The Centre for Internet and Society
http://editors.cis-india.org
State of Digital Rights in India (Delhi, March 24)
http://editors.cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24
<b>The Centre for Communication Governance at National Law University, Delhi and the Internet Freedom Foundation, in association with Access Now, are hosting a discussion on The State of Digital Rights in India on March 24, 2017 (Friday) from 6.00 pm onwards at Lecture Room-I, India International Centre- Annexe, New Delhi. Japreet Grewal and Sumandro Chattapadhyay will participate in the panel discussions.</b>
<h4>Registration: <a href="https://www.eventbrite.com/e/state-of-digital-rights-in-india-tickets-33001450226">Eventbrite</a></h4>
<hr />
<p>March 24, 2017 marks the two year anniversary of the landmark Shreya Singhal judgment. This was a very significant ruling on freedom of speech and expression and occupies an important place in the Supreme Court’s discourse on civil liberties. The judgment traces out the contours of free speech on the Internet in India and unequivocally holds that the right to freedom of expression provided under Article 19(1)(a) applies to speech over the Internet, making it clear that this is a medium-neutral right.</p>
<p>The event aims to shed some light on this key judgment and discuss ongoing discussions regarding our civil liberties and freedoms online before courts and the Parliament. We would also like to take this opportunity to discuss some of the other pressing issues like Network Neutrality, Internet shutdowns, Privacy and User Security which need immediate attention and engagement of our democratic institutions. We hope to formulate effective strategies which will further shape the legal and policy framework in India, and facilitate better collaborative efforts between stakeholders.</p>
<p>We hope to bring together everyone who contributed to the judgment, and those whose work is connected with it, so that we may build on it to seek a better legal framework to protect online speech, discuss the threats surrounding digital rights, and consider how best to build on the foundations of the judgment.</p>
<p>We would be grateful if you could take out some time on Friday evening (6PM) and be a part of this important discussion. The discussion will be followed by dinner and an Open Bar for an Open Internet, which will start from 9.00 pm at the Annexe Court in the India International Centre - Annexe. In case you are unable to attend the seminar, please do join us for dinner!</p>
<p>Featuring:</p>
<ul><li>A keynote address on our online freedoms and policymaking, by Shri Tathagata Satpathy (Member of Parliament, Lok Sabha)</li>
<li>A legal panel analysing the legacy of the Shreya Singhal v. Union of India judgment</li>
<li>Beyond Shreya Singhal: A conversation with women on the future of our digital rights</li>
<li>Briefings on the state of digital rights in our courts and in Parliament</li>
<li>A conversation on the path ahead for our civil liberties and digital rights community</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24'>http://editors.cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24</a>
</p>
Authors: Japreet Grewal and Sumandro Chattapadhyay. Tags: Privacy, Internet Governance, Civil Society, Security, Digital Rights. Published 2017-03-27T13:21:20Z. Blog Entry.
Developer team fixed vulnerabilities in Honorable PM's app and API
http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be<a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015"> read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<ol style="text-align: justify; ">
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for the API endpoints. For example, I was able to comment as any user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify that a valid user is making the request to the API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. People on older versions (which were served over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figured out a way to deal with people running older versions of the app. At least now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">I found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over HTTP as well as HTTPS. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted: a MITM attacker could easily fetch passwords and email addresses. Also, if your ISP keeps logs of data, which it probably does, then it might already have your email address, password etc. in plain text. So if you were using this app,<strong> I would suggest you change your password immediately</strong>. The possibility of it having been compromised can’t be ruled out.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API was giving the developers a false sense of security. The access token could easily be fetched, and anyone could send hand-crafted HTTP requests to the server. These would result in a valid JSON response without authenticating the user making the request. This included accessing user data (primarily the email address, and the Facebook profile pictures of those registered via Facebook) for any user, and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters: userid, which we could easily iterate over starting from 1, and token, which was a fixed value. There was no authentication check at the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like the email addresses of each and every user. I quickly wrote a very simple script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses: using this method you could spam any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I had been able to get in touch with the team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found, but the communication gap cost us a lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
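<p style="text-align: justify; ">The two API mistakes described above, a shared app token treated as if it authenticated a user and handlers that trust a client-supplied userid, are easiest to see side by side. The Python below is an added illustration written for this page; it is not the app's code, which is not reproduced here. The user table, the fixed token value, the HMAC-based per-user session token and every handler name are assumptions. It models the getprofile enumeration and the comment-as-anyone issue, then runs the same calls against handlers that derive identity from a server-issued token, refuse cross-user reads, and turn away plaintext clients with an upgrade message in the way the fix above describes.</p>

```python
"""Added example, not the app's real code: a toy model of the API design the
post describes next to a hardened version.  User table, fixed app token, the
HMAC session token and all handler names are assumptions for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample data; no real user records are reproduced.
USERS = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
    3: {"name": "carol", "email": "carol@example.com"},
}
APP_TOKEN = "fixed-token-shipped-in-every-copy-of-the-app"  # assumed: one value for all installs
COMMENTS = []  # records written by both comment handlers


# ---- vulnerable design: the token proves "this is the app", not "this is user N" ----
def vuln_getprofile(params):
    """Any caller holding the shared token can read any userid (no object-level check)."""
    if params.get("token") != APP_TOKEN:
        return {"error": "bad token"}
    user = USERS.get(int(params["userid"]))
    return {"error": "no such user"} if user is None else dict(user)


def vuln_postcomment(params):
    """The comment's author is whatever userid the client chose to send."""
    if params.get("token") != APP_TOKEN:
        return {"error": "bad token"}
    COMMENTS.append({"userid": int(params["userid"]), "text": params["text"]})
    return {"ok": True}


# ---- hardened design: a per-user token minted by the server after login ----
SERVER_KEY = secrets.token_bytes(32)  # assumed to exist only on the server


def issue_token(userid):
    """Bind a token to one user; the HMAC tag cannot be forged without SERVER_KEY."""
    tag = hmac.new(SERVER_KEY, str(userid).encode(), hashlib.sha256).hexdigest()
    return f"{userid}.{tag}"


def principal_from_token(token):
    """Return the userid the token was issued to, or None for anything forged or malformed."""
    try:
        uid_str, tag = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, uid_str.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return int(uid_str)
    except (AttributeError, ValueError):
        return None


UPGRADE_MSG = {"error": "update the app; this feature is only served over HTTPS"}


def safe_getprofile(params, scheme="https"):
    """Authenticate first, then allow a caller to read only their own record."""
    if scheme != "https":  # plaintext clients get the upgrade message, never data
        return UPGRADE_MSG
    caller = principal_from_token(params.get("token"))
    if caller is None:
        return {"error": "unauthenticated"}
    try:
        requested = int(params.get("userid", caller))
    except (TypeError, ValueError):
        return {"error": "bad request"}
    if requested != caller:
        return {"error": "forbidden"}  # same answer for other users and for ids that do not exist
    user = USERS.get(caller)
    return {"error": "forbidden"} if user is None else dict(user)


def safe_postcomment(params, scheme="https"):
    """The author is taken from the verified token; any userid in the body is ignored."""
    if scheme != "https":
        return UPGRADE_MSG
    caller = principal_from_token(params.get("token"))
    if caller is None:
        return {"error": "unauthenticated"}
    COMMENTS.append({"userid": caller, "text": params["text"]})
    return {"ok": True, "as_user": caller}


def enumerate_emails(handler, token, max_id=10):
    """Replays the post's technique: walk userid 1..max_id and keep every email returned."""
    found = []
    for uid in range(1, max_id + 1):
        resp = handler({"userid": uid, "token": token})
        if "email" in resp:
            found.append(resp["email"])
    return found


if __name__ == "__main__":
    print("vulnerable API leaks:", enumerate_emails(vuln_getprofile, APP_TOKEN))
    print("hardened API as user 2:", enumerate_emails(safe_getprofile, issue_token(2)))
    vuln_postcomment({"userid": 3, "token": APP_TOKEN, "text": "spam"})
    print("vulnerable comment recorded as:", COMMENTS[-1])
    print("hardened comment:", safe_postcomment({"userid": 3, "token": issue_token(2), "text": "hi"}))
```

<p style="text-align: justify; ">Two design points are worth noting. The hardened getprofile answers “forbidden” for another user’s id and for a non-existent id alike, so it cannot be used to learn which ids exist. And because the author of a comment comes from the verified token, the userid field in the comment request becomes dead weight and should be dropped from the API altogether; that is the kind of rewrite the post argues for, as opposed to merely removing fields from the JSON output.</p>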
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on the Google Play store returned a response stating “The email account that you tried to reach is over quota”. I had to get in touch with the authorities via Twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to the authorities on 30 September 2015, around 5:30 AM.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerability:</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">I received a <strong>phone call</strong> from a developer. We discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning, when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s a lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash the app for people running the older versions. The main problem is that <strong>people don’t upgrade to the latest versions, leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it, I think, but it will break for people using older versions, as stated by the developer. Though, the developers have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received an email from one of the developers informing me that they had fixed it. I could not check it at that time as I was busy, but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update, 2 December 2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. As I said before, the vulnerability exists because of how the API has been designed. They released the same patch they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why they would introduce personal information in the JSON output again if they knew that it is a privacy problem and had been reported by me a year ago. He showed how he was able to follow any user while posing as any user. Similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then, he mentioned it would be difficult to migrate users to a newer, secure version of the app, so they were releasing this patch for the meantime. It was more of a backward compatibility issue because of how the API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for the API. That should take care of most of the vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
Author: pranesh. Tags: Privacy, Security, Internet Governance, Data Protection, Cyber Security, Hacking, Mobile Apps, Data Management. Published 2016-12-04T19:08:56Z. Blog Entry.
The Constitutionality of Indian Surveillance Law: Public Emergency as a Condition Precedent for Intercepting Communications
http://editors.cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law
<b>Bedavyasa Mohanty analyses the nuances of interception of communications under the Indian Telegraph Act and the Indian Post Office Act. In this post he explores the historical bases of surveillance law in India and examines whether the administrative powers of intercepting communications are Constitutionally compatible.</b>
<h3>Introduction</h3>
<p style="text-align: justify; ">State-authorised surveillance in India derives its basis from two colonial statutes: §26 of the Indian Post Office Act, 1898 and §5 of the Indian Telegraph Act, 1885 (hereinafter the Act) provide for the interception of postal articles<a href="#_ftn1" name="_ftnref1">[1]</a> and of messages transmitted via telegraph<a href="#_ftn2" name="_ftnref2">[2]</a> respectively. Both sections, which are analogous, provide that the powers laid down therein can only be invoked on the occurrence of a public emergency or in the interest of public safety. The task of issuing orders for the interception of communications is vested in an officer authorised by the Central or the State government. This post examines whether the preconditions set by the legislature for allowing interception act as adequate safeguards. The second part analyses the limits of the discretionary power given to such authorised officers to intercept and detain communications.</p>
<p style="text-align: justify; ">Surveillance by law enforcement agencies constitutes a breach of a citizen’s Fundamental Rights to privacy and to freedom of speech and expression. It must therefore be justified against compelling arguments against violations of civil rights. The right to privacy in India has long been considered too ‘broad and moralistic’<a href="#_ftn3" name="_ftnref3">[3]</a> to be defined judicially. The judiciary, though, has been careful not to assign an unbounded interpretation to it. It has recognised that a breach of privacy has to be balanced against a compelling public interest <a href="#_ftn4" name="_ftnref4">[4]</a> and has to be decided on a careful examination of the facts of each case. In the same breath, Indian courts have also legitimised surveillance by the state as long as such surveillance is neither illegal nor obtrusive and is within bounds <a href="#_ftn5" name="_ftnref5">[5]</a>. While determining what constitutes legal surveillance, courts have rejected “prior judicial scrutiny” as a mandatory requirement and have held that administrative safeguards are sufficient to legitimise an act of surveillance. <a href="#_ftn6" name="_ftnref6">[6]</a></p>
<h3>Conditions Precedent for Ordering Interception</h3>
<p style="text-align: justify; ">§5(2) of the Telegraph Act and §26(2) of the Indian Post Office Act outline a two-tiered test to be satisfied before the interception of telegraphs or postal articles. The first tier consists of conditions sine qua non in the form of an “occurrence of public emergency” or “the interests of public safety.” The second set of requirements under the provisions is “the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence.” While vesting the power of interception in administrative officials, the sections contemplate a legal fiction in which a public emergency exists and interception is in the interest of the sovereignty, integrity or security of the state, or is necessary for the maintenance of public order or of friendly relations with foreign states. The term “public emergency,” however, has not been clearly defined by the legislature or by the courts. It thus vests arbitrary power in a delegated official to order the interception of communications, violating one’s Fundamental Rights.</p>
<h3>Tracing the History of the Expression “Public Emergency”</h3>
<p style="text-align: justify; ">The origins of the laws governing interception can be traced back to English laws of the late 19th century, specifically one that imposed a penalty on a postal officer who delayed or intercepted a postal article.<a href="#_ftn7" name="_ftnref7">[7]</a> This law guided the drafting of the Indian Telegraph Act in 1885, which legitimised interception of communications by the state. The expression “public emergency” appeared in the original Telegraph Act of 1885 and has been adopted in that form in all subsequent renderings of the provisions relating to interception. Despite the contentious and vague nature of the expression, no consensus regarding its interpretation seems to have been arrived at. One of the first post-independence analyses of this provision was undertaken by the Law Commission in 1968. The 38th Law Commission, in its report on the Indian Post Office Act, raised concerns about the constitutionality of the expression. The Law Commission was of the opinion that the term, not having been defined in the Constitution, cannot serve as a reasonable ground for the suspension of Fundamental Rights.<a href="#_ftn8" name="_ftnref8">[8]</a> It further urged that a state of public emergency must be of such a nature that it is not secretive and is apparent to a reasonable man.<a href="#_ftn9" name="_ftnref9">[9]</a> It thus challenged the operation of the Act in its then current form, where the determination of public emergency was at the discretion of a delegated administrative official. The Commission, in conclusion, implored the legislature to amend the laws relating to interception to bring them in line with the Constitution. This led to the Telegraph (Amendment) Act of 1981. Questions regarding the true meaning of the expression and its potential misuse were brought up in both houses of Parliament during the passing of the amendment. The Law Ministry, however, did not issue any additional clarification regarding the terms used in the Act. Instead, the Government claimed that the expressions used in the Act are “exactly those that are used in the Constitution.” <a href="#_ftn10" name="_ftnref10">[10]</a> It may be of interest to note here that the Constitution of India neither uses nor defines the term “public emergency.” Naturally, it is not contemplated as a ground for reasonably restricting the Fundamental Rights provided under Article 19(1). <a href="#_ftn11" name="_ftnref11">[11]</a> Similarly, concerns regarding the potential misuse of the powers were defended with the logically incompatible and factually inaccurate position that the law had not been misused in the past.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<h3>Locating “Public Emergency” within a Proclamation of Emergency under the Constitution (?)</h3>
<p style="text-align: justify; ">Public emergency is not equivalent to a proclamation of emergency under Article 352 of the Constitution, simply because it was first used in legislation over six decades before the drafting of the Indian Constitution began. Besides, orders for the interception of communications have also been passed when the state was not under a proclamation of emergency. Moreover, public emergency is not the only prerequisite prescribed under the Act. §5(2) states that an order for interception can be passed either on the occurrence of a public emergency or in the interest of public safety. Therefore, the thresholds for the satisfaction of the two have to be similar or comparable. If the threshold for public emergency were understood to be as high as a proclamation of emergency, then any order for interception could easily be passed under the guise of public safety, and the public emergency condition would be rendered redundant. Public emergency is therefore a condition separate from a proclamation of emergency.</p>
<p style="text-align: justify; ">In a similar vein the Supreme Court has also clarified<a href="#_ftn13" name="_ftnref13">[13]</a> that terms like “public emergency” and “any emergency,” when used as statutory prerequisites, refer to the occurrence of different kinds of events. These terms cannot be equated with one another merely on the basis of the commonality of one word.</p>
<p style="text-align: justify; ">The Supreme Court in Hukam Chand v. Union of India<a href="#_ftn14" name="_ftnref14">[14]</a> correctly stated that the terms public emergency and public safety must “take colour from each other.” However, the court erred in defining public emergency as a situation that “raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.” This circular definition does not lend any clarity to the interpretive murk surrounding the term. The Act envisages public emergency as a sine qua non that must exist prior to a determination that there is a threat to public order or to the sovereignty and integrity of the state. The court’s interpretation, on the other hand, would suggest that a state of public emergency can be said to exist only when public order or the sovereignty and integrity of the state are already threatened. Therefore, while conditions precedent exist for the exercise of powers under §5(2) of the Act, there are no objective standards against which they are to be tested.</p>
<h3>Interpretation of Threshold Requirements</h3>
<p style="text-align: justify; ">A similar question arose before the House of Lords in Liversidge v. Anderson.<a href="#_ftn15" name="_ftnref15">[15]</a> The case examined the vires of an Act that vested an administrative authority with the conditional power to detain a person if there was reasonable cause to believe that the person was of hostile origin. Therein, Lord Atkin, dissenting from the majority opinion, stated in no uncertain terms that the power vested in the Secretary of State was conditional and not absolute. When a conditional authority is vested in an administrative official but there are no prescriptive guidelines for the determination of the preconditions, the statute has the effect of vesting an absolute power in a delegated official. This view was also upheld by the Supreme Court in State of Madhya Pradesh v. Baldeo Prasad.<a href="#_ftn16" name="_ftnref16">[16]</a> The court was of the opinion that a statute must not only provide adequate safeguards for the protection of innocent citizens but also require the administrative authority to be satisfied as to the existence of the conditions precedent laid down in the statute before making an order. If the statute failed to do so in respect of any condition precedent, then the law suffered from an infirmity and was liable to be struck down as invalid.<a href="#_ftn17" name="_ftnref17">[17]</a> The question of the existence of a public emergency, therefore, being left to the sole determination of an administrative official, is an absolute and arbitrary power and is ultra vires the Constitution.</p>
<p style="text-align: justify; ">Interestingly, in its original unamended form, §5 contained a proviso stating that the determination of a public emergency was the sole authority of the Secretary of State and that such a finding could not be challenged before a court of law. It is this provision that the government repealed through the Telegraph (Amendment) Act of 1981 to bring it in line with Constitutional principles. The preceding discussion shows that the amendment did not have the effect of rectifying the law’s constitutional infirmities. Nonetheless, the original Telegraph Act and its subsequent amendment are vital for understanding the compatibility of surveillance standards with Constitutional principles. The draconian proviso in the original Act vesting absolute powers in an administrative official illustrates that the legislative intent behind the drafting of a 130-year-old law cannot be relied on in today’s context. Vague terms like public emergency that have been thoughtlessly adopted from a draconian law find no place in a state that seeks to guarantee its citizens the rights of free speech and expression.</p>
<h3>Conclusion</h3>
<p style="text-align: justify; ">Interception of communications under the Telegraph Act and the Indian Post Office Act violates not only one’s privacy but also one’s freedom of speech and expression. Besides, orders for the tapping of telephones violate not only the privacy of the individual in question but also that of the person he or she is communicating with. Considering the serious nature of this breach, it is absolutely necessary that the powers enabling such interception are not only constitutionally authorised but also adequately safeguarded. The Fundamental Rights declared by Article 19(1) cannot be curtailed on any ground outside the relevant provisions of Cls. 2-6.<a href="#_ftn18" name="_ftnref18">[18]</a> The restrictive clauses in Cls. (2)-(6) of Article 19 are exhaustive and are to be strictly construed.<a href="#_ftn19" name="_ftnref19">[19]</a> Public emergency is not one of the conditions enumerated under Article 19 for curtailing fundamental freedoms. Moreover, the provision lacks adequate safeguards, vesting absolute discretionary power in a non-judicial administrative authority. Even if one were to ignore the massive potential for misuse of these powers, it is difficult to conceive that the interception provisions would withstand scrutiny of their constitutionality.</p>
<p style="text-align: justify; ">Over the course of the last few years, India has been walking dangerously close to the line that separates it from a totalitarian surveillance state. <a href="#_ftn20" name="_ftnref20">[20]</a> In 2011, India was the third most intrusive state<a href="#_ftn21" name="_ftnref21">[21]</a>, with 1,699 removal requests made to Google; in 2012 that number increased to 2,529<a href="#_ftn22" name="_ftnref22">[22]</a>. The media is abuzz with reports about the Intelligence Bureau wanting Internet Service Providers to log all customer details <a href="#_ftn23" name="_ftnref23">[23]</a> and random citizens being videotaped by the Delhi Police for “looking suspicious.” It becomes essential under these circumstances to ask where the state’s power ends and a citizen’s privacy begins. Most of the information regarding projects like the CMS and the CCTNS is murky and unconfirmed. But under the pretext of national security, government officials have refused to divulge any information regarding the kind of information included within these systems and whether any accountability measures exist. For instance, there have been conflicting statements from various ministers regarding whether the internet would also be under the supervision of the CMS <a href="#_ftn24" name="_ftnref24">[24]</a>. Even more importantly, citizens are unaware of what rights and remedies are available to them in instances of violation of their privacy.</p>
<p style="text-align: justify; ">The intelligence agencies that have been tasked with handling information collected under these systems have not been created under any legislation and are therefore not subject to any parliamentary oversight. Attempts like the Intelligence Services (Powers and Regulation) Bill, 2011 have been shelved and not revisited since their introduction. The intelligence agencies that have been created through executive orders enjoy vast and unbridled powers that make them accountable to no one<a href="#_ftn25" name="_ftnref25">[25]</a>. Before vesting the Indian law enforcement agencies with sensitive information that can be so readily misused, it is essential to ensure that a mechanism to check the use and misuse of that power exists. A three-judge bench of the Supreme Court has recently decided to entertain a Public Interest Litigation aimed at subjecting the intelligence agencies to auditing by the Comptroller and Auditor General of India. But the PIL, even if successful, will only scratch the surface of the wide and unbridled powers enjoyed by the Indian intelligence agencies. The question of the constitutionality of interception powers, however, has not been subjected to as much scrutiny as is necessary. Especially at a time when the government is rumoured to have already obtained the capability for mass dragnet surveillance, such a determination by the Indian courts cannot come soon enough.</p>
<div>
<hr />
<div id="ftn1">
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1">[1]</a> Indian Post Office Act, 1898, § 26</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> Indian Telegraph Act, 1885 § 5(2)</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> PUCL v. Union of India, AIR 1997 SC 568</p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Govind v. State of Madhya Pradesh, (1975) 2 SCC 148</p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> Malak Singh v. State of Punjab &amp; Haryana, AIR 1981 SC 760</p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> <i>Supra</i> note 3</p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7">[7]</a> Law Commission, Indian Post Office Act, 1898 (38<sup>th</sup> Law Commission Report) para 84</p>
</div>
<div id="ftn8">
<p><a href="#_ftnref8" name="_ftn8">[8]</a> ibid</p>
</div>
<div id="ftn9">
<p><a href="#_ftnref9" name="_ftn9">[9]</a> id</p>
</div>
<div id="ftn10">
<p><a href="#_ftnref10" name="_ftn10">[10]</a> <i>Lok Sabha Debates</i>, Minister of Communications, Shri H.N. Bahuguna, August 9, 1972</p>
</div>
<div id="ftn11">
<p><a href="#_ftnref11" name="_ftn11">[11]</a> The Constitution of India, Article 358- Suspension of provisions of Article 19 during emergencies</p>
</div>
<div id="ftn12">
<p><a href="#_ftnref12" name="_ftn12">[12]</a> <i>Lok Sabha Debates</i>, Minister of Communications, Shri H.N. Bahuguna, August 9, 1972</p>
</div>
<div id="ftn13">
<p><a href="#_ftnref13" name="_ftn13">[13]</a> Hukam Chand v. Union of India, AIR 1976 SC 789</p>
</div>
<div id="ftn14">
<p><a href="#_ftnref14" name="_ftn14">[14]</a> ibid</p>
</div>
<div id="ftn15">
<p><a href="#_ftnref15" name="_ftn15">[15]</a> Liversidge v. Anderson [1942] A.C. 206</p>
</div>
<div id="ftn16">
<p><a href="#_ftnref16" name="_ftn16">[16]</a> State of M.P. v. Baldeo Prasad, AIR 1961 (SC) 293 (296)</p>
</div>
<div id="ftn17">
<p><a href="#_ftnref17" name="_ftn17">[17]</a> ibid</p>
</div>
<div id="ftn18">
<p><a href="#_ftnref18" name="_ftn18">[18]</a> Ghosh O.K. v. Joseph E.X., AIR 1963 SC 812; 1963 Supp. (1) SCR 789</p>
</div>
<div id="ftn19">
<p><a href="#_ftnref19" name="_ftn19">[19]</a> Sakal Papers (P) Ltd. v. Union of India, AIR 1962 SC 305 (315); 1962 (3) SCR 842</p>
</div>
<div id="ftn20">
<p style="text-align: justify; "><a href="#_ftnref20" name="_ftn20">[20]</a> <i>See</i> Notable Observations- July to December 2012, Google Transparency Report, available at <a href="http://www.google.com/transparencyreport/removals/government/">http://www.google.com/transparencyreport/removals/government/</a> (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)</p>
</div>
<div id="ftn21">
<p style="text-align: justify; "><a href="#_ftnref21" name="_ftn21">[21]</a> Willis Wee, <i>Google Transparency Report: India Ranks as Third ‘Snoopiest’ Country</i>, July 6, 2011 available at <a href="http://www.techinasia.com/google-transparency-report-india/">http://www.techinasia.com/google-transparency-report-india/</a> (last visited on July 2, 2014)</p>
</div>
<div id="ftn22">
<p style="text-align: justify; "><a href="#_ftnref22" name="_ftn22">[22]</a> <i>See</i> Notable Observations- July to December 2012, Google Transparency Report, available at <a href="http://www.google.com/transparencyreport/removals/government/">http://www.google.com/transparencyreport/removals/government/</a> (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)</p>
</div>
<div id="ftn23">
<p style="text-align: justify; "><a href="#_ftnref23" name="_ftn23">[23]</a> Joji Thomas Philip, <i>Intelligence Bureau wants ISPs to log all customer details, </i>December 30, 2010 <a href="http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps"> http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps </a> (last visited on July 2, 2014)</p>
</div>
<div id="ftn24">
<p style="text-align: justify; "><a href="#_ftnref24" name="_ftn24">[24]</a> Deepa Kurup, <i>In the dark about ‘India’s Prism’</i> June 16, 2013 available at <a href="http://www.thehindu.com/sci-tech/technology/in-the-dark-about-indias-prism/article4817903.ece"> http://www.thehindu.com/sci-tech/technology/in-the-dark-about-indias-prism/article4817903.ece </a></p>
</div>
<div id="ftn25">
<p style="text-align: justify; "><a href="#_ftnref25" name="_ftn25">[25]</a> Saikat Dutta, We, The Eavesdropped May 3, 2010 available at <a href="http://www.outlookindia.com/article.aspx?265191">http://www.outlookindia.com/article.aspx?265191</a> (last visited on July 2, 2014)</p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law'>http://editors.cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law</a>
</p>
Author: bedaavyasa. Tags: Privacy, Internet Governance, Surveillance, surveillance technologies, Security, Article 19(1)(a). Published: 2014-08-04T04:52:42Z. Blog Entry.
Electoral Databases – Privacy and Security Concerns
http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns
<b>In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.</b>
<p style="text-align: justify; ">The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.<a href="#_edn1" name="_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> After due consideration, the ECI has decided to drop the plan.<a href="#_edn2" name="_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a></p>
<p style="text-align: justify; ">The plan to partner with Google led to much apprehension about Google gaining access to the database of 790 million voters, including personal information such as age, place of birth and residence. It could also have gained access to cell phone numbers and email addresses where the voter had chosen to enroll via the online portal on the ECI website. Although the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website, and the publication of electoral rolls is mandated by the law.</p>
<p style="text-align: justify; "><b>Publication of Electoral Rolls</b><br />The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.</p>
<p style="text-align: justify; ">The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document<a href="#_edn3" name="_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> given that the roll is published and can be circulated on the direction of the ECI.</p>
<p style="text-align: justify; ">With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to the general public.<a href="#_edn4" name="_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> In addition, the electoral rolls for the entire country are available on the ECI website.<a href="#_edn5" name="_ednref5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.<a href="#_edn6" name="_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a></p>
<p style="text-align: justify; "><b>Security Concerns</b><br />The Registration of Electors Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when the rolls are distributed in hard copy and their availability is limited. The security risks emerge only after the digitization of the electoral database: digitization allows for uniformity, standardization and centralization of the database, which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.</p>
<p style="text-align: justify; ">In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth in processing power there has been a growth in surveillance capabilities; on this note the article is titled “<i>With Great Computing Power Comes Great Surveillance</i>”.<a href="#_edn7" name="_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized according to arbitrary search terms. The personal information of the voters can be used for good, but it can equally be abused if it falls into the wrong hands. Big data analysis and computing power make it easier to target voters, as bits and pieces of personal information add up to a bigger picture of an individual, a community, etc. This can be considered intrusive on individual privacy since the personal information of every voter is made available in the public domain.</p>
<p style="text-align: justify; ">For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies which have a high population of voters above the age of 65. This would help the authority to set up polling booths at closer locations with special amenities. However, the same database can be used to search for the density of members of a particular community in a ward or constituency based on the name, age and sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.</p>
<p style="text-align: justify; "><b>Current IT laws do not mandate the protection of the electoral database</b><br />A centralized electoral database of the entire country can be considered a critical information infrastructure (CII), given the impact it may have on the election, which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act), CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”<a href="#_edn8" name="_ednref8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> However, the appropriate Government has not notified the electoral database as a protected system<a href="#_edn9" name="_ednref9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a>. Therefore, the information security practices and procedures prescribed for a protected system are not applicable to the electoral database.</p>
<p style="text-align: justify; ">The Information Technology Rules (IT Rules) are also not applicable to electoral databases, <i>per se</i>. Since the ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (<i>hereinafter </i>Reasonable Security Practices Rules) do not apply to electoral databases. Setting aside the fact that the Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of the definition of “personal information”<a href="#_edn10" name="_ednref10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> and should arguably be made subject to the Rules.</p>
<p style="text-align: justify; ">The intent of the ECI for hosting the entire country’s electoral database online <i>inter alia</i> is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”<a href="#_edn11" name="_ednref11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.</p>
<p style="text-align: justify; ">The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />Publication of electoral rolls is a necessary part of the election process. It ensures free and fair elections and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve, because the electronic database may pose a threat to the privacy of voters and also lead to security breaches. It may be argued that the ECI is mandated by the law to publish the electoral database and hence it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent therewith. The appropriate Government should take the necessary steps under the IT Act and notify electoral databases as a protected system.</p>
<p style="text-align: justify; ">It is recommended that the Registration of Electors Rules, 1960 be amended, taking into account the advancement in technology. The Rules should aim at restricting unfettered electronic access to the electoral database and also introduce purpose limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place to regulate the collection, use, storage and processing of databases which are critical to national security.</p>
<div>
<hr align="left" size="1" width="100%" />
<div id="edn1">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref1" name="_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> Pratap Vikram Singh, <i>Post-uproar, EC’s Google tie-up plan may go for a toss</i>, Governance Now, January 7, 2014, available at <a class="external-link" href="http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss">http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss</a></p>
</div>
<div id="edn2">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref2" name="_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a> Press Note No. ECI/PN/1/2014, Election Commission of India, January 9, 2014, available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
<div id="edn3">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref3" name="_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> Section 74, Indian Evidence Act, 1872</p>
</div>
<div id="edn4">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref4" name="_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/the_function.aspx">eci.nic.in/eci_main1/the_function.aspx</a></p>
</div>
<div id="edn5">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref5" name="_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx">http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx</a></p>
</div>
<div id="edn6">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref6" name="_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a> “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010, available at <a class="external-link" href="http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf">eci.nic.in/eci_main/eroll&epic/ins06012010.pdf</a></p>
</div>
<div id="edn7">
<p class="MsoEndnoteText"><a href="#_ednref7" name="_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> <a class="external-link" href="http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/">http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/</a></p>
</div>
<div id="edn8">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref8" name="_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> Section 70, Information Technology Act, 2000</p>
</div>
<div id="edn9">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref9" name="_edn9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure</p>
</div>
<div id="edn10">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref10" name="_edn10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
</div>
<div id="edn11">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref11" name="_edn11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> Press Note No. ECI/PN/1/2014, Election Commission of India, January 9, 2014, available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns'>http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns</a>
</p>
Author: snehashish. Tags: Digital Governance, Privacy, Cybersecurity, Data Protection, Internet Governance, Safety, Information Technology, Cyber Security, Security, e-Governance, Transparency, Politics, E-Governance. Published: 2014-01-16T11:07:21Z. Blog Entry.
IT Act and Commerce
http://editors.cis-india.org/internet-governance/blog/it-act-and-commerce
<b>This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India. In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.</b>
<p>This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).</p>
<h2>Definitions</h2>
<p>The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:</p>
<h3>Computer Network</h3>
<p>The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.</p>
<h3>Communication Devices</h3>
<p>The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.</p>
<p>There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.</p>
<h2>Electronic Signatures</h2>
<p>One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.</p>
<p>The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).</p>
<h3>Replacement of Digital Signatures</h3>
<p>The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.</p>
<p>Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable. </p>
<p>The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.</p>
<h3>Dual Requirement</h3>
<p>One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.</p>
<p>Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.</p>
<h3>Emphasis on Digital Signatures</h3>
<p>Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures. </p>
<p>It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.</p>
<h3>Certifying Authorities</h3>
<p>The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.</p>
<h3>Impact on Other Statutes</h3>
<p>Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.</p>
<h2>Data Protection</h2>
<p>Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.</p>
<h3>Data under the IT Act 2000</h3>
<p>The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.</p>
<h3>Data under the IT Act 2008</h3>
<p>Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.</p>
<h3>The Civil Remedies for Data Protection</h3>
<p>The newly introduced Section 43-A reads as follows:</p>
<blockquote>
<p>Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.</p>
<p>Explanation - For the purposes of this section:</p>
<p>(i) “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</p>
<p>(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and</p>
<p>(iii) “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.</p>
</blockquote>
<p>While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.</p>
<h3>Non-Electronic Data</h3>
<p>In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.</p>
<p>It could be argued that, given the legislative focus of this statute (it has been called the Information Technology Act for a reason), it would be inappropriate to include within it protection for forms of data that do not relate to the digital or electronic medium. While that argument is valid, many who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has faced all these years must temper their enthusiasm, as these new provisions merely provide solutions for electronic data.</p>
<h3>Classification of Data</h3>
<p>Most international data protection statutes distinguish between different levels of personal data, specifying different levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, it receives a different level of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject.</p>
<p>The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.</p>
<h3>Consequences</h3>
<p>Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated. </p>
<p>However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.</p>
<h3>Negligence in Implementing Security Practices</h3>
<p>Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.</p>
<p>There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.</p>
<h3>Wrongful Loss and Gain</h3>
<p>The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.</p>
<p>Apart from the slight ambiguity as to purpose that their criminal-law origin introduces, the use of these terms in the IT Act does not appear to carry any greater significance.</p>
<h3>Limitation on Liability</h3>
<p>The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.</p>
<h3>Reasonable Security Practices and Procedures</h3>
<p>Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:</p>
<ul><li>By agreement;</li><li>By law; and</li><li>By prescription by the Central Government.</li></ul>
<p>As there is no law in India which sets out an appropriate definition for the term, and since it will be some time before the Central Government comes out with the necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.</p>
<p>As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.</p>
<h3>The Criminal Remedies for Unlawful Disclosure of Information</h3>
<p>In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.</p>
<p>Section 72-A reads:</p>
<blockquote>
<p>Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.</p>
</blockquote>
<p>In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.</p>
<h3>Personal Information</h3>
<p>The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.</p>
<h3>"Willful"</h3>
<p>The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.</p>
<h3>Service Contracts</h3>
<p>The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.</p>
<h3>Consent</h3>
<p>This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.</p>
<p>Such clauses are made effective around the world by including opt-in and opt-out provisions, which allow the employee either to expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.</p>
<h3>Media of Material</h3>
<p>This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.</p>
<h3>What’s Missing</h3>
<p>In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent on these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to another corporate entity for processing. Within these specific parameters the statute works well. However, it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/it-act-and-commerce'>http://editors.cis-india.org/internet-governance/blog/it-act-and-commerce</a>
</p>
<p>Author: pranesh. Published: 2011-08-02. Blog Entry. Tags: IT Act, Digital Governance, Data Protection, Authentication, Security.</p>