://www.mobilespy.co.in/">mobile spying features</a>:
<ul>
<li><i>SniperSpy</i>: remotely monitors smartphones and computers from any location</li>
<li><i>Mobile Spy</i>: monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces</li>
</ul>
</li>
<li>Infoserve India Private Limited produces an <a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">Internet Monitoring System</a> with the following features:
<ul>
<li>Intelligence gathering for an entire state or a region</li>
<li>Builds a chain of suspects from a single start point</li>
<li>Data loss of less than 2%</li>
<li>2nd Generation Interception System</li>
<li>Advanced link analysis and pattern matching algorithms</li>
<li>Completely Automated System</li>
<li>Data Processing of up to 10 G/s</li>
<li>Automated alerts on the capture of suspicious data (usually based on keywords)</li>
</ul>
</li>
<li>ClearTrail Technologies deploys <a href="https://www.documentcloud.org/documents/409231-111-cleartrail.html#document/p3/a68269">spyware into a target's machine</a></li>
<li>Spy Impex sells <a href="http://www.tradedir.in/s/coca-cola-tin-camera">Coca Cola Tin Cameras</a>!</li>
<li>Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and <a href="http://www.indiamart.com/nicedeal/spy-hidden-cameras.html">Lighter Video Cameras</a> to name a few...</li>
<li>Raviraj Technologies is an Indian company which supplies <a href="http://www.ravirajtech.com/index.html">RFID and biometric technology</a> to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?
<ul>
<li style="text-align: justify; ">Non-democracies lack adequate privacy and human rights safeguards, and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further <a href="http://www.rogerclarke.com/DV/Biometrics.html">oppression</a> within these countries</li>
<li style="text-align: justify; ">Egypt and Tunisia held elections to transition to democracy, and providing them with biometric technology could lead to further oppression and stifle efforts to increase human rights safeguards</li>
</ul>
</li>
</ol>
<h2><b>“I'm not a terrorist, I have nothing to hide!”</b></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/surveillancetechpic.jpg" alt="Surveillance Tec" class="image-inline" title="Surveillance Tec" /></th>
</tr>
</tbody>
</table>
<p><span> </span><a href="http://www.flickr.com/photos/r1chard/">r1chardm</a> on flickr</p>
<p style="text-align: justify; ">It's not a secret: everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:</p>
<blockquote class="italized"><i>“I'm not a terrorist, I have nothing to hide!”</i></blockquote>
<p style="text-align: justify; "><span>Indeed. You may not be a terrorist...and you may </span><i>think </i><span>you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define 'risky' and 'non-risky' information?</span></p>
<p style="text-align: justify; "><span>Last year at </span><a href="http://lcaunderthestars.org.au/programme/schedule">linux.conf.au</a><span>, </span><a href="http://www.youtube.com/watch?v=GMN2360LM_U">Jacob Appelbaum</a><span> stated that in a surveillance state, everyone can potentially be a suspect. The argument “I'm not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. </span><a href="http://www.schneier.com/essay-155.html">Bruce Schneier</a><span> has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to entail 'non-risky' information, but the reality of security may indicate that our data entails 'risky' information depending on who is looking at it, when, how and why. I disagree with the distinction between 'risky' and 'non-risky' information, as any data can potentially be 'risky' depending on the circumstances of its access.</span></p>
<p style="text-align: justify; "><span>That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, </span><a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">we are all potentially suspects</a><span>. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately make us suspects too. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under 'suspicious activity'. It's not really an issue of whether we are involved in a criminal organisation per se or whether we are disclosing so-called </span><a href="http://www.computerworld.com/s/article/9176265/Half_of_social_networkers_post_risky_information_study_finds_">'risky information'</a><span>. As long as our data is being surveilled, we are all suspects, which means that </span><a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239412">we can all potentially be arrested, interrogated and maybe even tortured</a><span>, just like any other criminal suspect.</span></p>
<p style="text-align: justify; "><span>But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals' right to privacy and other human rights.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market's demand and without it, the surveillance industry would not exist. The </span><a href="http://www.sourcesecurity.com/news/articles/co-1753-ga.4047.html">market appears to demand surveillance technologies</a><span> because a pre-existing </span><a href="http://www.abc.net.au/tv/bigideas/stories/2012/04/16/3476847.htm">surveillance culture</a><span> has been established, which in turn may or may not have been created by political interests in public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as </span><a href="http://money.cnn.com/magazines/fortune/global500/2012/snapshots/284.html">3M</a><span>, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company, is at the very least proof that </span><a href="http://www.sscqueens.org/davidlyon/">surveillance is being socially integrated</a><span>. In other words, companies should be accountable for the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.</span></p>
<p style="text-align: justify; "><span>By not opposing repressive surveillance laws, the CCTV cameras on every corner, or surveillance schemes such as </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID </a><span>and the </span><a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><span> in India, or by handing over our data, </span><a href="http://www.schneier.com/essay-167.html"><i>we </i></a><a href="http://www.schneier.com/essay-167.html">are fuelling the surveillance state</a><span>. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather appears to be a product of both the Information Revolution </span><i>and </i><span>of our illusory sense of control over our personal data. Our 'apathy' enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.</span></p>
<p style="text-align: justify; "><span>Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because </span><a href="http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting">India lacks privacy legislation </a><span>which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.</span></p>
<p style="text-align: justify; "><span>Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as </span><a href="http://www.ravirajtech.com/index.html">Raviraj Technologies</a><span>, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country which lacks adequate safeguards for its citizens with the technology to ultimately control those citizens can potentially have severe effects on human rights within the country. Thus </span><a href="https://www.privacyinternational.org/reports/our-response-to-eu-consultation-on-legality-of-exporting-surveillance-and-censorship-3">export controls</a><span> are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions on international companies selling surveillance technologies opening offices in India, since the country currently lacks privacy legislation.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even </span><a href="http://edition.cnn.com/2013/03/15/world/asia/u-n-drone-objections">murdered</a><span> in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers'>http://editors.cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers</a>
</p>
No publisher | maria | surveillance technologies | Internet Governance | SAFEGUARDS | 2013-07-12T11:59:10Z | Blog Entry
Report on the 2nd Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table
<b>This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013. </b>
<hr />
<p>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; ">Following the first Privacy Round Table in Delhi, this <a href="http://editors.cis-india.org/internet-governance/blog/report-on-bangalore-privacy-meeting" class="internal-link">report</a> entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20<sup>th</sup> April 2013.</p>
<h2 style="text-align: justify; ">Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”</h2>
<p style="text-align: justify; ">The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13<sup>th</sup> April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.</p>
<p style="text-align: justify; ">DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.</p>
<p style="text-align: justify; ">The discussion points brought forward by DSCI were:</p>
<ul style="text-align: justify; ">
<li>What role should government and industry respectively play in developing and enforcing a regulatory framework? </li>
<li>How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?</li>
<li>How can an organization be incentivized to follow the codes of practice under the SRO?</li>
<li>What should be the role of SROs in redressal of complaints?</li>
<li>What should be the business model for SROs?</li>
</ul>
<p style="text-align: justify; ">DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value the economic benefits of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, and that the self-regulatory framework of businesses adapt technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies be legally recognised.</p>
<h2 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h2>
<h3 style="text-align: justify; ">Discussion of definitions and preamble: Chapter I & II</h3>
<p style="text-align: justify; ">The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.</p>
<h3 style="text-align: justify; ">Sensitive Personal Data</h3>
<p style="text-align: justify; ">The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethnic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.</p>
<h3 style="text-align: justify; ">Information vs. Data</h3>
<p style="text-align: justify; ">During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.</p>
<h3 style="text-align: justify; ">Exemptions</h3>
<p style="text-align: justify; ">Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. It was pointed out that the Bill does not address the element of error within data, and it was suggested that this be included in the draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are being included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.</p>
<h3 style="text-align: justify; ">Data Collection</h3>
<p style="text-align: justify; ">In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered throughout the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.</p>
<h3 style="text-align: justify; ">Consent</h3>
<p style="text-align: justify; ">On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over certain data, in other cases they <i>choose </i>to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this too should be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.</p>
<p style="text-align: justify; ">Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated with the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas into consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases in which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions be included in the Bill.</p>
<h3 style="text-align: justify; ">Data Disclosure</h3>
<p style="text-align: justify; ">In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.</p>
<p style="text-align: justify; ">A participant recommended that individuals be informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared and retained when it is not handled within India, and several participants argued that this should be addressed within the Bill.</p>
<h3 style="text-align: justify; ">Data Destruction</h3>
<p style="text-align: justify; ">In terms of data destruction, a participant emphasized the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.</p>
<h3 style="text-align: justify; ">Data Processing</h3>
<p style="text-align: justify; ">In terms of data processing, participants argued that privacy protection complications have arisen in light of social media. In particular, they argued that social media develop and expand technologically constantly and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.</p>
<p style="text-align: justify; ">However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.</p>
<p style="text-align: justify; ">In brief, the following questions with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>Should consent be required prior to the collection of data?</li>
<li>Should consent be acquired prior and after the disclosure of data? </li>
<li>Should the purpose of data collection be the same as the purpose for the disclosure of data?</li>
<li>Should an executive order or a court order be required to disclose data?</li>
<li>Against the background of national security, anyone´s data can be on the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data on the ´suspicion list´ and, under national security, the government can disclose information; how can their information be protected in such cases?</li>
<li>An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?</li>
<li>Should companies notify individuals when they share their (individuals´) data with international third parties?</li>
</ul>
<p style="text-align: justify; ">In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>The data subject has to be informed, unless there is a model contract. </li>
<li>The request for consent should depend on the type of data that is to be disclosed.</li>
<li>Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).</li>
<li>The shared data may be considered private data (need of a relevant regulatory framework).</li>
<li>An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.</li>
<li>If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country. </li>
<li>India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.</li>
<li>The problem with disclosure arises when there is an exception for certain circumstances.</li>
<li>Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability. </li>
<li>Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).</li>
<li>´Data ownership´ should be included in the definitions of the Bill. </li>
<li>What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.</li>
</ul>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for purposes other than the original purpose, and that such information should not be shared with third parties.</p>
<p style="text-align: justify; ">Questions were raised in regards to who should authorise the interception of communications, and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner be mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.</p>
<h2 style="text-align: justify; ">Discussion on self-regulation and co-regulation</h2>
<p style="text-align: justify; ">The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.</p>
<p style="text-align: justify; ">The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.</p>
<p style="text-align: justify; ">Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India the industry became aware of privacy far sooner than the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation, who argued that the industry has a vested interest in self-regulation, which should be countered by public policy. This argument was in turn countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table'>http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:54:28Z | Blog Entry
Report on the 1st Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li style="text-align: justify; ">New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p>This <a href="http://editors.cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf" class="internal-link">report </a>entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</p>
<h2><b>Overview of Justice A P Shah Report: Purpose, Principles and Framework</b></h2>
<p style="text-align: justify; ">The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, detailing nine privacy principles and a regulatory framework. India currently lacks privacy legislation, and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.</p>
<p style="text-align: justify; ">During the discussion on the report, a participant stated that, although privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and online businesses. Thus, the participant emphasized the creation of “light-weight” privacy legislation, which would protect individuals´ right to privacy without infringing upon the interests of the private sector.</p>
<p style="text-align: justify; ">Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:</p>
<ul style="text-align: justify; ">
<li>The purpose of the collection of data</li>
<li>The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case</li>
<li>Data is shared with third parties and it is hard to control how long they retain the data for</li>
<li>Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data</li>
</ul>
<p style="text-align: justify; ">Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: when data is collected for two different purposes, should an individual be entitled to single access to both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follow the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government simply imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation, and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation be approved by the Privacy Commissioner.</p>
<p style="text-align: justify; ">While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, one which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before access to that information is authorised. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.</p>
<p style="text-align: justify; ">The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual once that individual's personal information has been collected, used, processed and retained. Many participants argued that since customers choose to use companies' products, they should accept the companies' methods of handling data and trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable for how they handle customers' data and that the sharing of customer data without the individual's prior knowledge or consent could lead to data breaches and human rights violations.</p>
<p style="text-align: justify; ">The first session of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers' data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for call detail records (CDRs), and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.</p>
<h3 style="text-align: justify; ">Discussion Highlights:</h3>
<ul style="text-align: justify; ">
<li>The pros and cons of self-regulation and co-regulation</li>
<li>The national privacy principles – and how to build in insurance for technology</li>
<li>The role of the Privacy Commissioner</li>
<li>The definition of terms used in the draft Privacy (Protection) Bill 2013 </li>
</ul>
<h2><b>Overview, explanation and discussion on the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizens' version of privacy legislation for India. The Bill contains chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.</p>
<p style="text-align: justify; ">During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate statutes to deal with privacy in the private and public sectors.</p>
<p style="text-align: justify; ">Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.</p>
<p style="text-align: justify; ">As the draft Privacy (Protection) Bill 2013 may clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created to ensure that the proposed privacy legislation is reconciled with potentially contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished from personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.</p>
<p style="text-align: justify; ">Many participants agreed that India's proposed Privacy Law should meet <i>global standards </i>in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.</p>
<p style="text-align: justify; ">The issue of to whom privacy laws would apply was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or whether it would also apply to foreign individuals using services and/or products of Indian IT companies. The data protection of customers beyond India remains vague; this was thoroughly discussed and participants disagreed upon the issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent for the use of data from customers in foreign countries, especially since different laws apply in each country.</p>
<p style="text-align: justify; ">The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.</p>
<p style="text-align: justify; ">The term 'sensitive personal data' was analysed in the meeting and it was argued that it covers data such as sexual orientation, religion, caste and health records, among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public spheres. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term 'sensitive personal data' and that he/she not only ensure that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term 'sensitive personal data' by arguing that a loose definition of the term, one which would not include ethnic origin, could lead to social violence and tension; thus the necessity to strictly define the term is highly essential.</p>
<p style="text-align: justify; ">Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology on his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included along those lines. Other participants asked whether call detail records (CDRs) should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine 'public figures' was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed, arguing that disclosure of data in the name of public interest should be enabled.</p>
<p style="text-align: justify; ">During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that whether data is publicly available depends on <i>where </i>it is being broadcast. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcast on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.</p>
<p style="text-align: justify; ">The meeting proceeded to a discussion on the interception of communications, and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request authorisation once the interception has already been conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases the conditions may not permit prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. No definitive answer was given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.</p>
<p style="text-align: justify; ">The second session of the meeting concluded by affirming the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals' personal data.<span> </span></p>
<h3>Discussion Highlights:</h3>
<ul>
<li>If the draft Privacy (Protection) Bill 2013 should be split into two separate Bills</li>
<li><span>Definition of the term 'sensitive personal data' (to include broader categories, such as health data)</span></li>
<li>If personal data should be distinguished in the private and public sector</li>
<li>If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards</li>
<li>The nuances of consumer consent</li>
<li>Various ways to define 'public figures'</li>
<li>Freedom of expression in the context of the draft Privacy (Protection) Bill 2013 </li>
<li>The distinction between exemptions and exceptions</li>
</ul>
<h2><b>In depth explanation and discussions regarding the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to 'specific purposes', because such purposes can constantly change and all such restrictions can have a negative impact both on the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term 'necessary information' is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.</p>
<p style="text-align: justify; ">The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill include provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals' right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals <i>choose</i> to disclose a large amount of information.</p>
<p style="text-align: justify; ">The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that companies should not be obliged to disclose the names of the parties they share data with. It was argued that businesses prefer not to reveal the names of the third parties to which they disclose data, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is shared, and that not only would this affect a company's competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is shared, it was argued that companies are responsible for protecting their customers' data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers' data, they are not obliged to reveal the parties with whom they share information, as this would be highly inconvenient.</p>
<p style="text-align: justify; ">Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust, and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.</p>
<p style="text-align: justify; ">A participant countered this argument by stating that when data processing is automated, it is hard to identify the source of the data, and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users' data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even the services of the biggest IT companies, such as Gmail, share customers' data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized the futility of informing customers of the handling of their data, especially since the average customer would not understand the security settings of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.</p>
<p style="text-align: justify; ">In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change over time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.</p>
<p style="text-align: justify; ">In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers' data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers' data is not breached.</p>
<p style="text-align: justify; ">Such arguments were countered by other participants, who argued that it is highly significant to inform online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to infringe upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable for how they handle data.</p>
<p style="text-align: justify; ">The fact that companies can use metadata for research purposes was mentioned in the meeting, which raised the need to redefine the term 'data'. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the 'Right to be Forgotten' debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding how such data should be handled. Data should not be disclosed for the sake of being disclosed; rather, companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products, and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option, and the example of Facebook was brought up. Participants argued that, given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.</p>
<p style="text-align: justify; ">The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to 'sensitive personal data'. The need for the redefinition of the term 'sensitive personal data' in the draft Privacy Bill was emphasized again, as well as participants' concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should <i>not </i>be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may not have considered when granting initial consent.</p>
<p style="text-align: justify; ">The meeting proceeded to discuss the processing of data, and several participants emphasized the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies.<span> </span></p>
<h3>Discussion Highlights:</h3>
<ul>
<li>The different instances of data collection and consumer consent</li>
<li>The nuances of data sharing </li>
<li>The issue of consumer consent and security assurances offered by companies</li>
<li>The pros and cons of having a data retention regulatory framework</li>
<li>How transparency is incorporated into the draft Privacy Protection Bill 2013 </li>
<li>What is needed in provisions that speak to data destruction</li>
</ul>
<h2>Meeting conclusion</h2>
<p style="text-align: justify; ">The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals' right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.</p>
<p style="text-align: justify; ">Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="internal-link">Privacy Protection Bill, 2013</a> based on participants' feedback, concerns, comments and ideas.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting'>http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting</a>
</p>
Blog Entry, published 2013-07-30 (SAFEGUARDS, Internet Governance, Privacy)
Comments on the Information Technology (Electronic Service Delivery) Rules, 2011
http://editors.cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Information Technology (Electronic Service Delivery) Rules, 2011. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; "><b>I <span><span>Preliminary</span></span></b></p>
<p style="text-align: justify; ">1.1 This submission presents comments from the Centre for Internet and Society (<b>“CIS”</b>) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (<b>“ESD Rules”</b> or <b>“Rules”</b>).</p>
<p style="text-align: justify; ">1.2 The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (<b>“EDS Bill” </b>or<b> “Bill”</b>). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (<b>“electronic service delivery”</b>). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules is called into question.</p>
<p style="text-align: justify; "><b>II <span><span>Basic Issues Regarding Electronic Service Delivery</span></span></b></p>
<p style="text-align: justify; ">2.1 CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (<b>“Standing Committee”</b>) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:</p>
<p style="text-align: justify; ">(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are so unfamiliar with such technologies that their ability to receive basic government services is endangered;</p>
<p style="text-align: justify; ">(b) Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;</p>
<p style="text-align: justify; ">(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;</p>
<p style="text-align: justify; ">(d) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;</p>
<p style="text-align: justify; ">(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;</p>
<p style="text-align: justify; ">(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection<a href="#fn1" name="fr1">[1]</a> and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,<a href="#fn2" name="fr2">[2]</a> the annual installed capacity for electricity generation is growing<a href="#fn3" name="fr3">[3]</a> and the literacy rate is increasing.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">2.2 The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. <b>In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribes the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. </b>Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.</p>
<p style="text-align: justify; "><b>III <span>Improper Exercise of Subordinate Legislative Power</span></b></p>
<p style="text-align: justify; ">3.1 Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (<b>“Rules of Procedure”</b>), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.</i></p>
<p style="text-align: justify; ">Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “<i>whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.</i>”</p>
<p style="text-align: justify; ">3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:</p>
<p style="padding-left: 30px; "><i>The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically-enabled kiosks or any other electronic service delivery mechanism.</i></p>
<p style="text-align: justify; "><b>This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.</b></p>
<p style="text-align: justify; ">3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:</p>
<p style="padding-left: 30px; text-align: justify; "><i>the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.</i></p>
<p>Section 6-A(2) of the IT Act states:</p>
<p style="padding-left: 30px; text-align: justify; "><i>The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.</i></p>
<p style="text-align: justify; "><i>Prima facie</i>, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers; <span>they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own</span>.<b> Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is <i>ultra vires</i> the IT Act.</b> This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).</p>
<p style="text-align: justify; "><b>IV <span>Clause-by-Clause Comments</span></b></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span></p>
<p>4.1.1 Rule 2(c) of the ESD Rules states:</p>
<p style="text-align: justify; "><i>"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules</i></p>
<p style="text-align: justify; ">In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contracting parties of the appropriate Government, which may enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.</p>
<p style="text-align: justify; "><b>4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”</p>
<p style="text-align: justify; ">Rule 3 - <span>System of Electronic Service Delivery</span></p>
<p>4.2.1 Rule 3(3) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, while they are electronically signed.</i></p>
<p style="text-align: justify; ">This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse that will impugn its viability as a means of delivering public services. However, the use of the term “<i>may</i>” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise: it is confined to records that are being electronically signed, and says nothing about the security of information that is collected or stored in the course of electronic service delivery.</p>
<p>4.2.2 <b>Therefore, it is proposed that rule 3(3) is amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”</p>
<p>4.3.1 Rule 3(5) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.</i></p>
<p style="text-align: justify; "><span>Firstly</span>, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical and will attract abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. <span>Secondly</span>, the use of the phrase “<i>financial code and treasury code</i>” is avoidable since these terms are undefined.</p>
<p><b>4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”</p>
<p>4.4.1 Rule 3(6) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services: </i></p>
<p style="text-align: justify; padding-left: 30px; "><i>Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.</i></p>
<p style="text-align: justify; ">This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.</i></p>
<p style="text-align: justify; ">Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules, which merely copies the provisions of the parent statute, is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is an absurd misuse of delegated legislative powers.</p>
<p style="text-align: justify; "><b>4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.</b></p>
<p>4.5.1 Rule 3(7) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.</i></p>
<p>This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.</i></p>
<p style="text-align: justify; ">As noted in paragraph 4.4.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.</p>
<p style="text-align: justify; "><b>4.5.2 Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.</b></p>
<p>4.6.1 Rule 3(8) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.</i></p>
<p style="text-align: justify; ">There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, service levels prescribed under a sub-delegated power cannot be enforced by penalties. Simply put, <span>the state cannot enforce penalties unless authorised by law</span>. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance are meaningless, especially since service providers will be engaged in providing access to essential government services.</p>
<p><b>4.6.2 Therefore, it is proposed that rule 3(8) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, <i>Telecom Sector in India: A Decadal Profile</i> (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011'>http://editors.cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011</a>
</p>
No publisher. Author: bhairav. Tags: SAFEGUARDS, Internet Governance, Privacy. Published: 2013-07-12T12:12:16Z. Blog Entry.