The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar
http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar
<b>Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.</b>
<p style="text-align: justify; ">In this report, we identify the different external actors that influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report <a href="http://editors.cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa" class="internal-link">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar'>http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar</a>
</p>
No publisherShruti Trikanad and Vrinda BhandariSurveillanceAadhaarInternet GovernancePrivacy2022-08-09T08:17:32ZBlog EntryRethinking Acquisition of Digital Devices by Law Enforcement Agencies
http://editors.cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies
<b>This article has been selected as a part of The Right to Privacy and the Legality of Surveillance series organized in collaboration with the RGNUL Student Research Review (RSRR) Journal.</b>
<p>Read the article originally published in <a class="external-link" href="https://rsrr.in/blog/">RGNUL Student Research Review (RSRR) Journal </a></p>
<hr />
<p><strong>Abstract</strong></p>
<p style="text-align: justify;">The Criminal Procedure Code was created in the 1970s when the concept of the right to privacy was highly unacknowledged. Following the <em>Puttuswamy</em> <em>I </em>(2017) judgement of the Supreme Court affirming the right to privacy, these antiquated codes must be re-evaluated. Today, the police can acquire digital devices through summons and gain direct access to a person’s life, despite the summons mechanism having been intended for targeted, narrow enquiries. Once in possession of a device, the police attempt to circumvent the right against self-incrimination by demanding biometric passwords, arguing that the right does not cover biometric information . However, due to the extent of information available on digital devices, courts ought to be cautious and strive to limit the power of the police to compel such disclosures, taking into consideration the <em>right to privacy</em> judgement.</p>
<p><strong>Keywords: </strong>Privacy, Criminal Procedural Law, CrPc, Constitutional Law</p>
<p><strong>Introduction<em></em></strong></p>
<p style="text-align: justify;">New challenges confront the Indian criminal investigation framework, particularly in the context of law enforcement agencies (LEAs) acquiring digital devices and their passwords. Criminal procedure codes delimiting police authority and procedures were created before the widespread use of digital devices and are no longer pertinent to the modern age due to the magnitude of information available on a single device. A single device could provide more information to LEAs than a complete search of a person’s home; yet, the acquisition of a digital device is not treated with the severity and caution it deserves. Following the affirmation of the right to privacy in <em>Puttuswamy I </em>(2017), criminal procedure codes must be revamped, taking into consideration that the acquisition of a person’s digital device constitutes a major infringement on their right to privacy.</p>
<p><strong>Acquisition of digital devices by LEAs through summons</strong></p>
<p style="text-align: justify;"><a href="https://www.indiacode.nic.in/bitstream/123456789/15272/1/the_code_of_criminal_procedure%2C_1973.pdf">Section 91 of the Criminal Procedure Code</a> (CrPc) grants powers to a court or police officer in charge of a police station to compel a person to produce any form of document or ‘thing’ necessary and desirable to a criminal investigation. In <a href="https://indiankanoon.org/doc/1395576/"><em>Rama Krishna v State</em></a>,<em> </em>‘necessary’ and ‘desirable’ have been interpreted as any piece of evidence relevant to the investigation or a link in the chain of evidence. <a href="https://deliverypdf.ssrn.com/delivery.php?ID=040088020003014069081068085012117023096031065012091090091115088031084097097081123000002033027047006112028087095120074083084003037094022080065067076089116106115025106025062083007085091067067124080091064096069093075026018100087109120024076084123086119022&EXT=pdf&INDEX=TRUE">Abhinav Sekhri</a>, a criminal law litigator and writer, has argued that the wide wording of this section allows summons to be directed towards the retrieval of specific digital devices.</p>
<p style="text-align: justify;">As summons are target-specific, the section has minimal safeguards. However, several issues arise in the context of summons regarding digital devices. In the current day, access to a user’s personal device can provide comprehensive insight into their life and personality due to the vast amounts of private and personal information stored on it. In <a href="https://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf"><em>Riley v California</em></a>, the Supreme Court of the United States (SCOTUS) observed that due to the nature of the content present on digital devices, summons for them are equivalent to a roving search, i.e., demanding the simultaneous production of all contents of the home, bank records, call records, and lockers. The <em>Riley</em> decision correctly highlights the need for courts to recognise that digital devices ought to be treated distinctly compared to other forms of physical evidence due to the repository of information stored on digital devices.</p>
<p style="text-align: justify;">The burden the state must surpass in order to issue summons is low as the relevancy requirement is easily provable. As noted in <a href="https://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf"><em>Riley</em></a>, police must identify which evidence on a device is relevant. Due to the sheer amount of data on phones, it is very easy for police to claim that there will surely be some form of connection between the content on the device and the case. Due to the wide range of offences available for Indian LEAs to cite, it is easy for them to argue that the content on the device is relevant to any number of possible offences. LEAs rarely face consequences for slamming the accused with a huge roster of charges – even if many of them are baseless – leading to the system being prone to abuse. The Indian Supreme Court in its judgement in <a href="https://indiankanoon.org/doc/1068532/"><em>Canara Bank</em></a> noted that the burden of proof must be higher for LEAs when investigations violate the right to privacy. <a href="https://www.ijlt.in/_files/ugd/066049_03e4a2b28a5e49f6a59b861aa4554ede.pdf">Tarun Krishnakumar</a> notes that the trickle-down effect of <em>Puttuswamy I</em> will lead to new privacy challenges with regards to a summons to appear in court. <em>Puttuswamy I</em>, will provide the bedrock and constitutional framework, within which future challenges to the criminal process will be undertaken. It is important for the court to recognise the transformative potential within the <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy</em></a> judgement to help ensure that the right to privacy of citizens is safeguarded. The colonial logic of policing – wherein criminal procedure law was merely a tool to maximise the interest of the state at the cost of the people – must be abandoned. Courts ought to devise a framework under Section 91 to ensure that summons are narrowly framed to target specific information or content within digital devices. Additionally, the digital device must be collected following a judicial authority issuing the summons and not a police authority. Prior judicial warrants will require LEAs to demonstrate their requirement for the digital device; on estimating the impact on privacy, the authority can issue a suitable summons. Currently, the only consideration is if the item will furnish evidence relevant to the investigation; however, judges ought to balance the need for the digital device in the LEA’s investigation with the users’ right to privacy, dignity, and autonomy.</p>
<p style="text-align: justify;"><a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy I</em></a><em> </em>provides a triple test encompassing legality, necessity, and proportionality to test privacy claims. Legality requires that the measure be prescribed by law, necessity analyses if it is the least restrictive means being adopted by the state, and proportionality checks if the objective pursued by the measure is proportional to the degree of infringement of the right. The relevance standard, as mentioned before, is inadequate as it does not provide enough safeguards against abuse. The police can issue summons based on the slightest of suspicions and thus get access to a digital device, following which they can conduct a roving enquiry of the device to find evidence of any other offence, unrelated to the original cause of suspicion.</p>
<p style="text-align: justify;">Unilateral police summons of digital devices cannot pass the triple test as it is grossly disproportionate and lacks any form of safeguard against the police. The current system has no mechanism for overseeing the LEAs; as long as LEAs themselves are of the view that they require the device, they can acquire it. In <a href="https://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf"><em>Riley</em></a>, SCOTUS has already held that warrantless seizure of digital devices constitutes a violation of the right to privacy. India ought to also adopt a requirement of a prior judicial warrant for the procurement of devices by LEAs. A re-imagined criminal process would have to abide by the triple test in particular proportionality wherein the benefit claimed by the state ought not to be disproportionate to the impact on the fundamental right to privacy; and further, a framework must be proposed to provide safeguards against abuse.</p>
<p><strong>Compelling the production of passwords of devices</strong></p>
<p style="text-align: justify;">In police investigations, gaining possession of a physical device is merely the first step in acquiring the data on the device, as the LEAs still require the passcodes needed to unlock the device. LEAs compelling the production of passcodes to gain access to potentially incriminating data raises obvious questions regarding the right against self-incrimination; however, in the context of digital devices, several privacy issues may crop up as well.</p>
<p style="text-align: justify;">In <a href="https://main.sci.gov.in/judgment/judis/4157.pdf"><em>Kathi Kalu Oghad</em></a>, the SC held that compelling the production of fingerprints of an accused person to compare them with fingerprints discovered by the LEA in the course of their investigation does not violate the right to protection against self-incrimination of the accused. <a href="https://lawschoolpolicyreview.com/2019/10/16/biometrics-as-passwords-the-slippery-scope-of-self-incrimination/">It has been argued</a> that the ratio in the judgement prohibits the compelling of disclosure of passwords and biometrics for unlocking devices because <a href="https://main.sci.gov.in/judgment/judis/4157.pdf"><em>Kathi Kalu Oghad</em></a> only dealt with the production of fingerprints in order to compare the fingerprints with pre-existing evidence, as opposed to unlocking new evidence by utilising the fingerprint. However, the judgement deals with self-incrimination and does not address any privacy issues.</p>
<p style="text-align: justify;">The right against self-incrimination approach alone may not be enough to resolve all concerns. Firstly, there may be varying levels of protection provided to different forms of password protections on digital devices; text- and pattern-based passcodes are inarguably protected under Art. 20(3) of the Constitution. However, the protection of biometrics-based passcodes relies upon the correct interpretation of the <a href="https://main.sci.gov.in/judgment/judis/4157.pdf"><em>Kathi Kalu Oghad</em></a> precedent. Secondly, Art. 20(3) only protects the accused in investigations and not when non-accused digital devices are acquired by LEAs and the passcodes of the devices demanded.</p>
<p style="text-align: justify;">Therefore, considering the aforementioned points, it is pertinent to remember that the right against self-incrimination does not exist in a vacuum separate from privacy. It originates from the concept of decisional autonomy – the right of individuals to make decisions about matters intimate to their life without interference from the state and society. <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy I</em></a> observed that decisional autonomy is the bedrock of the right to privacy, as privacy allows an individual to make these intimate decisions away from the glare of society and/or the state. This has heightened importance in this context as interference with such autonomy could lead to the person in question facing criminal prosecution. The SC in <a href="https://main.sci.gov.in/jonew/judis/36303.pdf"><em>Selvi v Karnataka</em></a><em> </em>and <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy I</em></a> has repeatedly affirmed that the right against self-incrimination and the right to privacy are linked concepts, with the court observing that the right to remain silent is an integral aspect of decisional autonomy.</p>
<p style="text-align: justify;">In <a href="http://karnatakajudiciary.kar.nic.in:8080/repository/rep_judgmentcase.php"><em>Virendra Khanna</em></a>, the Karnataka High Court (HC) dealt with the privacy and self-incrimination concerns caused by LEAs compelling the disclosure of passwords. The HC brushes aside concerns related to privacy by noting that the right to privacy is not absolute and that an exception to the right to privacy is state interest and protection of law and order (para 5.11), and that unlawful disclosure of material to third parties could be an actionable wrong (para 15). The court’s interpretation of privacy effectively provides a free pass for the police to interfere with the right to privacy under the pretext of a criminal investigation. This conception of privacy is inadequate as the issue of proportionality is avoided, and the court does not attempt to ensure that the interference is proportionate with the outcome.</p>
<p style="text-align: justify;">US courts also see the compelling of production of passcodes as an issue of self-incrimination as well as privacy. In its judgement in <a href="https://casetext.com/case/in-re-application-for-a-search-warrant?__cf_chl_f_tk=lTxiJpZIvKfkIBtGQJtMObSmqhdRUZdjGk5hXeMfprQ-1642253001-0-gaNycGzNCJE"><em>Application for a Search Warrant</em></a>, a US court observed that compelling the disclosure of passcodes existed at an intersection of the right to privacy and self-incrimination; the right against self-incrimination serves to protect the privacy interests of suspects.</p>
<p style="text-align: justify;">Disclosure of passwords to digital devices amounts to an intrusion of the privacy of the suspect as the collective contents on the digital device effectively amount to providing LEAs with a method to observe a person’s mind and identity. Police investigative techniques cannot override fundamental rights and must respect the personal autonomy of suspects – particularly, the choice between silence and speech. Through the production of passwords, LEAs can effectively get a snapshot of a suspect’s mind. This is analogous to the polygraph and narco-analysis test struck down as unconstitutional by the SC in <a href="https://main.sci.gov.in/jonew/judis/36303.pdf"><em>Selvi</em></a> as it violates decisional autonomy.</p>
<p style="text-align: justify;">As <a href="https://theproofofguilt.blogspot.com/2021/03/mobile-phones-and-criminal.html">Sekhri</a> noted, a criminal process that reflects the aspirations of the <em>Puttuswamy </em>judgement would require LEAs to first explain with reasonable detail the material which they wish to find in the digital devices. Secondly, they must provide a timeline for the investigation to ensure that individuals are not subjected to inexhaustible investigations with police roving through their devices indefinitely. Thirdly, such a criminal process must demand, a higher burden to be discharged from the state if the privacy of the individual is infringed upon. These aspirations should form the bedrock of a system of judicial warrants that LEAs ought to be required to comply with if they wish to compel the disclosure of passwords from individuals. The framework proposed above is similar to the <a href="http://karnatakajudiciary.kar.nic.in:8080/repository/rep_judgmentcase.php"><em>Virendra Khanna</em></a><em> </em>guidelines, as they provide a system of checks and balances that ensure that the intrusion on privacy is carried out proportionately; additionally, it would require LEAs to show a real requirement to demand access to the device. The independent eyes of a judicial magistrate provide a mechanism of oversight and a check against abuse of power by LEAs.</p>
<p><strong>Conclusion</strong></p>
<p style="text-align: justify;">The criminal law apparatus is the most coercive power available to the state, and, therefore, privacy rights will become meaningless unless they can withstand it. Several criminal procedures in the country are rooted in colonial statutes, where the rights of the populace being policed were never a consideration; hence, a radical shift is required. However, post-1947 and <em>Puttuswamy</em>, the ignorance and refusal to submit to the rights of the population can no longer be justified and significant reformulation is necessary to guarantee meaningful protections to device owners. There is a need to ensure that the rights of individuals are protected, especially when the motivation for their infringement is the supposed noble intentions of the criminal justice system. Failing to defend the right to privacy in these moments would be an invitation for allowing the power of the state to increase and inevitably become absolute.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies'>http://editors.cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies</a>
</p>
No publisherHarikartik RameshSurveillanceInternet GovernancePrivacy2022-05-02T09:27:54ZBlog EntryResponse to the Pegasus Questionnaire issued by the SC Technical Committee
http://editors.cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee
<b>On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.</b>
<p style="text-align: justify; ">The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available <a class="external-link" href="https://pegasus-india-investigation.in/invitation-to-comment/-">here</a>. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the <b><a href="http://editors.cis-india.org/internet-governance/response-to-the-pegasus-investigation" class="internal-link">Response to the Questionnaire</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee'>http://editors.cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee</a>
</p>
No publisherAnamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi BediIT ActSurveillanceInternet GovernancePrivacy2022-04-13T14:45:41ZBlog EntryGender, Health, & Surveillance in India - A Panel Discussion
http://editors.cis-india.org/raw/gender-health-surveillance-in-india-panel-discussion
<b>Women and LGBTHIAQ-identifying persons face intensive and varied forms of surveillance as they access reproductive health systems. Increasingly, these systems are also undergoing rapid digitisation. The panel was set-up to discuss the discursive, experiential and policy implications of these data-intensive developments on access to public health and welfare systems by women and LGBTHIAQ-identifying persons in India. The panelists presented studies undertaken as part of two projects at CIS, one of which is supported by Privacy International, UK, and the other by Big Data for Development network established by International Development Research Centre, Canada.</b>
<p> </p>
<h4>Event note and agenda: <a href="https://cis-india.org/raw/files/gender-health-surveillance-in-india-panel-agenda" target="_blank">Read</a> (PDF)</h4>
<h4>Recording of the discussion: <a href="https://www.youtube.com/watch?v=QgYxcD3NUuo" target="_blank">Watch</a> (YouTube)</h4>
<hr />
<iframe src="https://www.youtube-nocookie.com/embed/QgYxcD3NUuo" frameborder="0" height="315" width="560"></iframe>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/gender-health-surveillance-in-india-panel-discussion'>http://editors.cis-india.org/raw/gender-health-surveillance-in-india-panel-discussion</a>
</p>
No publisherAayush Rathi and Ambika TandonData SystemsRAW EventsGenderReproductive and Child HealthSurveillanceResearchers at WorkEvent2020-12-23T14:03:13ZBlog EntryUnpacking video-based surveillance in New Delhi
http://editors.cis-india.org/raw/unpacking-video-based-surveillance-in-new-delhi-urban-data-justice
<b>Aayush Rathi and Ambika Tandon presented at an international workshop on 'Urban Data, Inequality and Justice in the Global South', on 14 June 2019, at the University of Manchester. The agenda for the workshop and the slides from the presentation by Aayush and Ambika are available below.</b>
<p> </p>
<h4>Agenda of the workshop: <a href="https://github.com/cis-india/website/raw/master/docs/UDJWorkshop2019_Timetable.docx">Download</a> (DOCX)</h4>
<h4>Slides from the presentation: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_AayushAmbika_UDJWorkshop2019_Slides.pdf">Download</a> (PDF)</h4>
<hr />
<p>The aim of the workshop was to present findings from case studies on urban data justice commissioned by the Sustainable Consumption Institute and Centre for Development Informatics at the University of Manchester, on aspects of justice in data systems in cities across the world. Aayush and Ambika presented their study on video-based surveillance in New Delhi, which was conducted across a period of 3 months earlier this year. The study aimed to assess the extent to which CCTV surveillance systems in Delhi support the needs of women in the city, including lower class women and those from informal settlements. The study will be published as a working paper by the University of Manchester in the coming months.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/unpacking-video-based-surveillance-in-new-delhi-urban-data-justice'>http://editors.cis-india.org/raw/unpacking-video-based-surveillance-in-new-delhi-urban-data-justice</a>
</p>
No publisherAayush Rathi and Ambika TandonBig DataData JusticeSurveillanceFeaturedUrban Data JusticeResearchResearchers at Work2019-06-20T05:13:25ZBlog EntryWorkshop on 'Urban Data, Inequality and Justice in the Global South'
http://editors.cis-india.org/internet-governance/news/workshop-on-urban-data-inequality-and-justice-in-the-global-south
<b>Aayush Rathi and Ambika Tandon presented our research on video-based surveillance in New Delhi at a workshop on urban data, inequality, and justice in the global South at the University of Manchester on 14 June 2019.</b>
<p style="text-align: justify; ">The agenda for the workshop and the presentations made by CIS can be <a class="external-link" href="https://cis-india.org/raw/unpacking-video-based-surveillance-in-new-delhi-urban-data-justice">accessed here</a>. <span>The research was conducted as part of a grant from the University, as part of a project on justice in data systems within cities. It will bepublished as a working paper by the university in July-August.</span></p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/workshop-on-urban-data-inequality-and-justice-in-the-global-south'>http://editors.cis-india.org/internet-governance/news/workshop-on-urban-data-inequality-and-justice-in-the-global-south</a>
</p>
No publisherAdminSurveillanceInternet GovernancePrivacy2019-07-06T01:30:16ZNews ItemCIS Submission to the UN Special Rapporteur on Freedom of Speech and Expression: Surveillance Industry and Human Rights
http://editors.cis-india.org/internet-governance/blog/cis-submission-to-the-un-special-rapporteur-on-freedom-of-speech-and-expression-surveillance-industry-and-human-rights
<b>CIS responded to the call for submissions from the UN Special Rapporteur on Freedom of Speech and Expression. The submission was on the Surveillance Industry and Human Rights.</b>
<p>CIS is grateful for the opportunity to submit the United Nations (UN) Special Rapporteur on call for submissions on the surveillance industry and human rights.1 Over the last decade, CIS has worked extensively on research around state and private surveillance around the world. In this response, individuals working at CIS wish to highlight these programs, with a special focus on India.</p>
<p>The response can be accessed <a href="https://cis-india.org/internet-governance/resources/the-surveillance-industry-and-human-rights.pdf">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cis-submission-to-the-un-special-rapporteur-on-freedom-of-speech-and-expression-surveillance-industry-and-human-rights'>http://editors.cis-india.org/internet-governance/blog/cis-submission-to-the-un-special-rapporteur-on-freedom-of-speech-and-expression-surveillance-industry-and-human-rights</a>
</p>
No publisherElonnai Hickok, Arindrajit Basu, Gurshabad Grover, Akriti Bopanna, Shweta Mohandas, Martyna KalvaityteHuman RightsInternet GovernanceSurveillance2019-02-20T10:48:24ZBlog EntryData Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?
http://editors.cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india
<b>In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state. </b>
<p> </p>
<p><em>The article was first published by <a href="https://www.epw.in/engage/article/data-infrastructures-inequities-why-does-reproductive-health-surveillance-india-need-urgent-attention" target="_blank">EPW Engage, Vol. 54, Issue No. 6</a>, on 9 February 2019.</em></p>
<hr />
<h3><strong>Framing Reproductive Health as a Surveillance Question</strong></h3>
<p>The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).</p>
<p>This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).</p>
<p>While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.</p>
<p>Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.</p>
<p>In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.</p>
<h3><strong>Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric</strong></h3>
<p>Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.</p>
<p>The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).</p>
<p>The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).</p>
<p>A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.</p>
<p>Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.</p>
<h3><strong>Potential Harms of the Data Model of Reproductive Health Provisioning</strong></h3>
<p>Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.</p>
<p>Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.<sup>[1]</sup> For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.</p>
<p>What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.</p>
<p>While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”</p>
<h3><strong>Towards a Networked State and a Neo-liberal Citizen</strong></h3>
<p>Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).</p>
<p>These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.<sup>[2]</sup> The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).<sup>[3]</sup> The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).</p>
<p>The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).</p>
<h3><strong>“Quantified Self” of the Neo-liberal Citizen</strong></h3>
<p>Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).</p>
<p>As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).</p>
<p style="text-align: justify;">This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.</p>
<p>Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.</p>
<h3><strong>Concluding Remarks</strong></h3>
<p>The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.</p>
<p>The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india'>http://editors.cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india</a>
</p>
No publisherAayush Rathi and Ambika TandonBig DataData SystemsPrivacyResearchers at WorkInternet GovernanceResearchBD4DHealthcareSurveillanceBig Data for Development2019-12-30T16:44:32ZBlog EntryRegulating the Internet: The Government of India & Standards Development at the IETF
http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf
<b>The institution of open standards has been described as a formidable regulatory regime governing the Internet. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.</b>
<p>This brief was authored by Aayush Rathi, Gurshabad Grover and Sunil Abraham. Click <a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet">here</a> to download the policy brief.</p>
<hr />
<h2>Executive Summary</h2>
<div> </div>
<p style="text-align: justify;">The institution of open standards has been described as a formidable regulatory regime governing the Internet. As the Internet has moved to facilitate commerce and communication, governments and corporations find greater incentives to participate and influence the decisions of independent standards development organisations.</p>
<p style="text-align: justify;">While most such bodies have attempted to systematise fair and transparent processes, this brief highlights how they may still be susceptible to compromise. Documented instances of large private companies like Microsoft, and governmental instrumentalities like the US National Security Agency (NSA) exerting disproportionate influence over certain technical standards further the case for increased Indian participation.</p>
<p style="text-align: justify;">The debate around Transport Layer Security (TLS) 1.3 at the Internet Engineering Task Force (IETF) forms an important case for studying how a standards body responded to political developments, and how the Government of India participated in the ensuing discussions. Lasting four years, the debate ended in favour of greater communications security. One of the security improvements in TLS 1.3 over its predecessor is that is makes less information available to networking middleboxes. Considering that Indian intelligence agencies and government departments have expressed fears of foreign-manufactured networking equipment being used by foreign intelligence to eavesdrop on Indian networks, the development is potentially favourable for the security of Indian communication in general, and the security of military and intelligence systems in particular. India has historically procured most networking equipment from foreign manufacturers. While there have been calls for indigenised production of such equipment, achieving these objectives will necessarily be a gradual process. Participating in technical standards can, then, be an effective interim method for intelligence agencies, defence wings and law enforcement for establishing trust in critical networking infrastructure sourced from foreign enterprises.</p>
<p style="text-align: justify;">Outlining some of the existing measures the Indian government has put in place to build capacity for and participate in standard setting, this brief highlights that while these are useful starting points, they need to be harmonised and strengthened to be more fruitful. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.</p>
<hr />
<p>Click <a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet">here</a> to download the policy brief.</p>
<p style="text-align: justify;">Note: The recommendations in the brief were updated on 17 December 2018 to reflect the relevance of technical standard-setting in the recent discussions around Indian intelligence concerns about foreign-manufactured networking equipment.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf'>http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf</a>
</p>
No publisherAayush Rathi, Gurshabad Grover and Sunil AbrahamOpen StandardsCryptographyCybersecurityInternet GovernanceSurveillanceIETFEncryption Policy2019-01-22T07:29:39ZBlog EntrySurveillance Stories: Optimizing rights and governance
http://editors.cis-india.org/internet-governance/news/surveillance-stories-optimizing-rights-and-governance
<b>Sunil Abraham gave a talk at the National Centre for Biological Sciences, Tata Institute of Fundamental Research, Bangalore on October 16, 2018. Sunil used a series of stories to explain how surveillance works and fails in the context of theft, murder, insider trading, terrorism, demonetization and encounter killings. </b>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Abraham.jpg/@@images/27cd9d50-b82d-4556-aad2-431d99174b07.jpeg" alt="Surveillance Talk" class="image-inline" title="Surveillance Talk" /></p>
<p style="text-align: justify; ">These stories were used to explore multiple technical solutions for solving the “surveillance optimization problem”. Policy makers have to simultaneously maximize various rights — the right to privacy, the right to transparency, the right to free speech — and uphold the imperatives of the nation state: national security, law enforcement and effective governance. <br /> <br />Two decades ago, Lawrence Lessig introduced a socioeconomic theory of regulation called the ‘pathetic dot theory’, which discusses how individuals in a society are regulated by four forces — law, code or technical infrastructure, market and social norms. The talk will explore how these four regulatory options contribute to solving the surveillance optimization problem.</p>
<hr />
<p style="text-align: justify; ">This was published on the website of <a class="external-link" href="https://www.ncbs.res.in/events/apls-20181016-surveillance-abraham">National Centre for Biological Sciences</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/surveillance-stories-optimizing-rights-and-governance'>http://editors.cis-india.org/internet-governance/news/surveillance-stories-optimizing-rights-and-governance</a>
</p>
No publisherAdminSurveillanceInternet GovernancePrivacy2018-10-31T01:39:56ZNews ItemWhy Data Localisation Might Lead To Unchecked Surveillance
http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance
<b>In recent times, there has been a rash of policies and regulations that propose that the data that Indian entities handle be physically stored on servers in India, in some cases exclusively. In other cases, only a copy needs to be stored.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.bloombergquint.com/opinion/why-data-localisation-might-lead-to-unchecked-surveillance">Bloomberg Quint</a> on October 15, 2018 and also mirrored in the <a class="external-link" href="https://www.thequint.com/voices/opinion/why-data-localisation-might-lead-to-unchecked-surveillance">Quint</a>.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In April 2018, the Reserve Bank of India put out a<a href="https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0" target="_blank"> circular </a>requiring that all “data relating to payment systems operated by them are stored in a system only in India” <a href="https://www.bloombergquint.com/business/rbi-sticks-to-oct-15-deadline-for-data-localisation" target="_blank">within six months</a>. Lesser requirements have been imposed on all Indian companies’ accounting data since 2014 (the back-up of the books of account and other books that are stored electronically must be stored in India, the broadcasting sector under the Foreign Direct Investment policy, must locally store subscriber information, and the telecom sector under the Unified Access licence, may not transfer their subscriber data outside India).</p>
<p style="text-align: justify; ">The draft e-commerce policy has a wide-ranging requirement of exclusive local storage for “community data collected by Internet of Things devices in public space” and “data generated by users in India from various sources including e-commerce platforms, social media, search engines, etc.”, as does the draft e-pharmacy regulations, which stipulate that “the data generated” by e-pharmacy portals be stored only locally.</p>
<p style="text-align: justify; ">While companies such as Airtel, Reliance, PhonePe (majority-owned by Walmart) and Alibaba, have spoken up in support the government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it.</p>
<p style="text-align: justify; ">Just this week, two U.S. Senators <a href="https://www.bloombergquint.com/business/us-senators-write-to-pm-modi-seek-soft-stance-on-indias-data-localisation" target="_blank">wrote to</a> the Prime Minister’s office arguing that the RBI’s data localisation regulations along with the proposals in the draft e-commerce and cloud computing policies are “key trade barriers”. In her dissenting note to the Srikrishna Committee's report, Rama Vedashree of the Data Security Council of India notes that, “mandating localisation may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM (information technology-business process management) industry.”</p>
<h2 style="text-align: justify; ">Justification For Data Localisation</h2>
<p style="text-align: justify; ">What are the reasons for these moves towards data localisation?</p>
<blockquote style="text-align: justify; ">Given the opacity of policymaking in India, many of the policies and regulations provide no justification at all. Even the ones that do, don’t provide cogent reasoning.</blockquote>
<p style="text-align: justify; ">The RBI says it needs “unfettered supervisory access” and hence needs data to be stored in India. However, it fails to state why such unfettered access is not possible for data stored outside of India.</p>
<blockquote style="text-align: justify; ">As long as an entity can be compelled by Indian laws to engage in local data storage, that same entity can also be compelled by that same law to provide access to their non-local data, which would be just as effective.</blockquote>
<p style="text-align: justify; ">What if they don’t provide such access? Would they be blacklisted from operating in India, just as they would if they didn’t engage in local data storage? Is there any investigatory benefit to storing data in India? As any data forensic expert would note, chain of custody and data integrity are what are most important components of data handling in fraud investigation, and not physical access to hard drives. It would be difficult for the government to say that it will block all Google services if the company doesn’t provide all the data that Indian law enforcement agencies request from it. However, it would be facile for the RBI to bar Google Pay from operating in India if Google doesn’t provide it “unfettered supervisory access” to data.</p>
<p style="text-align: justify; ">The most exhaustive justification of data localisation in any official Indian policy document is that contained in the <a href="http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf" target="_blank">Srikrishna Committee’s report</a> on data protection. The report argues that there are several benefits to data localisation:</p>
<ol style="text-align: justify; ">
<li>Effective enforcement,</li>
<li>Avoiding reliance on undersea cables,</li>
<li>Avoiding foreign surveillance on data stored outside India,</li>
<li>Building an “Artificial Intelligence ecosystem”</li>
</ol>
<p style="text-align: justify; ">Of these, the last three reasons are risible.</p>
<h2 style="text-align: justify; ">Not A Barrier To Surveillance</h2>
<p style="text-align: justify; ">Requiring mirroring of personal data on Indian servers will not magically give rise to experts skilled in statistics, machine learning, or artificial intelligence, nor will it somehow lead to the development of the infrastructure needed for AI.</p>
<p style="text-align: justify; ">The United States and China are both global leaders in AI, yet no one would argue that China’s data localisation policies have helped it or that America’s lack of data localisation polices have hampered it.</p>
<blockquote style="text-align: justify; ">On the question of foreign surveillance, data mirroring will not have any impact, since the Srikrishna Committee’s recommendation would not prevent companies from storing most personal data outside of India.</blockquote>
<p style="text-align: justify; ">Even for “sensitive personal data” and for “critical personal data”, which may be required to be stored in India alone, such measures are unlikely to prevent agencies like the U.S. National Security Agency or the United Kingdom’s Government Communications Headquarters from being able to indulge in extraterritorial surveillance.</p>
<p style="text-align: justify; ">In 2013, slides from an NSA presentation that were leaked by Edward Snowden showed that the NSA’s “BOUNDLESSINFORMANT” programme collected 12.6 billion instances of telephony and Internet metadata (for instance, which websites you visited and who all you called) from India in just one month, making India one of the top 5 targets.</p>
<p style="text-align: justify; ">This shows that technically, surveillance in India is not a challenge for the NSA.</p>
<p style="text-align: justify; ">So, forcing data mirroring enhances Indian domestic intelligence agencies’ abilities to engage in surveillance, without doing much to diminish the abilities of skilled foreign intelligence agencies.</p>
<p style="text-align: justify; ">As I have <a href="https://slides.com/pranesh/digital-security-for-journalists#/5/1" target="_blank">noted in the past</a>, the technological solution to reducing mass surveillance is to use decentralised and federated services with built-in encryption, using open standards and open source software.</p>
<p style="text-align: justify; ">Reducing reliance on undersea cables is, just like reducing foreign surveillance on Indians’ data, a laudable goal. However, a mandate of mirroring personal data in India, which is what the draft Data Protection Bill proposes for all non-sensitive personal data, will not help. Data will stay within India if the processing happens within India. However, if the processing happens outside of India, as is often the case, then undersea cables will still need to be relied upon.</p>
<p style="text-align: justify; ">The better way to keep data within India is to incentivise the creation of data centres and working towards reducing the cost of internet interconnection by encouraging more peering among Internet connectivity providers.</p>
<blockquote style="text-align: justify; ">While data mirroring will not help in improving the enforcement of any data protection or privacy law, it will aid Indian law enforcement agencies in gaining easier access to personal data.</blockquote>
<h2 style="text-align: justify; ">The MLAT Route</h2>
<p style="text-align: justify; ">Currently, many forms of law enforcement agency requests for data have to go through onerous channels called ‘mutual legal assistance treaties’. These MLAT requests take time and are ill-suited to the needs of modern criminal investigations. However, the U.S., recognising this, passed a law called the CLOUD Act in March 2018. While the CLOUD Act compels companies like Google and Amazon, which have data stored in Indian data centres, to provide that data upon receiving legal requests from U.S. law enforcement agencies, it also enables easier access to foreign law enforcement agencies to data stored in the U.S. as long as they fulfill certain procedural and rule-of-law checks.</p>
<blockquote style="text-align: justify; ">While the Srikrishna Committee does acknowledge the CLOUD Act in a footnote, it doesn’t analyse its impact, doesn’t provide suggestions on how India can do this, and only outlines the negative consequences of MLATs.</blockquote>
<p style="text-align: justify; ">Further, it is inconceivable that the millions of foreign services that Indians access and provide their personal data to will suddenly find a data centre in India and will start keeping such personal data in India. Instead, a much likelier outcome, one which the Srikrishna Committee doesn’t even examine, is that many smaller web services may find such requirements too onerous and opt to block users from India, similar to the way that Indiatimes and the Los Angeles Times opted to block all readers from the European Union due to the coming into force of the new data protection law.</p>
<p style="text-align: justify; ">The government could be spending its political will on finding solutions to the law enforcement agency data access question, and negotiating solutions at the international level, especially with the U.S. government. However it is not doing so.</p>
<p style="text-align: justify; ">Given this, the recent spate of data localisation policies and regulation can only be seen as part of an attempt to increase the scope and ease of the Indian government’s surveillance activities, while India’s privacy laws still remain very weak and offer inadequate legal protection against privacy-violating surveillance. Because of this, we should be wary of such requirements, as well as of the companies that are vocal in embracing data localisation.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance'>http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance</a>
</p>
No publisherpraneshSurveillanceInternet GovernancePrivacy2018-10-16T14:08:34ZBlog EntryCritics of India's ID card project say they have been harassed, put under surveillance
http://editors.cis-india.org/internet-governance/news/reuters-february-13-2018-rahul-bhatia-critics-of-indias-id-card-project-say-they-have-been-harassed-put-under-surveillance
<b>Researchers and journalists who have identified loopholes in India’s massive national identity card project have said they have been slapped with criminal cases or harassed by government agencies because of their work.</b>
<p style="text-align: justify; ">This was published by <a class="external-link" href="https://www.reuters.com/article/us-india-aadhaar-breach/critics-of-indias-id-card-project-say-they-have-been-harassed-put-under-surveillance-idUSKBN1FX0H0">Reuters</a> on February 13, 2018. <span>Reporting by Rahul Bhatia; Editing by Raju Gopalakrishnan</span></p>
<hr />
<p style="text-align: justify; ">Last month, the Unique Identification Authority of India (UIDAI), the semi-government body responsible for the national identity project, called Aadhaar, or “Basis”, filed a criminal case against the Tribune newspaper for publishing a story that said access to the card’s database could be bought for 500 rupees ($7.82).</p>
<p style="text-align: justify; ">Reuters spoke to eight additional researchers, activists and journalists who have complained of being harassed after writing about Aadhaar. They said UIDAI and other government agencies were extremely sensitive to criticism of the Aadhaar programme.</p>
<p style="text-align: justify; ">Aadhaar is a biometric identification card that is becoming integral to the digitisation of India’s economy, with over 1.1 billion users and the world’s biggest database.</p>
<p style="text-align: justify; ">Indians have been asked to furnish their Aadhaar numbers for a host of transactions including accessing bank accounts, paying taxes, receiving subsidies, acquiring a mobile number, settling a property deal and registering a marriage.</p>
<p style="text-align: justify; ">The Tribune said one of its reporters purchased access to a portal that could provide data linked to any Aadhaar cardholder.</p>
<p style="text-align: justify; ">The UIDAI complaint, filed with the police cyber cell in the capital, New Delhi, accused the newspaper, the reporter, and others of cheating by impersonation, forgery and unauthorised access to a computer network.</p>
<p style="text-align: justify; ">Media associations sharply criticised the action - the Editors Guild of India said UIDAI’s move was “clearly meant to browbeat a journalist whose story was of great public interest. It is unfair, unjustified and a direct attack on the freedom of the press.”</p>
<p style="text-align: justify; ">In response, the agency said “an impression was being created in media that UIDAI is targeting the media or whistleblowers or shooting the messenger.”</p>
<p style="text-align: justify; ">“That is not at all true. It is for the act of unauthorised access, criminal proceedings have been launched,” it said in a statement.</p>
<p style="text-align: justify; ">Osama Manzar, the director of the Digital Empowerment Foundation, a New Delhi-based NGO, called the government’s prickliness “a clear sign that rather than it wanting to learn how to make Aadhaar a tool of empowerment, it actually wants to use it as a coercive tool of disempowerment”.</p>
<h3 style="text-align: justify; ">Data Leakage</h3>
<p style="text-align: justify; ">Last May, the Centre for Internet and Society (CIS), an independent Indian advocacy group, published a report that government websites had inadvertently leaked several million identification numbers from the project.</p>
<p style="text-align: justify; ">UIDAI sent the CIS a legal notice within days, said Srinivas Kodali, one of the authors of the report.</p>
<p style="text-align: justify; ">The notice alleged that some of the data cited in the report would only be available if the site had been accessed illegally. The UIDAI wrote that the people involved had to be “brought to justice.”</p>
<p style="text-align: justify; ">According to Kodali, two more notices followed, addressed to the group’s directors and two researchers, containing more accusations. “They said it was a criminal conspiracy, and demanded that we send individual responses,” he said.</p>
<p style="text-align: justify; ">CIS then received questions about its funding from the home ministry section that grants NGOs permission to receive foreign funding, said a source in the group who saw the letter. CIS viewed this as a threat to its funding, the source said. CIS declined to comment on the notices or on the questions about funding.</p>
<p style="text-align: justify; ">UIDAI did not reply to multiple e-mails seeking comment on the accusations about CIS and similar complaints by other activists and journalists, and officials could not be reached by phone. Officials at the Ministry of Information Technology that supervises UIDAI were unreachable by phone.<br />In a column in the Economic Times newspaper in January, Ajay Pandey, the head of the UIDAI, wrote: “The data of all Aadhaar holders is safe and secure. One should not believe rumours or claims made on its so-called ‘breach’.”</p>
<p style="text-align: justify; ">R.S. Sharma, the head of India’s telecom regulatory body, said there was an “orchestrated campaign” against Aadhaar as it was against the interests of those who operated in the shadow economy with fictitious names, or were skimming off subsidies.</p>
<p style="text-align: justify; ">“It is going to clean up many systems,” Sharma told a television channel last month. “That’s probably one of the reasons why people realise that this is now becoming too difficult or too dangerous for them.”</p>
<h3 style="text-align: justify; ">That trip to Turkey</h3>
<p style="text-align: justify; ">A Bangalore researcher who contributed to the CIS report said scrutiny by police and government officials was a common occurrence, but harassment was stepped up after it was published.</p>
<p style="text-align: justify; ">“Sometimes people from the police station visit you. Other times from the Home Ministry. It was intimidating,” the researcher said.</p>
<p style="text-align: justify; ">The person, who asked not to be named for fear of reprisal, said police officers asked questions like “How was that trip to Turkey?',” to make it clear the subjects were under surveillance.</p>
<p style="text-align: justify; ">When Sameer Kochhar, a social scientist and author of books on Aadhaar, demonstrated how the system’s biometrics safeguards could be bypassed last year, UIDAI filed a police report in New Delhi, a person familiar with the matter said.</p>
<p style="text-align: justify; ">Subsequently, Kochhar received at least three notices from the Delhi Police alleging that he had violated 14 sections under three separate laws, the person said.</p>
<p style="text-align: justify; ">Kochhar’s lawyer declined comment. Delhi Police officials declined comment.</p>
<p style="text-align: justify; ">Critics have warned Aadhaar could be used as an instrument of state surveillance while data security and privacy regulations are still to be framed.</p>
<p style="text-align: justify; ">Former central bank governor Raghuram Rajan said last month that the government needed to prove it would protect the privacy of Aadhaar.</p>
<p style="text-align: justify; ">“I do think that we have to assure the public that their data is safe,” Rajan said. “All these reports about easy availability of data are worrying and we have to ensure security. We cannot just say trust us, trust us, it’s all secure.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/reuters-february-13-2018-rahul-bhatia-critics-of-indias-id-card-project-say-they-have-been-harassed-put-under-surveillance'>http://editors.cis-india.org/internet-governance/news/reuters-february-13-2018-rahul-bhatia-critics-of-indias-id-card-project-say-they-have-been-harassed-put-under-surveillance</a>
</p>
No publisherAdminInternet GovernanceSurveillance2018-02-24T07:50:55ZNews ItemParanoid about state surveillance? Here’s the FD Guide to living in the age of snoops
http://editors.cis-india.org/internet-governance/news/factor-daily-sriram-sharma-december-12-2017-paranoid-about-state-surveillance-here-s-the-fd-guide-to-living-in-the-age-of-snoops
<b>The US does it, so does China. Ever since Edward Snowden’s revelations back in 2013, which exposed the extent of the US’s global surveillance apparatus, the public has been fairly clued into the extent of mass surveillance.</b>
<p style="text-align: justify; ">The blog post by Sriram Sharma was published in Factor Daily on December 12, 2017</p>
<p style="text-align: justify; ">It doesn’t take a conspiracy theorist to worry that India does it (or wants to), too, especially with the high decibel campaigns by banks, telecom service providers and others to have Indians link Aadhaar, the unique citizen ID, to multiple services.</p>
<p style="text-align: justify; ">If you want a dystopian picture of the future of surveillance, look no further than China, considered the world’s worst abuser of internet freedom for the third year in a row, according to the new Freedom House, a US-based NGO that conducts research and analysis on the internet. With a <a href="https://freedomhouse.org/report/freedom-net/2017/china" rel="noopener nofollow external noreferrer" target="_blank">score of 87/100</a> (higher is worse), the Chinese state is renowned for its Great Firewall, which filters access to the wider internet. “Digital activism has declined amid growing legal and technical restrictions as well as heavy prison sentences against prominent civil society figures,” the latest Freedom House report notes.</p>
<p style="text-align: justify; "><img class="size-full wp-image-12235" height="396" src="https://i0.wp.com/factordaily.com/wp-content/uploads/2017/12/freedom-of-net-india-2017.jpg?resize=660%2C416&ssl=1" width="629" /></p>
<p style="text-align: justify; ">India is rated “Partly Free” with a score of 41/100 (lower is better) in Freedom House’s 2017 report on internet freedom</p>
<p style="text-align: justify; ">While it’s a long way away from China, India scores <a href="https://freedomhouse.org/report/freedom-net/2017/india" rel="noopener nofollow external noreferrer" target="_blank">41/100</a> on Internet Freedom in 2017 but is still considered only ‘partly free’ owing to blocking of internet and telecom service providers in Kashmir and detainment of citizens for expressing their views online. The India report from Freedom House highlights Aadhaar’s mandatory linking for a wide range of schemes and records concerns regarding its privacy and security implications.</p>
<p style="text-align: justify; ">In this guide, we take a look at the why, what and how of India’s surveillance apparatus, the legal provisions in the Indian constitution that enables them, ask domain experts to provide us with tips on living in an age of state surveillance. We also take a look at a variety of widely used tools and apps that help you countering state surveillance or tracking of any kind.</p>
<p style="text-align: justify; "><b>Know your Big Brother: India’s State Surveillance Programs </b></p>
<p style="text-align: justify; ">Right to privacy organisation Privacy International has a detailed dossier on the <a href="https://www.privacyinternational.org/node/975#toc-4" rel="noopener nofollow external noreferrer" target="_blank">state of privacy in India</a>, which examines India’s surveillance schemes, laws around interception and access, and central intelligence agencies that carry out surveillance. Apart from the state police and the army, surveillance is carried out at least 16 different intelligence agencies, it notes.</p>
<p style="text-align: justify; ">The Centre for Internet and Society (CIS) and Software Freedom Law Centre (SFLC) have done extensive research in the past on India’s surveillance apparatus. Earlier <a href="https://cis-india.org/internet-governance/blog/the-design-technology-behind-india2019s-surveillance-programmes" rel="noopener nofollow external noreferrer" target="_blank">this year</a>, CIS reported on the various programs and tech infrastructure behind India’s surveillance state: these include Central Monitoring System (CMS), National Intelligence Grid (NATGRID), Network Traffic Analysis System (NETRA), etc. An earlier <a href="https://cis-india.org/internet-governance/blog/surveillance-industry-india.pdf" rel="noopener nofollow external noreferrer" target="_blank">CIS report</a> highlights a boom in surveillance tech in India following the 26/11 terror attacks in Mumbai.</p>
<p style="text-align: justify; ">Based on an RTI (Right to Information) filing, SFLC’s <a href="https://www.sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india" rel="noopener nofollow external noreferrer" target="_blank">2014 report</a> on India’s Surveillance State reveals that around 7,500 to 9,000 telephone interception orders are issued by the central government alone each month. State surveillance of citizens’ private communications is authorised by laws that let them monitor phone calls, texts, e-mails and Internet activity on a number of broadly worded grounds such as such as ‘security of the state’, ‘defence of India’, and ‘public safety’.</p>
<p style="text-align: justify; ">The Government of India is also known to said to work with private third parties, some of which go so far as to infect target devices using malicious software to extract information on the subject. A 2013 Citizen Lab report titled ‘<a href="https://citizenlab.ca/storage/finfisher/final/fortheireyesonly.pdf" rel="noopener nofollow external noreferrer" target="_blank">The Commercialisation of Digital Spying</a>’ found command and control servers (used to control the host system) for FinFisher (a remote computer monitoring software suite) in India. A Wikileaks <a href="https://gadgets.ndtv.com/internet/news/upa-was-client-of-controversial-italian-spyware-firm-claim-leaked-mails-713879" rel="noopener nofollow external noreferrer" target="_blank">expose in 2015</a> dumped over a million emails belonging to Italian surveillance malware vendor HackingTeam. The emails revealed how India’s top intelligence agencies and the government expressed interest in buying Hacking Team’s malware interception tools.</p>
<h3 style="text-align: justify; ">Fears of an Aadhaar Surveillance State</h3>
<p style="text-align: justify; ">Thejesh G N, an infoactivist wrote in <i>FactorDaily</i> about <a href="https://factordaily.com/hyderabad-police-surveillance-integrated-information-hub/">Hyderabad’s surveillance hub</a>, which wants to collect all manner of details. Aadhaar is one of the primary keys to matching profiles with external data sources, he notes.</p>
<p style="text-align: justify; "><img class="size-full wp-image-12230" height="457" src="https://i2.wp.com/factordaily.com/wp-content/uploads/2017/12/Aadhaar_Surveillance_infographic.jpg?resize=660%2C480&ssl=1" width="629" /></p>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "><figure class="aligncenter wp-caption" id="attachment_12230">A look at data points gathered by Hyderabad’s Integrated Information Hub</figure></p>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">“The end product shows on a map where you live, what you consume, did you take PDS, move to some other place, your mobile number, gender… there’s a lot of data in the hands of the very lowest level of government, which doesn’t have any protection as by a parliamentary committee or anything like that. It’s run by bureaucrats, so that has huge implications,” he says. “If you see Citizen Four (a 2014 documentary about Edward Snowden), it shows a similar system, where you enter one’s SSN, and it shows everything you have done, and are planning to do. We are building the same system…Governments change, today we might have a good government, tomorrow we might have the worst possible government on the planet.”</p>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director of CIS says he doesn’t regard Aadhaar as a surveillance project. “I see Aadhaar as something that can facilitate surveillance, but by and of itself, it isn’t surveillance,” he says, adding that it does so in a non-consensual manner. “By having Aadhaar numbers across multiple databases, you make surveillance easier. But you need to tie it up to a surveillance system. For instance, Aadhaar without NATGRID isn’t surveillance, but Aadhaar with NATGRID can be helpful for surveillance.” NATGRID (National Intelligence Grid) was first proposed in late 2009 following 26/11 attacks by the Union Home Minister, to enhance India’s counter-terror capabilities. It links 21 citizen databases for access to intelligence/enforcement agencies.</p>
<p style="text-align: justify; "><img class="size-full wp-image-12236" height="354" src="https://i1.wp.com/factordaily.com/wp-content/uploads/2017/12/screenshot.jpg?resize=660%2C371&ssl=1" width="629" /></p>
<p style="text-align: justify; ">Ongrid’s website earlier had this visualisation depicting its verification service, which made privacy advocates cringe. Source: Twitter.</p>
<p style="text-align: justify; ">We discussed some worst-case scenarios around the commercial use of Aadhaar and India Stack companies with Thejesh. “Let’s say there’s a screening company and they have your Aadhaar ID. They will send it to Airtel, or Vodafone, and ask for a list of all the websites you have viewed. Maybe you’ve watched porn or something, at some point in your life, and that could hurt your employment,” he says.</p>
<h2 style="text-align: justify; "><b>Curbing your data exhaust</b></h2>
<p style="text-align: justify; ">The EFF (Electronic Frontier Foundation) has published a number of<a href="https://www.eff.org/deeplinks/2013/10/ten-steps-against-surveillance" rel="noopener nofollow external noreferrer" target="_blank"> useful articles</a> and<a href="https://ssd.eff.org/en" rel="nofollow external noopener noreferrer"> resources</a> for countering internet surveillance. Recommendations include using end-to-end encryption through tools such as OTR (a messaging protocol available on Adium),<a href="https://ssd.eff.org/en/module/how-use-pgp-mac-os-x" rel="noopener nofollow external noreferrer" target="_blank"> PGP</a> (to exchange secure emails), and Signal (messenger).</p>
<p style="text-align: justify; ">Other useful tips:</p>
<h2 style="text-align: justify; "><b>Use VPNs </b><b><br /> </b></h2>
<p style="text-align: justify; ">VPNs (virtual private networks) use encryption protocols and secure tunneling techniques to keep your internet activity impervious to snooping. With a VPN, you can bypass ISP restrictions on blocked websites or access services (Spotify) not available in your country, making it appear that you are browsing from another part of the world. Keep in mind that you can still be outed by your VPN provider, so it’s important to choose one that respects your privacy. There are hundreds of VPN service providers to choose from, <a href="https://thatoneprivacysite.net/vpn-comparison-chart/" rel="noopener nofollow external noreferrer" target="_blank">That One Privacy Guy</a> maintains a detailed comparison chart of over a hundred VPN providers, with details on jurisdiction, price, ethics, logging policies, VPN protocols supported, and more. Out of these, the country that the VPN provider is based in is a key filter: you don’t want to choose a VPN service based out of the ‘<a href="https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/" rel="noopener nofollow external noreferrer" target="_blank">14 eyes</a>‘, as they are known to do mass surveillance.</p>
<h2 style="text-align: justify; "><b>Use TOR</b></h2>
<p style="text-align: justify; ">Tor, an acronym for ‘The Onion Router’, is a free app that lets you anonymise your online communication by directing a web browser’s traffic through a volunteer-run network of thousands of servers. It is funded by the US-based National Science Foundation, Mozilla, and Open Technology Fund, among others. Tor is <a href="https://www.torproject.org/download/download-easy.html.en" rel="noopener nofollow external noreferrer" target="_blank">available for download</a> on Windows, Mac, Linux, and Android.</p>
<p style="text-align: justify; "><img class="wp-image-12257 size-full" height="579" src="https://i0.wp.com/factordaily.com/wp-content/uploads/2017/12/tor-web-browser.jpg?resize=660%2C607&ssl=1" width="629" /></p>
<p style="text-align: justify; "><figure class="aligncenter wp-caption" id="attachment_12257">Browsing on Tor can be far slower than a regular web browser, but it keeps you anonymous.</figure></p>
<h2 style="text-align: justify; "><b>Encrypt your storage</b></h2>
<p style="text-align: justify; ">It’s now a default feature on your phone, or computer, so there’s no reason why you shouldn’t make use of it. To check if it is turned on in Windows 10, Go to Settings > System > About, and look for a “Device encryption” setting at the bottom of the About tab. Keep in mind that you need to sign into Windows with a Microsoft account <a href="http://www.independent.co.uk/news/edward-snowden-claims-microsoft-collaborated-with-nsa-and-fbi-to-allow-access-to-user-data-8705755.html" rel="noopener nofollow external noreferrer" target="_blank">to enable this setting</a>, so it’s likely that the NSA or FBI might be able to bypass it.</p>
<p style="text-align: justify; ">On a Mac, you turn on full-disk encryption through FileVault, accessible in > System Preferences > Security & Privacy.</p>
<p style="text-align: justify; ">On an iPhone, data protection is enabled once you set up a passcode on your device.</p>
<p style="text-align: justify; ">Android 5.0 and above devices support full-disk encryption. If it isn’t turned on by default on your device, you can turn on encryption under the Security menu.</p>
<p style="text-align: justify; ">Sensitive documents can also be encrypted using <a href="http://truecrypt.sourceforge.net" rel="noopener nofollow external noreferrer" target="_blank">TrueCrypt</a>. Though you must keep in mind that key disclosure laws apply in India, under the Section 69 of the <a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20(amendment).pdf" rel="noopener nofollow external noreferrer" target="_blank">Information Technology Act</a>, which states that there’s a seven-year prison sentence for failing to assist the central and state governments in decrypting information on a computer resource.</p>
<h2 style="text-align: justify; "><b>Use an air-gapped PC</b></h2>
<p style="text-align: justify; ">An air-gapped PC is one that is not connected to the internet or to any computers that are connected to the internet. Air-gapped PCs are typically used when handling critical infrastructure, and this is an extreme measure one can take when working with sensitive data that you don’t want to be leaked.</p>
<h2 style="text-align: justify; "><b>Use</b><a href="https://www.eff.org/https-everywhere" rel="noopener nofollow external noreferrer" target="_blank"> <b>HTTPS everywhere</b></a></h2>
<p style="text-align: justify; ">HTTPS Everywhere offers plugins for Firefox, Chrome, and Opera, and turns every link you open or key in, to a secure version of the HTTP protocol, which is encrypted by Transport Layer Security (TLS). The tool protects you from eavesdropping or tampering with the site you are visiting, but only works on sites that support HTTPS. Keep in mind that this tool won’t conceal the sites you have accessed from eavesdroppers but it won’t reveal the specific URL that you visited.</p>
<h2 style="text-align: justify; "><b>Turn on Advanced Protection in Gmail</b></h2>
<p style="text-align: justify; ">If you trust Gmail with your data, take the relationship to the next level with <a href="https://landing.google.com/advancedprotection/" rel="noopener nofollow external noreferrer" target="_blank">Advanced Protection</a>, which safeguards your account against phishing attacks, limits access to trusted apps, and adds extra verification features to block fraudulent account access. You will need a <a href="https://myaccount.google.com/advanced-protection/enroll/details?pli=1" rel="noopener nofollow external noreferrer" target="_blank">Bluetooth key and a USB key</a> to turn this feature on.</p>
<h2 style="text-align: justify; "><b>Some other don’ts</b></h2>
<ul style="text-align: justify; ">
<li>Don’t leave any cameras open. Tape them up if you are a potential surveillance target.</li>
<li>Don’t use freemium apps, which trade in your privacy. A recent example of a<a href="http://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/" rel="noopener nofollow external noreferrer" target="_blank"> worst-case scenario</a>.</li>
<li>Don’t send any data via free email services that you would like to keep private.</li>
<li>Don’t use Google or Facebook, as Snowden says, if you value your privacy. Don’t take our <a href="https://techcrunch.com/2014/10/11/edward-snowden-new-yorker-festival/" rel="noopener nofollow external noreferrer" target="_blank">word for it</a>.</li>
</ul>
<p style="text-align: justify; ">As for Aadhaar, Thejesh says that there isn’t much one can do as it is forcibly linked to many essential services. He recommends using different email ids for official work and unofficial work. “Use one email ID for Aadhaar and mobile related accounts, and use the other one for regular communication. It separates the accounts from surveillance and adds a layer of security,” he says. “Don’t use Aadhaar until is necessary. If you use Aadhaar and you are not in a mood to resist everything, then don’t use it where it is not required. Don’t use it like a regular address proof,” he adds.</p>
<p style="text-align: justify; ">If you are already an Aadhaar holder, it makes sense to use the biometric locking system provided by UIDAI on <a href="https://resident.uidai.gov.in/biometric-lock" rel="noopener nofollow external noreferrer" target="_blank">its website</a> to protect against identity theft and unauthorised access. The biometric locking feature sends an OTP code to your registered mobile number to unlock or disable the locking system.</p>
<p style="text-align: justify; ">If someone is concerned about surveillance, CIS’s Prakash recommends not having a cell phone. “The cellphone is the single largest means of data gathering about you,” he says.</p>
<p style="text-align: justify; ">Surveillance can take many forms: it can be physical or off-the-air surveillance (an interception technique used to snoop on phone calls), he points out.</p>
<p style="text-align: justify; "><figure class="aligncenter wp-caption" id="attachment_12232"><img class="size-full wp-image-12232" height="415" src="https://i2.wp.com/factordaily.com/wp-content/uploads/2017/12/surveillance-cctv.jpg?resize=660%2C436&ssl=1" width="629" />A CCTV camera fitted on top of a Hyderabad Police vehicle</figure></p>
<p style="text-align: justify; ">Surveillance is not always bad: medical surveillance, for instance, an entire field around the spread of diseases, is necessary, Prakash clarifies. “Even state surveillance for national security purposes is absolutely necessary. A nation-state can’t survive without surveillance so I am quite clear that those who oppose all forms of surveillance are opposing all kinds of rights – because you can’t have rights without security. And indeed, individual security is a human right guaranteed under the Universal Declaration of Human Rights and guaranteed in Article 21 of the Indian Constitution. Without security of the person, you can’t have the right to freedom of speech, you can’t enjoy the right to privacy… If you’re in a state of war or in a state of terror, then you can’t enjoy rights – so clearly for me, surveillance is necessary,” he says.</p>
<p style="text-align: justify; ">That said, surveillance in India is highly problematic as the laws and the democratic framework for surveillance is very weak, and enforcement of that framework is even worse, Prakash adds. “One of the best ways of countering surveillance, I would suggest, is to actually demand a democratic framework for surveillance in India. Demand that your MLA and MP take up this issue at the state and central level… and that we have a democratic framework for both our intelligence agencies and for all the surveillance that is conducted by the state in India,” he says.</p>
<p style="text-align: justify; ">He calls everything else – “the technological stuff, using anonymising networks, end-to-end encryption” – a second order issue. “It can help you as an individual, but it doesn’t help us as a society.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/factor-daily-sriram-sharma-december-12-2017-paranoid-about-state-surveillance-here-s-the-fd-guide-to-living-in-the-age-of-snoops'>http://editors.cis-india.org/internet-governance/news/factor-daily-sriram-sharma-december-12-2017-paranoid-about-state-surveillance-here-s-the-fd-guide-to-living-in-the-age-of-snoops</a>
</p>
No publisherAdminInternet GovernanceSurveillance2017-12-16T13:38:46ZNews ItemHow Aadhaar compromises privacy? And how to fix it?
http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it
<b>Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens. </b>
<p style="text-align: justify; ">The op-ed was published in the <a class="external-link" href="http://www.thehindu.com/opinion/op-ed/is-aadhaar-a-breach-of-privacy/article17745615.ece">Hindu</a> on March 31, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.</p>
<p style="text-align: justify; "><b>Shift from biometrics to smart cards:</b><span> In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.</span></p>
<p style="text-align: justify; "><b>Destroy the authentication transaction database:</b><span> The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.</span></p>
<p style="text-align: justify; "><b>Prohibit the use of Aadhaar number in other databases:</b><span> We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.</span></p>
<p style="text-align: justify; "><span>To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it'>http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it</a>
</p>
No publishersunilSurveillanceAadhaarInternet GovernancePrivacy2017-04-01T07:00:06ZBlog EntrySurveillance in India: Policy and Practice
http://editors.cis-india.org/internet-governance/news/surveillance-in-india-policy-and-practice
<b>The National Institute of Public Finance and Policy organized a brainstorming session on net neutrality on February 8, 2017 and a public seminar on surveillance in India the following day on February 9, 2017 in New Delhi. Pranesh Prakash gave a talk. </b>
<p style="text-align: justify; ">Pranesh presented a narrative of the current state of surveillance law, our knowledge of current surveillance practices (including noting where programmes like Natgrid, CMS, etc. fit in), and charted a rough map of reforms needed and outstanding policy research questions.</p>
<h3 style="text-align: justify; ">Pranesh Prakash</h3>
<p style="text-align: justify; ">Pranesh Prakash is a Policy Director at - and was part of the founding team of - the Centre for Internet and Society, a non-profit organisation that engages in research and policy advocacy. He is also the Legal Lead at Creative Commons India and an Affiliated Fellow at the Yale Law School's Information Society Project, and has been on the Executive Committee of the NCUC at ICANN. In 2014, he was selected by Forbes India for its inaugural "30 under 30" list of young achievers, and in 2012 he was recognized as an Internet Freedom Fellow by the U.S. government.</p>
<p style="text-align: justify; ">His research interests converge at the intersections of technology, culture, economics, law, and justice. His current work focuses on interrogating, promoting, and engaging with policymakers on the areas of access to knowledge (primarily copyright reform), 'openness' (including open government data, open standards, free/libre/open source software, and open access), freedom of expression, privacy, digital security, and Internet governance. He is a prominent voice on these issues, with the newspaper Mint calling him “one of the clearest thinkers in this area”, and his research having been quoted in the Indian parliament. He regularly speaks at national and international conferences on these topics. He has a degree in arts and law from the National Law School in Bangalore, and while there he helped found the Indian Journal of Law and Technology, and was part of its editorial board for two years.</p>
<p style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/workshop-on-net-neutrality">Click here</a> to see the agenda for the brainstorming session on net neutrality.</p>
<hr />
<h3>Video <br /> <iframe frameborder="0" height="315" src="https://www.youtube.com/embed/6KfyQ7y6TNE" width="560"></iframe></h3>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/surveillance-in-india-policy-and-practice'>http://editors.cis-india.org/internet-governance/news/surveillance-in-india-policy-and-practice</a>
</p>
No publisherpraskrishnaVideoNet NeutralityInternet GovernanceSurveillance2017-03-15T01:05:07ZNews Item