The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1001 to 1015.
Limits to Privacy
http://editors.cis-india.org/internet-governance/publications/limits-privacy.pdf
<b>In this chapter we attempt to build a catalogue of these various
justifications, without attempting to be exhaustive, with the objective of arriving at a
rough taxonomy of such frequently invoked terms. In addition we also examine some the
more important justifications such as “public interest” and “security of the state” that
have been invoked in statutes and upheld by courts to deprive persons of their privacy.
</b>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/publications/limits-privacy.pdf'>http://editors.cis-india.org/internet-governance/publications/limits-privacy.pdf</a>
</p>
No publisherpraskrishnaInternet GovernancePrivacy2012-12-14T10:28:59ZFilePrivacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?
http://editors.cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy
<b>How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples. </b>
<h2>What kinds of computer related activities impinge on privacy?</h2>
<p>Although Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironically these very capacities of technology which make us vulnerable to intrusions of our privacy on a previously impossible scale. Firstly, data on our own personal computers can compromise us in unpleasant ways — with consequences ranging from personal embarrassment to financial loss. Secondly, transmission of data over the Internet and mobile networks is equally fraught with the risk of interception — both lawful and unlawful — which could compromise our privacy. Thirdly, in this age of cloud computing when much of "our" data — our emails, chat logs, personal profiles, bank statements, etc., reside on distant servers of the companies whose services we use, our privacy becomes only as strong as these companies’ internal electronic security systems. Fourthly, the privacy of children, women and minorities tend to be especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly, Internet has spawned new kinds of annoyances from electronic voyeurism to spam or offensive email to ‘phishing’ — impersonating someone else’s identity for financial gain — each of which have the effect of impinging on one’s privacy.</p>
<p>Although there are a number of technological measures through which these risks can be reduced, it is equally important to have a robust legal regime in place which lays emphasis on the maintenance of privacy. This note looks at whether and how the Information Technology Act that we currently have in India measures up to these challenges of electronic privacy [<a href="#1">1</a>].</p>
<h2><span class="Apple-style-span">What provisions in the IT Act protect against violations of privacy?</span></h2>
<p><span class="Apple-style-span">At the outset, it would be pertinent to note that the IT Act defines a ‘computer resource’; expansively as including a “computer, computer system, computer network, data, computer database or software” [<a href="#2">2</a>]. As is evident, this definition is wide enough to cover most intrusions which involve any electronic communication devices or networks — including mobile networks. Briefly, then IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer — many of which impinge on privacy directly or indirectly. These will be examined in detail in the following sub-sections.</span></p>
<div><span class="Apple-style-span"><span class="Apple-style-span">
<div><span class="Apple-style-span">Intrusions into computers and mobile devices</span></div>
</span></span></div>
<ul>
<li>accessing</li>
</ul>
<ul>
<li>downloading/copying/extraction of data or extracts any data</li>
</ul>
<ul>
<li>introduction of computer contaminant[<a href="#3">3</a>];or computer virus[<a href="#4">4</a>]</li>
</ul>
<ul>
<li>causing damage either to the computer resource or data residing on it</li>
</ul>
<ul>
<li>disruption</li>
</ul>
<ul>
<li>denial of access</li>
</ul>
<ul>
<li>facilitating access by an unauthorized person</li>
</ul>
<ul>
<li>charging the services availed of by a person to the account of another person,</li>
</ul>
<ul>
<li>destruction or diminishing of value of information</li>
</ul>
<ul>
<li>stealing, concealing, destroying or altering source code with an intention</li>
</ul>
<p><span class="Apple-style-span">
<div><span class="Apple-style-span"><span class="Apple-style-span">
<p>The Act provides for the civil remedy of “damages by way of compensation” for damages caused by any of these actions. In addition anyone who “dishonestly” and “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of upto three years or with a fine which may extend to five lakh rupees, or with both[<a href="#5">5</a>].</p>
</span></span></div>
</span></p>
<table class="plain">
<tbody>
<tr>
<td>
<p><b>Bangalore techie convicted for hacking govt site (2009, Deccan Herald)</b>[<a href="#6">6</a>]</p>
<p><span class="Apple-style-span">In November 2009, The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore to undergo a rigorous imprisonment for one year with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (hacking).</span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">Investigations had revealed that Kumar was logging on to the BSNL broadband Internet connection as if he was the authorised genuine user and ‘made alteration in the computer database pertaining to broadband Internet user accounts’ of the subscribers.</span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">The CBI had registered a cyber crime case against Kumar and carried out investigations on the basis of a complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of broadband Internet.</span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as also from Chennai and other cities, they said.</span></p>
</td>
</tr>
</tbody>
</table>
<h3>Children's privacy online</h3>
<p>As computers and the Internet become ubiquitous children have increasingly become exposed to crimes such as pornography and stalking that make use of their private information. The newly inserted section 67B of the IT Act (2008) attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children.</p>
<p>The section firstly penalizes anyone engaged in child pornography. Thus, any person who “publishes or transmits” any material which depicts children engaged in sexually explicit conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges this material may be punished with imprisonment upto five years (seven years for repeat offenders) and with a fine of upto Rs. 10 lakh.</p>
<p>Secondly, this section punishes the online enticement of children into sexually explicitly acts, and the facilitation of child abuse, which are also punishable as above.</p>
<p>Viewed together, these provisions seek to carve out a limited domain of privacy for children from would-be sexual predators.</p>
<p>The section exempts from its ambit, material which is justified on the grounds of public good, including the interests of "science, literature, art, learning or other objects of general concern". Material which is kept or used for bona fide "heritage or religious purpose" is also exempt.</p>
<p>In addition, the newly released Draft Intermediary Due-Diligence Guidelines, 2011 [<a href="#7">7</a>]require ‘intermediaries’[<a href="#8">8</a>]to notify users not to store, update, transmit and store any information that is inter alia, “pedophilic” or “harms minors in any way”. An intermediary who obtains knowledge of such information is required to “act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity”. Further, the intermediary is required to inform the police about such information and preserve the records for 90 days.</p>
<h3>Electronic Voyeurism</h3>
<p>Although once regarded as only the stuff of spy cinema, the explosion in consumer electronics has lowered the costs and the size of cameras to such an extent that the threat of hidden cameras recording people’s intimate moments has become quite real. Responding to the growing trend of such electronic voyeurism, a new section 66E has been inserted into the IT Act which penalizes the capturing, publishing and transmission of images of the "private area" [<a href="#9">9</a>]of any person without their consent, "under circumstances violating the privacy" [<a href="#10">10</a>] of that person.</p>
<p>This offence is punishable with imprisonment of upto three years or with a fine of upto Rs. two lakh or both.</p>
<h3>Phishing – or Identity Theft</h3>
<p><span class="Apple-style-span"> </span></p>
<p>The word 'phishing' is commonly used to describe the offence of electronically impersonating someone else for financial gain. This is frequently done either by using someone else’s login credentials to gain access to protected systems, or by the unauthorized application of someone else’s digital signature in the course of electronic contracts. Increasingly a new type of crime has emerged wherein sim cards of mobile phones have been ‘cloned’ enabling miscreants to make calls on others' accounts. This is also a form of identity theft.</p>
<p>Two sections of the amended IT Act penalize these crimes:</p>
<p>Section 66C makes it an offence to “fraudulently or dishonestly” make use of the electronic signature, password or other unique identification feature of any person. Similarly, section 66D makes it an offence to “cheat by personation” [<a href="#11">11</a>] by means of any ‘communication device’[<a href="#12">12</a>] or 'computer resource'.</p>
<p>Both offences are punishable with imprisonment of upto three years or with a fine of upto Rs. one lakh.</p>
<table class="plain">
<tbody>
<tr>
<td>
<p><b>Mumbai Police Solves Phishing scam</b> <span class="Apple-style-span">[<a href="#13">13</a>]</span></p>
<p>In 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID.</p>
<p>An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The place of offence, Vijaywada was searched for the evidence. One laptop and mobile phone used for committing the crime was seized.</p>
<p>The arrested accused had used open source code email application software for sending spam e-mails. He had downloaded the same software from the Internet and then used it as it is.</p>
<p>He used only VSNL to spam the e-mail to customers of the financial institute because VSNL email service provider does not have spam box to block the unsolicited emails.</p>
<p>After spamming e-mails to the institute customers he got the response from around 120 customers of which 80 are genuine and others are not correct because they do not have debit card details as required for e-banking."</p>
<p>The customers who received his e-mail felt that it originated from the bank. When they filled the confidential information and submitted it the said information was directed to the accused. This was possible because the dynamic link was given in the first page (home page) of the fake website. The dynamic link means when people click on the link provided in spam that time only the link will be activated. The dynamic link was coded by handling the Internet Explorer onclick () event and the information of the form will be submitted to the web server (where the fake website is hosted). Then server will send the data to the configured e-mail address and in this case the e-mail configured was to the e-mail of the accused. All the information after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) which he had received through the Wi-Fi Internet connectivity of Reliance.com was now available on his Acer laptop.</p>
<p>This crime was registered under section 66 of the IT Act, sections 419, 420, 465, 468 and 471 of the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 which attract the punishment of three years imprisonment and fine upto Rs 2 lac which the accused never thought of.</p>
</td>
</tr>
</tbody>
</table>
<h3>Spam and Offensive Messages</h3>
<p>Although the advent of e-mail has greatly enhanced our communications capacities, most e-mail networks today remain susceptible to attacks from spammers who bulk-email unsolicited promotional or even offensive messages to the nuisance of users. Among the more notorious of these scams is/was the so-called "section 409 scam" in which victims receive e-mails from alleged millionaires who induce them to disclose their credit information in return for a share in millions.</p>
<p>Section 66A of the IT Act attempts to address this situation by penalizing the sending of:</p>
<ul>
<li>any message which is grossly offensive or has a menacing character</li>
<li>false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will</li>
<li>any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages;</li>
</ul>
<p>This offence is punishable with imprisonment upto three years and with a fine[<a href="#14">14</a>]</p>
<table class="plain">
<tbody>
<tr>
<td><span class="Apple-style-span"><b>Hoax E-mails</b> [<a href="#15">15</a>]</span><br /><br />
<p><span class="Apple-style-span">In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell (CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the police to find them before it was too late.</span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">According to police officials, at around 1p.m. on May 25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you have two hours to find it.” The police, who were alerted immediately, traced the Internet Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said officials.</span></p>
<pre><span class="Apple-style-span"><b>Minor Hoax Spells Major Trouble</b></span></pre>
<ul>
<li><span class="Apple-style-span">Sixteen-year-old Rakesh Patel (name changed), a student from Ahmedabad, sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. He was charge-sheeted on November 28, 2008.<br /></span><span class="Apple-style-span">Status: Patel was given a warning by a juvenile court</span></li>
<li><span class="Apple-style-span"> </span><span class="Apple-style-span">A 14-year-old Colaba boy sent a hoax e-mail to a TV channel in Madhya Pradesh, three days after the July 26, 2008, Ahmedabad bomb blasts. He claimed that 29 bombs would go off in Jabalpur. He was picked up by officers of the anti-terrorism squad (ATS) who, with the help of the MP police, were able to trace the e-mail to a cyber café in Colaba.</span><br /><span class="Apple-style-span">Status: No FIR was registered. The Cuffe Parade police registered a non-cognizable (NC) complaint </span><span class="Apple-style-span">against him, and the boy was allowed to go home after the police gave him a “strict warning”.</span></li>
<li>Shariq Khan, 18, was arrested in Bhopal on July 26, 2006, for sending out three e-mails claiming to be a member of the terrorist organisation, which the police believed was behind the 7/11 train bombings. He was arrested by the Bhopal police. Later, the ATS brought the boy to Mumbai and also booked him for a five-year-old unsolved case where an unknown accused had sent e-mail warnings to the department of Atomic Energy (DAE) in 2001.<br />Status: The police filed a charge-sheet against Shariq who claimed that he had sent the e-mails for fun. Trial is pending in a juvenile court. Shariq is presently out on bail in Bhopal.</li>
<li>On February 26, 2006, a 17-yearold student from Jamnabai Narsee School called an Alitalia flight bound to Milan at 2 a.m. telling them there was a bomb on board. He wanted to stop his girlfriend from going abroad. She was one of the 12 students on their way to attend a mock United Nations session in Geneva.<br />Status: After being grilled by the police, he was arrested, but let out on bail.</li>
</ul>
</td>
</tr>
</tbody>
</table>
<h2>Lawful Interception and monitoring of electronic communications under the IT Act</h2>
<p>In addition to violations of privacy by criminal and the mischievous minded, electronic communications and storage are also a goldmine for governmental supervision and surveillance. This section provides a brief overview of the provisions in the IT Act which circumscribe the powers of the state to intercept electronic communications.</p>
<p>The newly amended IT Act completely rewrote its provisions in relation to lawful interception. The new section 69 dealing with “power to issue directions for interception or monitoring or decryption of any information through any computer resource” is much more elaborate than the one it replaced, In October 2009, the Central Government notified rules under section 69 which lay down procedures and safeguards for interception, monitoring and decryption of information (the “Interception Rules 2009”). This further thickens the legal regime in this context.</p>
<p><span class="Apple-style-span"> </span></p>
<table class="plain">
<tbody>
<tr>
<td>
<p><b>Unlawful Intercept</b></p>
<p>In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and detained for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.</p>
<p>Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages [<a href="#16">16</a>].</p>
<p>The incident highlights how minor privacy violations by ISPs and intermediaries could have impacts that gravely undermine other basic human rights [<a href="#17">17</a>].</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p><span class="Apple-style-span">In addition to section 69, the Government has been empowered under the newly inserted section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource".</span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">"Traffic data" has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.” Rules have been issued by the Central Government under this section (the “Monitoring and Collecting Traffic Data Rules, 2009”) which are similar, although with important distinctions, to the rules issued under section 69. </span></p>
<p>Thus, there are two parallel interception and monitoring regimes in place under the Information Technology Act. In the paragraphs that follow, we provide an overview of the regime of surveillance under section 69 — since they are more targeted towards the individual, and consequently the threats to privacy are more severe — while highlighting important differences in the rules drafted under section 69.</p>
<h3>Who may lawfully intercept?</h3>
<p>Section 69 empowers the “Central Government or a state government or any of its officers specially authorised by the Central Government or the state government, as the case may be” to exercise powers of interception under this section.</p>
<p>Under the Interception Rules 2009, the secretary in the Ministry of Home Affairs has been designated as the "competent authority", with respect to the Central Government, to issue directions pertaining to interception, monitoring and decryption. Similarly, the respective state secretaries in charge of Home Departments of the various states and union territories are designated as "competent authorities" to issue directions with respect to the state government [<a href="#18">18</a>].</p>
<div>
<table class="plain">
<tbody>
<tr>
<td></td>
<td>Central Government</td>
<td>State/Union Territory</td>
</tr>
<tr>
<td>Ordinary Circumstances</td>
<td>Secretary in the Ministry of Home Affairs</td>
<td>Secretary in charge of Home Departments of State</td>
</tr>
<tr>
<td>Emergency</td>
<td>Head or second senior most officer of security and law enforcement</td>
<td>Authorized officer not below the rank of Inspectors General of Police</td>
</tr>
</tbody>
</table>
</div>
<p>However, an exception is made in cases of emergency, either</p>
<ul>
<li>in remote areas where obtaining prior directions from the competent authority is not feasible or</li>
</ul>
<ul>
<li>for ‘operational reasons’ where obtaining prior directions is not feasible.</li>
</ul>
<p>In such cases it would be permissible to carry out interception after obtaining the orders of the Head or second senior most officer of security and law enforcement at the central level, and an authorized officer not below the rank of Inspector General of Police at the state or union territory level. The order must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days, failing which the order would lapse.</p>
<p>Where a state/union territory wishes to intercept/monitor or decrypt information beyond its territory, the competent authority for that state must make a request to the competent authority of the Central Government to issue appropriate directions.</p>
<h2>Under what circumstances a direction to intercept may be issued?</h2>
<h3>Purposes for which interception may be directed</h3>
<p>Under section 69, the powers of interception may be exercised by the authorized officers “when they are satisfied that it is necessary or expedient” to do so in the interest of:</p>
<ul>
<li>sovereignty or integrity of India,</li>
</ul>
<ul>
<li>defense of India,</li>
</ul>
<ul>
<li>security of the state,</li>
</ul>
<ul>
<li>friendly relations with foreign states or</li>
</ul>
<ul>
<li>public order or</li>
</ul>
<ul>
<li>preventing incitement to the commission of any cognizable offence relating to above or</li>
</ul>
<ul>
<li>for investigation of any offence.</li>
</ul>
<p>Under section 69B, the competent authority may issue directions for monitoring for a range of “cyber security”[<a href="#20">20</a>] purposes including, inter alia, “identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security”.</p>
<h3>Contents of direction</h3>
<p>The reasons for ordering interception must be recorded in writing [<a href="#21">21</a>].</p>
<p><span class="Apple-style-span">In the case of a direction under section 69, in arriving at its decision, the competent authority must consider alternate means of acquiring the information other than issuing a direction for interception [</span><a href="#22">22</a><span class="Apple-style-span">]. The direction must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources [</span><a href="#23">23</a><span class="Apple-style-span">]. The direction must specify the name and designation of the officer to whom information obtained is to be disclosed, and also specify the uses for which the information is to be employed [</span><a href="#24">24</a><span class="Apple-style-span">].</span></p>
<h3>Duration of interception and periodic review</h3>
<p>Once issued, an interception direction issued under section 69 remains in force for a period of 60 days (unless withdrawn earlier), and may be renewed for a total period not exceeding 180 days [<a href="#25">25</a>]. A direction issued under section 69B does not expire automatically through the lapse of time and theoretically would continue until withdrawn.</p>
<p>Within seven days of its issue, a copy of a direction issued under either section 69 or section 69B must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act [<a href="#26">26</a>]. Every two months, the review committee is required to meet and record its findings as to whether the direction was validly issued in light of section 69(3) [<a href="#27">27</a>]. If the review committee is of the opinion that it was not, it can set aside the direction and order destruction of all information collected [<a href="#28">28</a>].</p>
<h3>What powers of interception do they have?</h3>
<p>The competent authority may, in his written direction “direct any agency of the appropriate government to intercept monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource”[<a href="#29">29</a>].</p>
<p>Accordingly, the subscriber or intermediary or any person in charge of the computer resource is must, if required by the designated government agency, extend all facilities, equipment and technical assistance to:</p>
<ul>
<li>provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or</li>
</ul>
<ul>
<li>intercept, monitor, or decrypt[<a href="#30">30</a>] the information, as the case may be; or</li>
</ul>
<ul>
<li>provide information stored in computer resource.</li>
</ul>
<p>The intermediary must maintain records mentioning the intercepted information, the particulars of the person, e-mail account, computer resource, etc., that was intercepted, the particulars of the authority to whom the information was disclosed, number of copies of the information that were made, the date of their destruction, etc. [<a href="#31">31</a>]. This list of requisitions received must be forwarded to the government agency once every 15 days to ensure their authenticity [<a href="#32">32</a>].</p>
<p>In addition, a responsibility is cast on the intermediary to put in place adequate internal checks to ensure that unauthorized interception does not take place, and extreme secrecy of intercepted information is maintained [<a href="#33">33</a>].</p>
<h2>How long can information collected during interception be retained?</h2>
<p><span class="Apple-style-span">Interception rules require all records, including electronic records pertaining to interception to be destroyed by the government agency “in every six months except in cases where such information is required or likely to be required for functional purposes”. In the case of the Monitoring and Collecting of Traffic Data Rules 2009, this period is nine months from the date of creation of record.</span></p>
<p>In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. In the case of Monitoring Rules, this period is six months from the date of discontinuance.</p>
<h2>What penalties accrue to intermediaries and subscribers for resisting interception?</h2>
<p><span class="Apple-style-span">Section 69 stipulates a penalty of imprisonment upto a term of seven years and fine for any “subscriber or intermediary or any person who fails to assist the agency” empowered to intercept.</span></p>
<h2>Data Protection under the IT Act</h2>
<h3>Data Retention Requirements of 'Intermediaries'</h3>
<p><span class="Apple-style-span">Section 67C of the amended IT Act mandates ‘intermediaries’[<a href="#34">34</a>] to maintain and preserve certain information under their control for durations which are to be specified by law. </span></p>
<p><span class="Apple-style-span"> </span>Any intermediary who fails to retain such electronic records may be punished with imprisonment up to three years and a fine.</p>
<h3>Liability for body-corporates under section 43A</h3>
<p><span class="Apple-style-span">The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure. </span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">It is only the narrowly-defined ‘body corporates’ [<a href="#35">35</a>] engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section [<a href="#36">36</a>]. </span></p>
<p><span class="Apple-style-span"> </span>“Sensitive personal data or information” is any information that the Central Government may designate as such, when it sees fit to.</p>
<p>The “reasonable security practices” which the section obliges body corporates to observe are restricted to such measures as may be specified either “in an agreement between the parties” or in any law in force or as prescribed by the Central Government.</p>
<p>By defining both “sensitive personal data” and “reasonable security practice” in terms that require executive elaboration, the section in effect pre-empts the courts from evolving an iterative, contextual definition of these terms.</p>
<div>
<table class="plain">
<tbody>
<tr>
<td><b>Mphasis BPO Fraud: 2005</b> [<a href="#37">37</a>]<br /><br />
<p><span class="Apple-style-span">In December 2004, four call centre employees, working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the PINs. </span></p>
<p><span class="Apple-style-span"> </span><span class="Apple-style-span">In association with others, the call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information gleaned during their employment at MphasiS to transfer money from the bank accounts of CitiGroup customers to the new accounts at Indian banks. </span></p>
<p><span class="Apple-style-span"></span>By April 2005, the Indian police had tipped off to the scam by a U.S. bank, and quickly identified the individuals involved in the scam. Arrests were made when those individuals attempted to withdraw cash from the falsified accounts, $426,000 was stolen; the amount recovered was $230,000.</p>
</td>
</tr>
</tbody>
</table>
</div>
<h3>Draft Reasonable Security Practices Rules 2011 <span class="Apple-style-span">[<a href="#38">38</a>]</span></h3>
<p>In February 2011, the Ministry of Information and Technology, published draft rules under section 43A in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold.</p>
<p><b>Sensitive Personal Information</b><br />Rule 3 of these Draft Rules designates the following types of information as ‘sensitive personal information’:</p>
<ul>
<li>password;</li>
</ul>
<ul>
<li>user details as provided at the time of registration or thereafter;</li>
</ul>
<ul>
<li>information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users;</li>
</ul>
<ul>
<li>physiological and mental health condition;</li>
</ul>
<ul>
<li>medical records and history;(vi) Biometric information;</li>
</ul>
<ul>
<li>information received by body corporate for processing, stored or processed under lawful contract or otherwise;</li>
</ul>
<div>
<div>
<ul>
<li>call data records;</li>
</ul>
</div>
</div>
<p>This however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.</p>
<p>They and “any person” holding sensitive personal information are forbidden from “keeping that information for longer than is required for the purposes for which the information may lawfully be used”[<a href="#40">40</a>]</p>
<h3>Mandatory Privacy Policies for body corporates</h3>
<p><span class="Apple-style-span">Rule 4 of the draft rules enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” [<a href="#41">41</a>]. The policy must provide details of:</span></p>
<div>
<div>
<ul>
<li>Type of personal or sensitive information collected under sub-rule (ii) of rule 3;</li>
<li>Purpose, means and modes of usage of such information;</li>
<li>Disclosure of information as provided in rule 6 [<a href="#42">42</a>]. </li>
</ul>
</div>
</div>
<div><b>Prior Consent and Use Limitation during Data Collection</b></div>
<div><span class="Apple-style-span"><br /></span></div>
<p><span class="Apple-style-span">In addition to the restrictions on collecting sensitive personal information, body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable”[<a href="#43">43</a>] to ensure that the individual from whom data is collected is aware of :</span></p>
<div>
<ul>
<li>the fact that the information is being collected; and</li>
<li>the purpose for which the information is being collected; and</li>
<li>the intended recipients of the information; and</li>
<li>the name and address of :</li>
<li>the agency that is collecting the information; and</li>
<li>the agency that will hold the information. </li>
</ul>
</div>
<p>During data collection, body corporates are required to give individuals the option to opt-in or opt-out from data collection [<a href="#44">44</a>]. They must also permit individuals to review and modify the information they provide "wherever necessary" [<a href="#45">45</a>]. Information collected is to be kept securely [<a href="#46">46</a>], used only for the stated purpose [<a href="#47">47</a>] and any grievances must be addressed by the body corporate “in a time bound manner” [<a href="#48">48</a>].</p>
<p>Unlike "sensitive personal information" there is no obligation to retain information only for as long as is it is required for the purpose collected.</p>
<h3>Limitations on Disclosure of Information</h3>
<p><span class="Apple-style-span">The draft rules require a body corporate to obtain prior permission from the provider of such information obtained either “under lawful contract or otherwise” before information is disclosed [<a href="#49">49</a>]. The body corporate or any person on its behalf shall not publish the sensitive personal information [<a href="#50">50</a>]. Any third party receiving this information is prohibited from disclosing it further [<a href="#51">51</a>]. However, a proviso to this sub-rule mandates information to be provided to ‘government agencies’ for the purposes of “verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to “state that the information thus obtained will not be published or shared with any other person” [<a href="#52">52</a>].</span></p>
<p>Sub-rule (2) of rule 6 requires “any information” to be “disclosed to any third party by an order under the law for the time being in force.” This is to be done “without prejudice” to the obligations of the body corporate to obtain prior permission from the providers of information [<a href="#53">53</a>].</p>
<h3>Reasonable Security Practices</h3>
<p><span class="Apple-style-span">Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:</span></p>
<ul>
<li>a comprehensive documented information security program; and</li>
</ul>
<ul>
<li>information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.</li>
</ul>
<p>In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”.</p>
<p>The rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.</p>
<p>The rule also permits “industry associations or industry clusters” who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of sub-rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A.</p>
<h2>Penalties and Remedies for breach of Data Protection</h2>
<h3>Civil Liability for Corporates</h3>
<div><span class="Apple-style-span">As mentioned above, any body corporates who fail to observe data protection norms may be liable to pay compensation if:</span></div>
<ul>
<li>it is negligent in implementing and maintaining reasonable security practices, and thereby </li>
</ul>
<ul>
<li>causes wrongful loss or wrongful gain to any person;[<a href="#54">54</a>]</li>
</ul>
<p>Claims for compensation are to be made to the adjudicating officer appointed under section 46 of the IT Act. Further, details of the powers and functions of this officer are given in succeeding sections of this note.</p>
<h3>Criminal liability for disclosure of information obtained in the course of exercising powers under the IT Act</h3>
<p><span class="Apple-style-span">Section 72 of the Information Technology Act imposes a penalty on “any person” who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the Act or rules, discloses such information without the consent of the person concerned. Such unauthorized disclosure is punishable “with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”</span></p>
<h3>Criminal Liability for unauthorized disclosure of information by any person of information obtained under contract</h3>
<p>Section 72A of the IT Act imposes a penalty on any person [<a href="#55">55</a>] (including an intermediary) who</p>
<ul>
<li>has obtained personal information while providing services under a lawful contract and</li>
</ul>
<ul>
<li>discloses the personal information without consent of the person, </li>
</ul>
<ul>
<li>with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [<a href="#56">56</a>]</li>
</ul>
<p>Such unauthorised disclosure to a third person is punishable with imprisonment upto three years or with fine upto Rs five lakh, or both.</p>
<h2>Whom to call? Adjudicatory Mechanism and Remedies under the IT Act</h2>
<p><span class="Apple-style-span">This section provides a brief outline of the mechanism installed by the IT Act to activate the various remedies and penalties prescribed in various sections of the Act. As a victim of online intrusion, how does one use the IT Act to seek redressal?</span></p>
<p><span class="Apple-style-span"></span><span class="Apple-style-span">As mentioned above, the IT Act provides for both the civil remedy of damages in compensation (Chapter IX) as well as criminal penalties for offences such as imprisonment and fine (Chapter XI). In general, claiming a civil remedy does not bar one from seeking criminal prosecution and ideally both should be pursued together. For clarity, in the sections that follow, we will be discussing the two procedures separately.</span></p>
<h2>Civil Damages and Compensation</h2>
<h3>Whom to approach?</h3>
<p><span class="Apple-style-span">Section 46 of the IT Act empowers the Central Government to appoint “adjudication officers” to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (See section 2.1 and 4.2 above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the secretaries of the Department of Information Technology of each of the states or union territories as the “adjudicating officer” with respect to each of their territories [<a href="#57">57</a>].</span></p>
<p>However, a pecuniary limit has been placed on the powers of adjudicating officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. five crores. In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the “competent court”, under the Code of Civil Procedure [<a href="#58">58</a>].</p>
<p>Section 61 of the Act bars ordinary civil courts from jurisdiction over matters which the adjudicating officers have been empowered to decide under this Act.</p>
<h2>When must a complaint be filed?</h2>
<div><span class="Apple-style-span">The Limitation Act provides that a suit must be filed within three years from when the right to sue accrues [<a href="#59">59</a>].</span></div>
<h2>What is the procedure?</h2>
<p><span class="Apple-style-span">Section 46 and the rules framed under that section provide elaborate guidelines on the procedure that is to be followed by the adjudicating officer. Thus, the adjudicating officer is required to give the accused person “a reasonable opportunity for making representation in the matter”. Thereafter, if , on an inquiry, “he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.”</span></p>
<p>In order to carry out their duties adjudicating officer have been invested with the powers of a civil court which are conferred on the cyber appellate tribunal [<a href="#60">60</a>]. Additionally, they have the power to punish for their contempt undert the Code of Criminal Procedure.</p>
<p>Rules framed under the section provide further details on the procedure that must be followed and provide for the issuance of a “show cause notice”, manner of holding enquiry, compounding of offences, etc. [<a href="#61">61</a>].</p>
<p>Section 47 provides that in adjudging the quantum of compensation, the adjudicating officer shall have due regard to the following factors, namely:—</p>
<ul>
<li>the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; </li>
</ul>
<ul>
<li>the amount of loss caused to any person as a result of the default;</li>
</ul>
<ul>
<li>the repetitive nature of the default.</li>
</ul>
<h2>Where must a complaint be filed and in what format?</h2>
<p>The complaint must be made to the adjudicating officer of the state or union territory on the basis of location of computer system, computer network. The complaint must be made on a plain paper in the format provided in the Performa attached to the rules [<a href="#62">62</a>].</p>
<p>In case the offender or computer resource is located abroad, it would be deemed, for the purpose of prosecution to be located in India [<a href="#63">63</a>].</p>
<h2>How long does the process take?</h2>
<div>
<div>The Rules direct that the whole matter should be heard and decided “as far as possible” within a period of six months [<a href="#64">64</a>].</div>
</div>
<h2>How much does it cost?</h2>
<p>The Rules stipulates a variable fee payable by a bank draft calculated on the basis of damages claimed by way of compensation</p>
<div></div>
<div>
<table class="plain">
<tbody>
<tr>
<td>
<p>a) Upto Rs. 10,000</p>
</td>
<td>
<p><span class="Apple-style-span">10% ad valorem rounded off to nearest next hundred</span></p>
</td>
</tr>
<tr>
<td>
<p>b) From 10001 to Rs.50000</p>
</td>
<td>
<p>Rs. 1000 plus 5% of the amount exceeding Rs.10,000 rounded off to nearest next hundred</p>
</td>
</tr>
<tr>
<td>
<p>c) From Rs.50001 to Rs.100000</p>
</td>
<td>
<p>Rs. 3000/- plus 4% of the amount exceeding Rs. 50,000 rounded off to nearest next hundred</p>
</td>
</tr>
<tr>
<td>
<p>d) More than Rs. 100000</p>
</td>
<td>
<p>Rs.5000/- plus 2% of the amount exceeding Rs. 100,000 rounded off to nearest next hundred</p>
</td>
</tr>
</tbody>
</table>
</div>
<h3>Appeals to the Cyber Appellate Tribunal and the High Court</h3>
<p>The Act provides for the constitution of a cyber appellate tribunal to hear appeals from cases decided by the adjudicating officer.</p>
<p><span class="Apple-style-span"></span><span class="Apple-style-span">Within 25 days of the copy of the decision being made available by the adjudicating officer, the aggrieved party may file an appeal before the cyber appellate tribunal.</span></p>
<p><span class="Apple-style-span"></span>Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order. Such an appeal must be filed within 60 days from the date of communication of the decision or order of the cyber appellate tribunal.</p>
<h3>Can contraventions be compounded (compromised) with the offender?</h3>
<p>Except in the case of repeat offenders, contraventions may be compromised by the adjudicating officer or between the parties either before or after institution of the suit. Where any contravention has been compounded the IT Act provides that “no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded”[<a href="#65">65</a>].</p>
<h3>Criminal Penalties</h3>
<p>The process described above applies to “contraventions” under Chapter IX of the Act. In addition to being liable to pay compensation, in the cases falling under section 43, such offenders may also be liable for criminal penalties such as imprisonment and fines [<a href="#66">66</a>]. This sub-section of this paper deals with the procedure to be followed with respect to the criminal offences set out under Chapter XI of the Act (for example, see sections 2.2 to 2.5 above).</p>
<h2>Whom to approach? Who can take cognizance of offences and investigate them?</h2>
<p>Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act.</p>
<p>Many states have set up dedicated cyber crime police stations to investigate offences under this Act [<a href="#67">67</a>]. Thus, for example, the State of Karnataka has set up a special cyber crime police station responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka [<a href="#68">68</a>].</p>
<h2>When must a complaint be lodged?</h2>
<p>Although there is no time limit prescribed by the IT Act or the Code of Criminal Procedure with respect to when an FIR must be filed, in general, courts tend to take an adverse view when a significant delay has occurred between the time of occurrence of an offence and it’s reporting to the nearest police station.</p>
<p>The Code of Criminal Procedure forbids courts from taking cognizance of cases after three years “if the offence is punishable with imprisonment for a term exceeding one year but not exceeding three years”. Where either the commission of the offence was not known to the person aggrieved, or where it is not known by whom the offence committed, this period is computed from the date on which respectively the offence or the identity of the offender comes to the knowledge of the person aggrieved [<a href="#69">69</a>].</p>
<h2>What is the procedure?</h2>
<p>No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation, charge sheet, trial, decision, sentencing and appeal.</p>
<h2>Can offences be compounded?</h2>
<p><span class="Apple-style-span">Offences punishable with imprisonment of upto three years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which “affect the socio-economic conditions of the country” or those committed against a child under 18 years of age or against women cannot be compounded [<a href="#70">70</a>]. </span></p>
<h3><span class="Apple-style-span">Bibliography</span></h3>
<div><span class="Apple-style-span"><br /></span></div>
<p><a name="1">[1].<span class="Apple-tab-span"></span>The IT Act is only one of the various laws which safeguard citizens from violations of online privacy. In addition, in the domain of finance, for instance, various RBI regulations mandate strong security protocols with respect to data held by financial institutions. Since this is the subject of a different dispatch on banking and privacy which we have brought out, these regulations are omitted from this discussion.</a></p>
<p><a name="2">[2].Section 2(k) of the IT Act defines ‘computer’ as any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.</a></p>
<p><a name="3">[3].Section 43 defines "computer contaminant" as any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;</a></p>
<p><a name="4">[4].Similarly, "computer virus" has been defined in section 43 as “any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data or instruction is executed or some other event takes place in that computer resource;</a></p>
<p><a name="6">[6].Section 66 of the IT Act. </a><a name="5">Anon, 2009. Bangalore techie convicted for hacking govt site. Deccan Herald. Available at: http://goo.gl/jCvAh. [Accessed March 29, 2011];</a></p>
<p><a name="7">[7].The Information Technology (Due Diligence observed by Intermediaries Guidelines) Rules, 2011;</a></p>
<p><a name="8">[8].‘Intermediary’ has been defined very expansively under section 2(w) of the Act to mean, with respect to any electronic record, “any person who on behalf of another person receives, stores or transmits that record, or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes</a></p>
<p><a name="9">[9].‘Private area’ has been defined in section 66E as “the naked or undergarment clad genitals, pubic area, buttocks or female breast”.</a></p>
<p><a name="10">[10].Defined as “circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his or her private area was being captured or (ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place”. See explanation to Section 66E</a></p>
<p><a name="11">[11]."Cheating by personation" is a crime defined under section 416 the Indian Penal Code. According to that section, “a person is said to "cheat by personation" if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is." The explanation to the section adds that "the offence is committed whether the individual personated is a real or imaginary person". Two illustrations to the section further elaborate its meaning: (a) A cheats by pretending to be a certain rich banker of the same name. A cheats by personation (b) A cheats by pretending to be B, a person who is deceased. A cheats by personation.</a></p>
<p><a name="12">[12].Communication device" has been defined to mean "cell phones, personal digital assistance (sic) or combination of both or any other device used to communicate send or transmit any text, video, audio or image".</a></p>
<p><a name="12"></a><a name="12"> </a></p>
<p><a name="13">[13].2005. Cyber Crime Cell, Mumbai: Case of Phishing. Mumbai Police. Available at: http://www.cybercellmumbai.com/case-studies/case-of-fishing [Accessed March 23, 2011].</a></p>
<p><a name="12"> </a></p>
<p><a name="14">[14]. Although no maximum limit is prescribed for the fine under this section, Section 63 of the Indian Penal Code declares that “Where no sum is expressed to which a fine may extend, the amount of fine to which the offender is liable is unlimited, but shall not be excessive”.</a></p>
<p><a name="12"> </a></p>
<p><a name="12"></a><a name="15">[15].Hafeez, M., 2009. Crime Line: Curiosity was his main motive, say city police. Crime Line. Available at: http://mateenhafeez.blogspot.com/2009/05/curiosity-was-his-main-motive-say-city.html [Accessed March 23, 2011].</a></p>
<p><a name="16">[16]. Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].</a></p>
<p><a name="17">[17].See also Nanjappa, V., 2008. 'I have lost everything'. Rediff.com News. Available at: http://www.rediff.com/news/2008/jan/21inter.htm [Accessed March 23, 2011].</a></p>
<p><a name="18">[18]. By contrast, rules framed under Section 69B designates only the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and IT as the “competent authority” to issue orders of interception.</a></p>
<p><a name="19">[19].It is unclear what these “operational reasons” could mean. The text of the rules provide no useful guidance.</a></p>
<p><a name="20">[20].“Cyber security breach” is defined as meaning “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly acceptable security policy resulting in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information or changes to date, information without authorization”. Rule 2(f) of the Monitoring and Collecting of Traffic Data Rules 2009. </a></p>
<p><a name="20"> </a></p>
<p><a name="20"></a><a name="21">[21].Rule 7 of the Interception Rules 2009; Rule 3(3) of the Monitoring and Collecting of Traffic Data Rules 2009</a></p>
<p><a name="22">[22].Rule 8 of the Interception Rules 2009</a></p>
<p><a name="23">[23]. Rule 9 of the Interception Rules 2009</a></p>
<p><a name="24">[24].Rule 10 of the Interception Rules 2009; </a></p>
<p><a name="25">[25].Rule 11 of the Interception Rules 2009</a></p>
<p><a name="26">[26].Rule 7 of the Interception Rules 2009</a></p>
<p><a name="27">[27].Rule 22 of the Interception Rules 2009</a></p>
<p><a name="28">[28]. Ibid</a></p>
<p><a name="29">[29].Section 69 of the IT Act.</a></p>
<p><a name="30">[30].The intermediary is required to assist in the decryption only to the extent that the intermediary has control over the decryption key. See Sub-Rule 13(3) of the Interception Rules 2009. Rule 17 enjoins the holder of a decryption key to provide decryption assistance when directed to by the competent authority. </a></p>
<p><a name="31">[31].Rule 16 of the Interception Rules 2009</a></p>
<p><a name="32">[32].Rule 18 of the Interception Rules 2009</a></p>
<p><a name="33">[33]. Rule 20 of the Interception Rules 2009; Rules 10 & 11 of the Monitoring and Collecting of Traffic Data Rules 2009. Failure to maintain secrecy of data may attract punishment under Section 72 of the Information Technology Act.</a></p>
<p><a name="34">[34].Supra n. 6 for definition</a></p>
<p><a name="35">[35].Section 43A defines "'body corporate" as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</a></p>
<p><a name="36">[36].This does not necessarily mean that these entitles are exempt from taking reasonable care to safeguard information that they collect, maintain or control – only that remedies against the government must be sought under general common law, rather than under the IT Act. </a></p>
<p><a name="37">[37].Anon, 2005. The MphasiS Scandal – And How it Concerns U.S. Companies Considering Offshore BPO. Carretek. Available at: http://www.carretek.com/main/news/articles/MphasiS_scandal.htm [Accessed March 29, 2011]. See also Anon, 2005. MphasiS case: BPOs feel need to tighten security. Indian Express. Available at: http://www.expressindia.com/news/fullstory.php?newsid=44856 [Accessed March 29, 2011].</a></p>
<p><a name="38">[38]. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011. Available at http://www.mit.gov.in/sites/upload_files/dit/files/senstivepersonainfo07_02_11.pdf, last accessed February 15th, 2011.</a></p>
<p><a name="39">[39].Rule 5 of the Draft Rules.</a></p>
<p><a name="39"> </a></p>
<p><a name="39"></a><a name="40">[40]. This is perhaps a bit vague, since the potential ‘lawful uses’ are numerous and could be inexhaustible. It is unclear whether “lawful usage” is coterminous with “the uses which are disclosed to the individual at the time of collection”. In addition, this rule is framed rather weakly since it does not impose a positive obligation (although this is implied) to destroy information that is no longer required or in use.</a></p>
<p><a name="41">[41].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.</a></p>
<p><a name="42">[42]. This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6. </a></p>
<p><a name="43">[43].One wonders about the convoluted language used here when a simpler phrase like “take reasonable steps” alone might have sufficed - reasonableness has generally been interpreted by courts contextually. As the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.</a></p>
<p><a name="44">[44].Sub-Rule 5(7).</a></p>
<p><a name="45">[45].Sub-Rule 5(6). It is unclear what would count as a ‘necessary’ circumstance and who would be the authority to determine such necessity. </a></p>
<p><a name="46">[46].Sub-Rule 5(8).</a></p>
<p><a name="47">[47].Sub-Rule 5(5).</a></p>
<p><a name="48">[48].Sub-Rule 5(9).</a></p>
<p><a name="49">[49]. Sub-Rule 6(1) There are two problems with this rule. First, it requires prior permission only from the provider of information, and not the individual to whom the data pertains. In effect this whittles down the agency of the individual in being able to control the manner in which information pertaining to her is used. Second, it is not clear whether this information includes “sensitive personal information”. The proviso to this rule includes the phrase “sensitive information”, which would suggest that such information would be included. This makes it even more important that the rule require that prior permission be obtained from the individual to whom the data pertains and not merely from the provider of information. </a></p>
<p><a name="50">[50].Sub-Rule 6(3).</a></p>
<p><a name="51">[51].Sub-Rule 6(4).</a></p>
<p><a name="52">[52].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?</a></p>
<p><a name="53">[53].This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.</a></p>
<p><a name="54">[54]. “Wrongful loss” and “wrongful gain” have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.” The section also includes this interesting explanation “Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property”. Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a “wrongful gain”.</a></p>
<p><a name="55">[55]. Section 3(39) of the General Clauses Act defines a person to include “any company or association or body of individuals whether incorporated or not”. An interesting question here would be whether the State can be considered “a person” so that it can be held liable for unauthorized disclosure of personal information. In an early case of Shiv Prasad v. Punjab State AIR 1957 Punj 150, the Punjab High Court had excluded this possibility. However, the case law on this point has not been consistent. In Ramanlal Maheshwari v.Municipal Committee, the MP High Court held that the Municipal Council could be treated as a ‘person’ for the purpose of levying a fine attached to a criminal offence. Statutory corporate bodies (such as the proposed UID Authority of India) have been held to be ‘persons’ for purposes of law . See Commissioners, Port of Calcutta v. General Trading Corporation, AIR 1964 Cal 290. Here under the Calcutta Port Act, Port Commissioners were declared to be a “body corporate”, and hence were held to be a ‘person’.</a></p>
<p><a name="56">[56].See supra n. 44.</a></p>
<p><a name="57">[57]. See G.S.R.240(E) New Delhi, the 25th March, 2003 available at < http://www.mit.gov.in/content/it-act-notification-no-240> .</a></p>
<p><a name="58">[58].See Section 46(1A).</a></p>
<p><a name="59">[59].Schedule I, Part X of the Limitation Act “Suits for which there is no prescribed period.”</a></p>
<p><a name="60">[60].The powers of the Cyber Appellate Tribunal under Section 58 include the powers of (a) summoning and enforcing the attendance of any person and examining him on oath; (b) requiring the discovery and production of documents or other electronic records; (c) receiving evidence on affidavits; (d) issuing commissions for the examination of witnesses or documents; (e) reviewing its decisions; (f) dismissing an application for default or deciding it ex parte.</a></p>
<p><a name="61">[61].Information Technology (Qualification and Experience of Adjudicating Officers and Manner of holding Enquiry) Rules, 2003 [GSR 220(E)] Available at <http://cca.gov.in/rw/resource/notification-gsr220e.pdf?download=true>.</a></p>
<p><a name="62">[62]. Ibid Rule 4(b).</a></p>
<p><a name="63">[63]. Section 75.</a></p>
<p><a name="64">[64]. Ibid, Rule 4(k).</a></p>
<p><a name="65">[65]. Section 63 of the Act.</a></p>
<p><a name="66">[66].Prior to amendment in 2008, contraventions listed in Section 43 were only liable to be compensated by damages through civil proceedings. Thus in 2007, the Madras High Court annulled an FIR lodged in a police station which listed an activity mentioned in 43(g). See S. Sekar vs The Principal General Manager < http://indiankanoon.org/doc/182565/> This position has however been changed with the new Section 66 which makes all actions listed in Section 43 an offence when committed with dishonest or fraudulent intent. Thus an FIR can be lodged with respect to these activities as well.</a></p>
<p><a name="67">[67].An incomplete list of cyber crime cells of police in different states can be viewed at <http://infosecawareness.in/cyber-crime-cells-in-india>.</a></p>
<p><a name="68">[68]. Home and Transport3 Secretariat, Notification no. HD 173 POP 99 Bangalore, Dated 13th September 2001 Available at < http://cyberpolicebangalore.nic.in/pdf/notification_1.pdf>.</a></p>
<p><a name="69">[69]. Sections 468 and 469 of the Code of Criminal Procedure, 1973.</a></p>
<p><a name="70">[70]. Section 77A of the Information Technology Act.</a></p>
<p class="callout"><span class="Apple-style-span">Click below to download files of your choice:</span></p>
<ul>
<li><span class="Apple-style-span"><a href="http://editors.cis-india.org/internet-governance/blog/privacy-it-act.pdf" class="internal-link" title="Privacy IT Act">PDF </a> [347 kb]</span></li>
<li><a href="http://editors.cis-india.org/internet-governance/blog/privacy-it-act.odt" class="internal-link" title="Privacy and IT Act (ODT)">Open Office</a> [51 kb]</li>
<li><a href="http://editors.cis-india.org/internet-governance/blog/privacy-it-act.docx" class="internal-link" title="Privacy Act and IT">Word File</a> [55 kb]</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy'>http://editors.cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy</a>
</p>
No publisherPrashant IyengarInternet GovernancePrivacy2012-12-14T10:29:12ZBlog EntryIs Data Protection Enough?
http://editors.cis-india.org/internet-governance/blog/privacy/is-data-protection-enough
<b>The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.</b>
<p>In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.</p>
<p>Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.</p>
<p><strong>Sources</strong></p>
<ul><li><a class="external-link" href="http://www.thehindu.com/news/national/article905944.ece">http://www.thehindu.com/news/national/article905944.ece</a></li></ul>
<ul><li><a class="external-link" href="http://is.gd/hJWD8 http://is.gd/hJWSX">http://is.gd/hJWD8 http://is.gd/hJWSX</a></li></ul>
<ul><li><a class="external-link" href="http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage">http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage</a></li></ul>
<ul><li>Matthan, Rahul. The Mint:Technology. Nov. 24 2010</li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/is-data-protection-enough'>http://editors.cis-india.org/internet-governance/blog/privacy/is-data-protection-enough</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:28:51ZBlog EntrySurveillance Technologies
http://editors.cis-india.org/internet-governance/blog/privacy/surveillance-technologies
<b>The following post briefly looks at different surveillance technologies, and the growing use of the them in India. </b>
<h3>Surveillance...</h3>
<p>New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens life. They need to monitor phones, look through emails, peer into files – in-order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.</p>
<h3>...In a Car? On the Street? In an Airport?</h3>
<p>Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance the use of full body scanners at airports, or trucks equipped with scatter x-ray machines used to control crime in neighborhoods - is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.</p>
<h3>...In the Movie Theater????..for Marketing Purposes????</h3>
<p>Surveillance technology has now been taken even another step further. No longer is it being just used to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance the security company Aralia Systems manufacturers products such as: CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alerts the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies, the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers personal privacy.</p>
<h3>Is this technology in India?</h3>
<p>Though behavioral monitoring and piracy technologies such as ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personel check your handbag or back pack for camcorders. According to a Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a persons privacy?</p>
<h3>Sources</h3>
<ul><li>http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms</li><li>http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article</li><li>http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs</li><li> http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2</li></ul>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/surveillance-technologies'>http://editors.cis-india.org/internet-governance/blog/privacy/surveillance-technologies</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:40:24ZBlog Entry'Privacy Matters', Ahmedabad: Conference Report
http://editors.cis-india.org/internet-governance/blog/privacy/privacy-matters-report-from-ahmedabad
<b>On 26 March 2011, civil society, lawyers, judges, students and NGO’s, gathered together at the Ahmedabad Management Association to take part in 'Privacy Matters' – a public conference organised by Privacy India in partnership with IDRC and Research Foundation for Governance in India (RFGI) — to discuss the challenges of privacy in India, with an emphasis on national security and privacy. The conference was opened by Prashant Iyengar, head researcher at Privacy India and Kanan Drhu, director of RFGI. Mr. Iyengar explained Privacy India’s mandate to raise awareness of privacy, spark civil action, and promote democratic dialogue around privacy challenges and violations in India. RFGI is a think tank established in 2009 which aims to research, promote, and implement various reforms to improve the legal and political process in Gujarat and across India. ‘Privacy Matters – Ahmedabad’ is the third conference out of the eight that Privacy India will be hosting across India. The next conference will take place in Hyderabad on 9 April 2011. It will focus on human rights and privacy.</b>
<h2>The keynote speech, delivered by Usha Ramanathan, focused on links not often made between privacy and social phenomenon.<br /></h2>
<p></p>
<p align="left"><img class="image-left" src="../it-act/usha.jpg/image_preview" alt="Usha Ramanathan " />Ms. Usha Ramanathan opened the conference by examining the links not often made between privacy and personal security, between databases and national security, and the centrality of dislodging privacy in projects of social control. In her presentation she spoke about the inverse relationship between national and personal security, making the point that an important part of privacy is the ability of an individual to secure their own person. Today, because national security follows a policy of ubiquitous surveillance, it is almost impossible for an individual to secure their person from the state. Ms. Ramanathan also traced the beginnings of ubiquitous surveillance to the increasing global fear of terrorism, and the national break down of the criminal justice system in India. Instead of looking to the roots of terrorism and the roots of failure in the criminal justice system, the Indian State has responded to both these factors by superimposing a system of surveillance on top of the existing rule. Consequently, the state has become pan-optical — closely following the movement of its entire population. The state has been able to achieve this level of surveillance through technology, which it has used to create identifiers for its population. The use of technology by the state mediates a link between corporate interest and state interest. Thus, by facilitating the easy and ubiquitous creation of identifiers and surveillance, technology is changing the idea and the nature of privacy. For example, it is now important that a privacy law allows for individuals to protect and secure their identity, something that every individual has and every individual controls, while regulating the creation and external use of identifiers — something that is used by another (not you) to distinguish a person from the rest of the population. </p>
<h3>Questions to Consider</h3>
<ul><li>How can privacy legislation work to positively regulate the use of technology by the government, so that invasion of privacy does not consequently become state policy? </li></ul>
<ul><li>How can privacy legislation distinguish between and work to protect an identity while regulating the creation and use of personal information as identifiers?</li></ul>
<h2>Session I of the Conference featured a Judicial Perspective of Privacy and a Presentation on the Connections between Privacy and the Federal Income Tax Regime in India.</h2>
<h3>Privacy and the Constitution</h3>
<img class="image-right" src="../it-act/judge.jpg/image_preview" alt="Justice Bhatt" />
<p><strong> J N Bhatt</strong>, the former Chief Justice of Gujarat and Bihar, and currently the head of the Gujarat State Law Commission, spoke about privacy as a fundamental right that has been written into articles 19 and 21 of the Constitution of India. Important points from his presentation include:</p>
<ul><li>
<p> As privacy is already a recognized fundamental right, the question at hand is not if there is a right to privacy, but instead how can the right to privacy be best proliferated. </p>
</li></ul>
<ul><li>
<p>Within the question of how a privacy can best be proliferated, is a question about rights and duties. Wherever there is a right to privacy there is also a corresponding duty to privacy — as rights and duties are interdependent.</p>
</li></ul>
<ul><li>
<p>Though privacy has been recognized as a fundamental right in India, when looking at the actual assertion of the right, it is important to be aware of the cultural realities of India. India is a country with 39 per cent of her population living below the poverty line, with an even lower literacy rate, and there is a direct connection between the assertion of civil liberties, an individual’s civic sense, and education.</p>
</li></ul>
<ul><li>
<p>When looking at how to best proliferate the right to privacy, governance and common law, a methodology to reach the poorest of the poor should be laid out first.</p>
</li></ul>
<h3>Questions to Consider</h3>
<ul><li>
<p>What is the best way to proliferate the right to privacy ?</p>
</li></ul>
<ul><li>
<p>What legal structures need to be in place to ensure that the poor can assert their right to privacy?</p>
</li><li>
<p>What social structures need to be in place to ensure that the poor can assert their right to privacy?</p>
</li></ul>
<h3><img class="image-left" src="../it-act/profdrhu.jpg/image_preview" alt="Prof. Drhu" /> Privacy and the Indian Tax Regime<br /></h3>
<p><strong>Professor Amal Dhru</strong>, visiting professor from the Indian Institute of Management, Ahmedabad and a practicing Chartered Accountant spoke on the connections between privacy and the federal income tax regime in India. In his presentation he explained how the information collected by the federal income tax regime in India can be both useful in holding a citizen accountable, and invasive of one’s personal privacy if mis-used. Important points from his presentation include:</p>
<ul><li>The Indian tax regime highlights the tension between public interest as tax evasion is considered an exception to the right to privacy as it is a matter of public interest.</li></ul>
<ul><li> There is a lack of confidence in the existing banking and tax system in India. For example in the business sector, Indian investors have deposited over 700 billion dollars abroad as they are given complete privacy and security over their money. </li></ul>
<ul><li>Though there is a lack of confidence in the current banking and tax system, a tighter law is not necessarily the solution. For example, studies have found that tighter tax regimes lead to greater evasion, while looser tax regimes have higher compliance rates.</li></ul>
<ul><li>On April 1, 2011 the new tax codes for India will be implemented. The reform will give enormous power to tax offices, and as the tax authorities will become equipped to do taxes smarter – this will come at a cost to citizen’s privacy. </li></ul>
<h3>Questions to Consider</h3>
<ul><li> Just as a tighter tax law leads to a higher percentage of tax evasion, will a tight privacy law simply lead to greater numbers of privacy violations?</li></ul>
<ul><li>What creates public confidence in a law?</li></ul>
<ul><li>Should a privacy legislation be responsible for defining the public good?</li></ul>
<ul><li>Should privacy protection of tax-related information be incorporated into a privacy legislation or contained only in tax law?</li></ul>
<ul><li>To what extent should tax authorities be allowed to investigate potential tax evasion i.e., one’s computer, house or e-mail? </li></ul>
<ul><li>How does one balance the private vs. the public good? </li></ul>
<h2> Session II of the Conference focused on National Security and Privacy, and Cultural Conceptions of Privacy <br /></h2>
<h3>National Security and Privacy<img class="image-right" src="../it-act/mathew.jpg/image_preview" alt="Mr. Thomas " /></h3>
<p style="text-align: left;">In the second session on Privacy and National Security, Colonel Mathew Thomas spoke on privacy and national security. Colonel Thomas is a management consultant and activity leader for development centers and has held top positions in the Indian Army, and the Defence Research and Development Organisation, where he headed the missile manufacturing facility. Sharing his personal experiences in the army he explained the connection between privacy and national security. Important points from his presentation include: </p>
<ul><li> National Security is often not an internal threat, but instead an external threat. </li></ul>
<ul><li>There is a connection between the increase in surveillance and liberalization of Government. </li></ul>
<ul><li>More surveillance does not bring more security. </li></ul>
<ul><li>Foreign software poses as a threat to national security.</li></ul>
<ul><li>Greater security is gained through intelligent use and analysis of data. </li></ul>
<ul><li>A strong national security plan should not rely solely on surveillance of its citizens. Instead national security should be brought about through strong economic policies, non-reliance on foreign software, neutrality in foreign policy, fair trade policies, rural development and prevention of migration to cities, and having a politically honest and accountable governance.</li></ul>
<h3>Questions to Consider</h3>
<ul><li>Is it effective for privacy to be compromised in the name of anti- terror laws?</li><li> Can the development and distribution of indigenous software protect national privacy?</li><li> How can strong economic policies indirectly protect an individual's privacy?</li><li> How can a strong foreign policy protect an Indian citizen's privacy when it is stored or sent abroad?</li></ul>
<h3> <img class="image-left" src="../it-act/gagan.jpg/image_preview" alt="Gagan Sethi" />Privacy as a Cultural Construct<br /></h3>
<p>Gagan Sethi from the Centre for Social Justice, Ahmedabad shared his opinion on privacy. Important points from his presentation include:</p>
<ul><li>
<p>Privacy is a cultural construct that changes with context, perspective, and time.</p>
</li><li>
<p>When considering a privacy policy it is important to create a policy that does not strictly define what privacy is and what it is not, but instead create a policy that defines and promotes a common respect for human dignity.</p>
</li></ul>
<h3>Questions to Consider</h3>
<ul><li> If a privacy policy is developed to promote a common respect for human dignity – will it be effective?</li></ul>
<ul><li>
<p>Can you develop a policy that has a loose definition and mandate, but has strong legal teeth?</p>
</li></ul>
<h2>Session III of the Conference focused on Minority Identities and Privacy, Prisoner Rights, and Cyber Security.</h2>
<h3>Privacy and Minority Identities<img class="image-right" src="../it-act/copy_of_bobby.jpg/image_preview" alt="Bobby Kuhnu " /><br /></h3>
<p><strong>Bobby Kuhnu</strong>, a lawyer and activist, presented in the third session on Privacy, Minority Identities, and Security. In his talk Mr. Kuhnu through the use of three examples examined the ideological underpinnings of the discourse on privacy and its bearings on socially marginalized identities in the context of the Indian State and the constitutional right to privacy. Important points from his presentation include:</p>
<ul><li>
<p>In India, names can be sensitive and personal information like one’s religion, family, caste, and background can all be known through a name.</p>
</li><li>
<p>Because of the sensitivity of a person’s name, many people do not feel safe or comfortable in their own identity.</p>
</li><li>
<p>Reservation lists and public postings of information, can and have been used to discriminate and violate another’s privacy.</p>
</li></ul>
<h3>Questions to Consider</h3>
<ul><li>
<p>Should a privacy legislation requirement throughout institutions and government bodies that names should not be publicly displayed to the point of identification?</p>
</li><li>
<p>What is the most effective way of legally protecting an individual from discrimination based on their name?</p>
</li></ul>
<h3>Perspectives of Privacy <br /></h3>
<p><img class="image-left" src="../it-act/interns.jpg/image_preview" alt="Interns " />In the last portion of the day, Yash Sampat and Aditya Yagnik spoke on the origins of privacy and privacy in the cyber world. Vimmi Surti spoke on prisoner's rights and privacy and Ramswaroop Chaudhary presented on minority identities in South Asia and privacy. Important points from their presentation include:</p>
<ul><li>
<p> Internet has led to an increase in privacy violations.</p>
</li><li>
<p>The result of privacy infringements is often the deprivation of individuals from safe access to services availed to them.</p>
</li><li>
<p>When looking at privacy as the protection of human dignity, prisoner’s rights are violated through overcrowding in prisons, poor health, and poor sanitation.</p>
</li></ul>
<h3>Questions to Consider</h3>
<ul><li>
<p> Are there legal mechanisms that can be put in place to ensure the least amount of deprivation to services when an individual’s privacy is invaded?</p>
</li></ul>
<ul><li>
<p> To what extent should prisoners be availed the right to privacy?</p>
</li></ul>
<h2>The concluding session was a time for discussion and opinion sharing<img class="image-right" src="../it-act/kananandjudge.jpg/image_preview" alt="Kanan and the Judge " /></h2>
<p>From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:</p>
<ul><li>Regulation of ubiquitous surveillance in the name of national security</li><li>Regulation over public display of names and personal information</li><li>The need to distinguish between identity and identifier. </li><li>The need to protect an individual's identity while regulating the production and use of identifiers.</li><li>Privacy rights and prisoners: what does the right to privacy mean to a prisoner, i.e., clean facilities and health care. </li><li>Can the right to privacy be a platform for individuals to claim sanitary/safe working and living conditions. </li><li>Recognize the changing nature of privacy rights in a technological society.</li><li>Privacy implications of biometric usage.</li><li>Creation of a definition of when privacy rights will supersede identification needs.</li><li>How can government institutions, like the tax department, incorporate and protect the right to privacy with the collection of large amounts of data for more efficient services. </li><li>Privacy and the family</li></ul>
<strong>
<div><strong><br /></strong></div>
</strong>
<div class="pullquote"><strong>
Download the report and agenda <a href="http://editors.cis-india.org/internet-governance/blog/privacy-conference-ahmedabad.pdf" class="internal-link" title="Privacy Conference in Ahmedabad PDF">here</a> [pdf - 452kb]</strong></div>
<p class="callout"><strong>Also see Matthew's <a href="http://editors.cis-india.org/internet-governance/blog/privacy-ahmedabad-conference-presentation.pptx" class="internal-link" title="Privacy Conference in Ahmedabad Powerpoint Presentation">presentation</a> [powerpoint file 116kb]</strong></p>
<div><span class="Apple-style-span"><br /></span></div>
<div><span class="Apple-style-span"><br /></span></div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/privacy-matters-report-from-ahmedabad'>http://editors.cis-india.org/internet-governance/blog/privacy/privacy-matters-report-from-ahmedabad</a>
</p>
No publisherpraskrishnaFeaturedPrivacy2011-04-04T04:45:49ZBlog EntryPrivacy and Governmental Databases
http://editors.cis-india.org/internet-governance/blog/privacy/privacy-govt-databases
<b>In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases. </b>
<h2>Government Databases and recommendations for privacy practices</h2>
<ol><li>
<p> <strong>Citizen-State relationships and privacy standards</strong><br />Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.</p>
</li><li>
<p><strong>Specific privacy policy </strong></p>
<p>Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:</p>
<ul><li>data collection</li><li>digitization</li><li>usage</li><li>storage</li><li>security</li><li>disclosure</li><li>retrieval</li><li>access (inter departmental and public)</li><li>anonymization, obfuscation and deletion.</li></ul>
</li><li>
<p><strong>Personal vs. personal sensitive and public vs. non-public data categories </strong></p>
<p>Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct</p>
<p>categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.</p>
</li><li>
<p><strong>Standardization of Privacy Policies and Access Control </strong></p>
<p>Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.</p>
</li><li>
<p><strong>Record of breach notification </strong></p>
<p>If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.</p>
</li><li>
<p><strong>Anonymization/obfuscation and deletion policies </strong></p>
<p>Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.</p>
</li><li>
<p><strong>Accountability for accuracy of data </strong></p>
<p>Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.</p>
</li><li>
<p><strong>Appropriate uses of government databases </strong></p>
<p>Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."</p>
</li><li>
<p><strong>Access, updation and control of personal information </strong></p>
<p>Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.</p>
</li></ol>
<p><strong>Bibliography </strong></p>
<ul><li>
<p>Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.</p>
</li><li>
<p>Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.</p>
</li></ul>
<ul><li>Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada</li></ul>
<p> joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/privacy-govt-databases'>http://editors.cis-india.org/internet-governance/blog/privacy/privacy-govt-databases</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:41:38ZBlog EntryOpen Letter to the Finance Committee: UID and Transactions
http://editors.cis-india.org/internet-governance/blog/privacy/uid-and-transactions
<b>Since official documentation from the UIDAI is very limited, we assume that data pertaining to transactions would comprise of the Aadhaar number, identifier of the authenticating device, date-time stamp, and approval/rejection/error code. Recording and maintaining of data pertaining to transactions is very important because it increases transparency and accountability through an audit trail. However, storage of such sensitive data creates many privacy risks, because more often than not metadata gives you as much intelligence as raw data. </b>
<p>For example – even if you didn’t have access to the Radia recordings – just knowing who she called, when, how frequently, in what order, and for how long, will give quite a comprehensive picture. Thus, we believe that such data should not be fully stored in a central database. By way of an open letter, we suggest three alternative ways of storing and securing data relating to transactions, so that transparency and accountability is preserved without enabling surveillance or profiling of individuals. </p>
<ul><li><strong>Partial storage of data relating to transactions</strong></li></ul>
<p>Once a transaction is processed, half of the UID number is stored in the central database, while the other half of the number is stored with the service provider. Thus, for an agency to reconstruct the audit trail they must seek consent from the service provider and the UIDAI for information regarding a specific transaction. The process would follow steps like these:</p>
<ol><li>Send part of the Aadhaar number to the CIDR </li><li>Service provider stores part of the Aadhaar number locally.</li><li>Law enforcement and intelligence agencies seeking transaction data securing required approvals from the Home Ministry and then request data from the UIDAI and service provider</li><li>Data is provided by UIDAI and the service provider and combined to reconstruct the audit trail. </li></ol>
<div>
<ul><li>Storage of the public keys with a custodian </li></ul>
</div>
<p>Similar to the model followed in the new wiretapping regulations<a href="#1">1</a>, the transaction details in the central database is secured using several custodians. Thus, no single entity has complete knowledge of access to the database. And if the transaction details are leaked to the public, the custodian can be held responsible for negligence. Thus, for an agency to reconstruct the audit trail they must seek approvals and request encrypted data. The process would follow steps like these:</p>
<div>
<div>
<ol><li>Encrypt transaction data with the public key of the ‘custodian’ </li><li>Store encrypted data in CIDR </li><li>Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from the UIDAI. </li><li>The custodian on receipt of the necessary approvals decrypts the data using his/her private key, and then the audit trail becomes available. </li></ol>
</div>
</div>
<div>
<ul><li>Complete storage of transaction details at the service provider level</li></ul>
</div>
<div>After a transaction is processed, the information is encrypted and stored in a de-centralized manner with the service provider, thus agencies or individuals can only access information regarding a specific transaction at a specific organization. The process would follow steps like these: </div>
<div>
<div>
<ul><li>Encrypt transaction data </li><li>Store encrypted data at service provider level</li><li>Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from each service provider. Audit trail is reconstructed by merging data sets from different service providers. </li><li>The CIDR will only hold Aadhaar number, date-time stamp, and approval/rejection/error code.</li></ul>
</div>
</div>
<div> </div>
<h3>Note</h3>
<p class="discreet"><a name="1">1 http://timesofindia.indiatimes.com/india/Tapping-norms-Govt-will-erase-private-talk/articleshow/7407633.cms</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/uid-and-transactions'>http://editors.cis-india.org/internet-governance/blog/privacy/uid-and-transactions</a>
</p>
No publisherpraskrishnaPrivacy2011-02-24T13:35:11ZBlog EntryOpen Letter to the Finance Committee: Operational Design
http://editors.cis-india.org/internet-governance/blog/privacy/operational-design
<b>The objective of the UID project is to provide identity infrastructure that is not susceptible to fraud or error. This note highlights parts of the operational design of the project, which are flawed. We plead that each point be taken into consideration and that the design be suitably revised.</b>
<h3>Flawed aspects of the operational design</h3>
<ul><li>During enrolment: false identities</li></ul>
<p>Initial proof of one’s identity is best proved through multiple, standardized documents. The UID lists seventeen acceptable documents.<a href="#1">1</a> <span class="Apple-style-span">Acceptance and verification of only one of these identities is necessary for enrolment. This is a lower standard than existing forms of identity such as the Passport or the PAN card.<a href="#2">2</a></span></p>
<ul><li><strong>During transactions: technology will not solve corruption</strong></li></ul>
<p>In every transaction that requires the use of the <em>Aadhaar</em> number, there are four points where corruption is possible and delivery of services will not take place:</p>
<ol><li>The technology fails, and does not perform authentication;</li><li>The authority fails and delivers a false positive or false negative;</li><li>The local administrator fails to deliver the service after authentication;</li><li>The biometric fails due to biological changes, and thus the individual is denied benefits; and</li><li>Fraudulent use of face biometrics at the transaction level.</li></ol>
<ul><li><strong>During transactions: high cost of centralization with limited benefits</strong></li></ul>
<p>Verifying unique identity for every transaction will introduce an unnecessary authentication overhead. In the UID Bill, there is provision for standardized authentication fees.<a href="#3">3</a></p>
At some point service providers will pass on the authentication cost through a required authentication fee to the residents. This will take place with no entitlement of any service or guarantee against fraud.
<ul><li><strong>During redressal: no guarantee of quick and adequate remedies</strong></li></ul>
<p>The delivery of services is guaranteed only when there is an optional way for transactions to be completed. If an <em>Aadhaar</em> number holder attempts to complete a transaction, and the UIDAI rejects it, the individual can make a request for re-verification with the registrar.<a href="#4">4</a></p>
<p>
If the UIDAI still rejects the request, the individual must file a complaint to the UIDAI contact centre and wait for appropriate remedial action,<a href="#5">5</a> yet the UIDAI is not liable for the loss of service.</p>
<ul><li><strong>During upgrades of the system: patchwork approach to data protection</strong></li></ul>
<p>It is more secure to have pro-active data protection than re-active data protection. The data protection legislation that is meant to secure data processed in the UID project will be established only after the UID bill becomes law. One can only assume that the UID will respond to every new policy development in a patchwork fashion.</p>
<p class="discreet"><a name="1">1http://uidai.gov.in/index.php?option=com_fsf&view=faq&Itemid=206&catid=24</a></p>
<p class="discreet"><a name="2">2 http://passport.nic.in/, http://nrisharejunction.com/pan.aspx</a></p>
<p class="discreet"><a name="3">3 Chapter 3, Section 23 (2) (o): The National Identification Authority of India Bill 2010</a></p>
<p class="discreet"><a name="4">4 http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf</a></p>
<p class="discreet"><a name="5">5 http://uidai.gov.in/images/FrontPageUpdates/aadhaarhandbookver1.2.pdf pg.18</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/operational-design'>http://editors.cis-india.org/internet-governance/blog/privacy/operational-design</a>
</p>
No publisherpraskrishnaPrivacy2011-02-17T10:02:46ZBlog EntryOpen Letter to the Finance Committee: UID Budget
http://editors.cis-india.org/internet-governance/blog/privacy/uid-budget
<b>This note presents the aspects of the UID project, which have not been considered or incorporated into the UID’s budget. The costs include re-enrollment, loss in human time, and the cost of the audit function. </b>
<ol><li><strong>Cost of re-enrollment </strong><br />In the report 'Biometrics Design Standards for UID Applications' <a href="#1">1</a> a pilot study in India concluded that about two to five per cent of the people did not have viable biometric data. These data have not been taken into account when setting the program budget. Over time biometrics modify, thus re-enrollment will be required. The UIDAI states that given the changing nature of biometric data – biometrics would be collected every five years for children and every ten years for adults. The current project does not give us a clear picture as to what extent the re-enrollment will be required, and how the additional costs will be accounted for. </li><li><strong> Cost of loss in human time </strong><br />A time motion study is a tool used to enhance business efficiency and ensure cost effectiveness by reducing the number of motions in performing a task. In their budget, the UIDAI has accounted for the salaries of individuals associated directly with the UIDAI. The UIDAI has not accounted for the loss in human time that will take place by individuals whose daily routine will be impacted by the UID. If a time motion study were to be done only on the UID project, one would find that individuals not paid by the UIDAI, lose potential wages due to the unpaid time they must dedicate towards the scheme – or that businesses will be forced to compensate for the extra time required for each transaction by providing additional personnel. For example: On a train the number of train masters present is calculated according to how many individuals each ticket master can check and process. With the UID, in order to prevent fraud around subsidized train tickets , individuals on the train will have their biometrics checked and authenticated. The below diagram demonstrates how authenticating an individual by their UID and biometric incurs a loss in human time, and thus, the process of collecting train tickets will require more train masters to complete. <br /><em>Current Process:</em><br />
<ul><li>Present ticket to train master</li><li>Train master checks identity card and identity on ticket </li><li>Train master ticks ticket, and ticks his list to indicate verification <br /></li></ul>
<em>Process with biometrics</em>: <br />
<ul><li>Present <em>Aadhaar</em> number, fingerprint , and ticket to train master</li><li>Train master takes a reading of your fingerprint and sends it to the central database </li><li>Train master waits for approval from the CIDR </li><li>The CIDR gives a yes or no response </li><li>If the answer is no – the train master swipes your finger five times, and then finds alternate forms of identification </li><li>Train master provides proof of verification </li></ul>
</li><li><strong>Cost of audit function </strong><br />The bulk of the UID enabled transactions will have financial implications. Every financial transaction involves three or four parties: the person who collects the payment, the person who prepares the documentation, the person who approves the documentation, and finally the person who audits the documentation. In such a context the technology can play the role of the person who: collects, prepares, and approves each transaction. The role of auditing the transaction cannot be played by technology. The audit function is human, and the audit function needs to be worked into the project budget. </li></ol>
<p> <span class="Apple-style-span"><a name="1">1 “Biometrics Design Standards for UID Applications" pg.22</a></span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/uid-budget'>http://editors.cis-india.org/internet-governance/blog/privacy/uid-budget</a>
</p>
No publisherpraskrishnaPrivacy2011-02-17T11:18:16ZBlog EntryOpen Letter to the Finance Committe: Biometrics
http://editors.cis-india.org/internet-governance/blog/privacy/biometrics
<b>This note points out the weaknesses inherent in biometrics and the pitfalls in using them. It recommends procedural safeguards that should be adopted by the UID in order to make the use of biometrics more secure and inclusive.</b>
<ol><li>
<p> <strong>Biometrics are not centrally stored and are used only for identification </strong></p>
<p>Biometrics, as our first letter notes <a href="#1">1</a> are better suited for identification, and are inappropriate for authentication. Therefore, the central server need not store biometric information, and need only store the public key of each citizen's digital signature.<a href="#2">2</a> Biometrics on a smart card for authentication will allow service providers to determine if the card is being carried by the right person. This configuration of biometrics has many positives. It is : </p>
<ul><li> Cost effective</li><li> More secure</li><li> Places the control of biometric information in the hands of the data subject </li></ul>
</li><li>
<p><strong>Use encrypted data, rather than live data </strong></p>
<p>The UID scheme has stated that biometrics will be encrypted, but has not provided further details. <a href="#3">3</a></p>
It is recommended that biometrics are:
<ul><li>Encrypted whenever it is used, stored and transferred;</li><li>A biometric should be encrypted to such a degree that it is not possible to reconstruct the biometric data; and</li></ul>
<ul><li>After an encrypted version of the biometric is made, the original biometric should be deleted. </li></ul>
<p>In order to perform an identification check – the biometrics presented should be encrypted and then compared to the encrypted version stored on the card. If the card is stolen – the thief would not be able to harvest biometrics.</p>
</li><li>
<p><strong>Security clearance for all associated entities and personnel </strong></p>
<p>UID registrations and transactions will be handled by 'registrars' or in other words personnel who work at organizations not directly under the control of the UIDAI. A clear process associated with who can perform transactions and a proper audit system is needed to prevent 'insider' attacks.</p>
</li><li>
<p><strong>Clearly defined alternate identification factors </strong></p>
<p>There are many situations in which a biometric cannot be accepted in a transaction. For example, when the biometric changes, is misread, or is unreadable. The UID has recognized this possibility and has stated: <em>“In case of authentication, the operator needs to find an alternate method of authentication if fingerprint verification fails. The operator/application would not know the cause of verification failure. A timeout will be implemented in service after five attempts.”</em><a href="#4">4</a></p>
The alternative identity factors that will be accepted need to be clearly defined and articulate.
</li><li><strong>Standards for acceptance of biometric as authentication factor</strong><br />
<p>The UIDAI has proposed a whole range of authentication factors – pin, password, partial biometrics, full biometrics, mobile phone and combination's thereof. <a href="#5">5</a> Some of these authentication factors may also be presented by the data subject over the Internet. As our previous letters have stated – some authentication factors are more secure than others. Therefore, the UIDAI should publish standards for acceptance of different authentication factors based on the security requirements of different types of transactions. Even if biometrics are used as an authentication standard – in our opinion it should only be used for trivial transactions without major financial or citizenship implications.</p>
</li></ol>
<p><span class="Apple-style-span"><strong>Footnotes:</strong></span></p>
<p class="discreet"><a name="1">1http://www.cis-india.org/advocacy/igov/privacy-india/letter-to-finance-committee</a></p>
<p class="discreet"><a name="2">2 Distinguish and separate the authentication process from the identification process: </a><span class="Apple-style-span"><a name="2">Identification is a comparison of one set of biometric data against all sets of collected biometrics in one central database to verify the identity of the owner of the biometric data. Authentication is a comparison of a biometric against a stored template to validate the existence of that specific biometric</a></span></p>
<p class="discreet"><a name="3">3 http://uidai.gov.in/index.php?option=com_fsf&view=faq&Itemid=206&catid=7 </a></p>
<p class="discreet"><a name="3"></a><a name="4">4 Biometric Design Standards for UID Applications: pg 37</a></p>
<p class="discreet"><a name="4"></a><a name="5">5 UIDAI Strategy Overview. Creating a Unique Identity Number for Every Resident in India. Pg. 28</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/biometrics'>http://editors.cis-india.org/internet-governance/blog/privacy/biometrics</a>
</p>
No publisherpraskrishnaPrivacy2011-02-17T13:12:22ZBlog EntryOpen Letter to the Finance Committee: Finance and Security
http://editors.cis-india.org/internet-governance/blog/privacy/finance-and-security
<b>This note explores the three connections between finance and security and demonstrates the cost implications of operating a centrally designed identity management system as proposed by the UID. In doing so, it shows how the monitoring, storing, and securing of transactional data in a centralized database fall short of meeting the project's objectives of authentication, and thus is an additional cost. Further, it is argued that the blanket monitoring of the transaction database is not an effective method of detecting fraud, and is an expensive component of the project. </b>
<ul><li>Operating a centralized identity management system that requires the use of a remote database for every transaction is always more expensive than a decentralized identity management system that could optionally use a local database. </li></ul>
<h3>Centralized database costs</h3>
<ol><li>Both public and private keys must be centrally stored</li><li>All transactions require connectivity for the sending and receiving of authentication of data, and have an associated connectivity cost</li><li>Securing all data at a central database has augmented costs </li></ol>
<h3>Decentralized database costs </h3>
<ol><li>Only the public key must be centrally stored</li><li>Some transactions require connectivity for the sending and receiving of authentication data</li></ol>
<ul><li>The cost of building an identity management system that includes recording, monitoring, and securing each transaction is more than the cost of building only an identity authentication system. The goal of the project is to identify a person. Recording each transaction will add unnecessary cost. </li></ul>
<table style="text-align: center;" class="plain">
<tbody>
<tr>
<td style="text-align: left;">Cost of identity authentication system</td>
<td style="text-align: left;"> </td>
</tr>
<tr>
<td style="text-align: left;">Cost of monitoring transactions </td>
<td style="text-align: left;">> Cost of identity authentication system</td>
</tr>
<tr>
<td style="text-align: left;"> Cost of securing transaction data</td>
<td style="text-align: left;"> </td>
</tr>
</tbody>
</table>
<ul><li>Increasing security or fighting fraud can be done in two ways - having a targeted approach or through blanket monitoring. The UID scheme, through the monitoring of the transaction database featuring trillions of transaction by 1.2 billion people is a blanket approach, and will provide lower return on investment than a targeted approach. </li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/finance-and-security'>http://editors.cis-india.org/internet-governance/blog/privacy/finance-and-security</a>
</p>
No publisherpraskrishnaPrivacy2011-02-17T11:57:42ZBlog EntryPrivacy Matters — Conference Report
http://editors.cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary
<b>A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.</b>
<h3>Introduction<br /></h3>
<p>The conference was held to discuss elements of the privacy legislation that has been proposed to the Parliament of India, and the UID Bill and project. The conference focused on the tensions between privacy and society that exist in India today, and acted as a space for opinion sharing and discussion. Privacy India which was formed under the auspices of Privacy International, a UK based organization that works to protect the right of privacy around the world, the Centre for Internet and Society (CIS), an NGO based in Bangalore, and Society in Action Group (SAG), an NGO based in Delhi joined hands to host this event.</p>
<p>Rajan Gandhi, founder of SAG opened the conference with an explanation of the mandate of Privacy India, the objective of which is of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of Privacy India's goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.</p>
<h3>Keynote</h3>
<p>The keynote speech was delivered by Dr. Sudhir Krishnaswamy professor of law and governance. Dr. Krishnaswamy began by outlining the present situation of privacy in India. The right to privacy has been read into Sections 19 and 21 of the Constitution of India through case law, which has defined privacy — among other things — as the right to personal autonomy, the right against unreasonable search and seizure, and as a fundamental right that is critical to the person, but does not supersede public or national interest. Dr. Krishnaswamy also raised many intriguing questions including: what does privacy mean to India — is it linked to a person’s dignity and their honour? Or is it purely concerned with misappropriation of information, and further is privacy in India an issue of the individual or an issue of the family and the community? He also described the philosophical groundings of privacy as being in the right to dignity, the right to autonomy, and the misappropriation of information. </p>
<h3>Privacy Challenges</h3>
<p>The conference was spread into three sessions. In the first session Prashant Iyengar, head researcher of the project at Privacy India, spoke about the challenges that India specifically is facing in shaping a privacy legislation including: the need to balance the right to information/transparency and privacy, the need to create a definition of privacy that does not exclude lower classes and is not a negative right, but instead a positive right, and the problem of ubiquitous surveillance that is happening in society today. Elonnai Hickok, policy analyst at Privacy India, spoke specifically on wire tapping, and the Nira Radia tapes. In her presentation she first outlined other countries definitions of privacy which include: the right to be left alone, the protection from unauthorized searches, and the right to control information about oneself through consent. Using the case study of Nira Radia and Ratan Tata she spoke about the rising concern of wire tapping in the country as being indicative of a social change and relationship of the state and government. Elonnai also raised questions concerning whether privacy should be made inversely proportional to public figures, and if public interest will always supersede the private right of individuals.</p>
<h3>UID and Privacy</h3>
<p>The second session of the conference focused on the UID Bill and privacy. Presentations from NUJS student Amba Kak and Sai Vinod raised concerns about the UID project and privacy. Their presentation also compared and contrasted identity schemes of other countries with the UID. A few similarities that they found amongst all scheme were: the collection of data, the processing of data, and the storing of data. Deva Prasad from the National Law School of Bangalore presented on constitutional elements of the UID scheme ranging from loopholes in the Bill to connections that can be made when the UID Bill is placed in the larger picture. Sri Manoj Bhattacharya (MP) from RSP voiced his concerns of the UID, and emphasized that by giving an individual a number which acts as their fundamental identity which they use to function in society, the government in fact is eroding an individual’s actual identity, and that is an invasion of privacy. Sri Nilotpal Basu (MP) from CPI (M) spoke out strongly against the UID, voicing that his greatest concern with the UID is that it will be a way for corporate bodies to target individuals as consumers, and that privacy legislation could be used as a way for corporate bodies to hide from the public eye.</p>
<h3>Conclusion</h3>
<p>In the concluding session the floor was opened up to the public for questions and opinion sharing. Many participants shared what they believed needed to be included in privacy legislation, and what issues a privacy legislation needs to address. A few of these include: privacy rights and the media, privacy and the right to information, the privacy rights of minorities, and the privacy rights of the government. Also types of regulatory models for privacy were discussed. For instance, should privacy in India be represented and protected through a data protection law, or should privacy be seen as a fundamental right to privacy? Should privacy be represented through a broad framework, or through sector specific statutes? What should the redressal and enforcement mechanisms look like? </p>
<p>As seen from the presentations and the comments at the conference one thing which is clear is that privacy is an issue that concerns every person in India. Over the next six months Privacy India will be conducting ten more conferences in different Indian cities to engage the public in dialogues of privacy and raise awareness around the issues of privacy. The next workshop will be held on 5 February 2011 in Bangalore.</p>
<p>Download the conference summary <a href="http://editors.cis-india.org/internet-governance/blog/privacy-kolkata-report" class="internal-link" title="Privacy India Calcutta Conference">here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary'>http://editors.cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary</a>
</p>
No publisherpraskrishnaFeaturedPrivacy2011-01-27T10:22:55ZBlog Entry4 Popular Myths about UID
http://editors.cis-india.org/internet-governance/popular-myths-about-uid
<b>By now, there is already a lot of material in the public domain that is critical about the UID/Aadhar project, writes Prashant Iyengar in this blog entry published in Privacy India on January 22, 2011.</b>
<p>(See <a class="external-link" href="http://aadhararticles.blogspot.com/">aadhararticles.blogspot.com</a> for an exhaustive catalogue). Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme. Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme.</p>
<p>I do not intend to rehearse these arguments in this post. Instead, I pick four somewhat obscure, but troublesome assertions made about the UID and test their veracity against documents available on the UIDIA site itself. The purpose is to cut through all the equivocation behind the claims that UID officials have been making, and arrive at some minimal clarity on what the UID is (and isn’t).</p>
<h3>Registration is voluntary!</h3>
<p>How does one make sense of Nandan Nilenkani’s cryptic remark, “I wouldn’t call it compulsory. I would rather say that it will become ubiquitous”?<br /><br />In a sense, this is true enough. Nowhere in the entire bulk of UID documentation will you encounter the express words “mandatory” or “compulsory”. Hence, proved! But that isn’t to say, however, that there is any way you will be able to avoid getting registered.<br /><br />Very rapidly, accessing basic services and your very status as a citizen will be conditional on your possessing an Aadhar number. This is owing to the complex operational structure that the UID Scheme adopts which leaves the task of enrollment entirely in the hands of third party ‘Registrars’ who include a host of Central and State social security and welfare departments (including the Ministry of Rural Development which administers the Rural employment guarantee scheme), banks and insurance companies. There is nothing in the Aadhar Scheme that forbids these Registrars from making access to their services conditional on one’s consent to UID registration. In practice, many of them have and will continue to make UID registration a preliminary formality before access is granted to their services. So your ‘freedom’ to resist UID registration will depend on your ability to forego your minimum guarantee of the right to employment, cooking gas, banking and insurance services, food rations etc.<br /><br />And if miraculously you are able to subsist without these services, there is still one minor detail that is seldom mentioned in conversations about UID: without a UID number, you will not be counted as a citizen of India. This is owing to the fact that the Registrar General of India, the authority responsible for compiling the National Population Register of India under the Citizenship Act, also happens to be a ‘Registrar’ for the purposes of the UID. Which means that one’s registration in the NPR will entail automatic enrollment in the UID. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules, 2003 makes it mandatory for everyone to be enrolled in the National Population Register. So, paradoxically, although the Aadhar number does not confer citizenship, one cannot be a citizen anymore without owning an Aadhar number.</p>
<p>In other words, the UID scheme avoids the charge of being compulsory, by outsourcing its compulsion entirely.</p>
<h3>The UID Scheme will only collect a minimal set of information</h3>
<p>A frequently made assertion about the UID scheme is that the data collected will be limited to a standard set of information like one’s name, residence, date of birth, photo, all 10 finger prints and iris image. Once again, this is only a half truth. As mentioned previously, the entire process of enrollment is carried out through Registrars who have absolute freedom to expand the categories of information collected to include data that is entirely orthogonal to the purposes of the UID. This freedom is typically guaranteed by a clause in the MOUs which the UIDAI has signed with Registrars enabling them to collect additional data that “is required for their business or service”. Thus, for instance, in Himachal Pradesh, citizens are asked to provide additional details such as information about their ration cards, PAN cards, LPG connection and bank accounts[i]<br /><br />To employ a telling epithet found in one of the UID documents, the ‘Registrars own the process of enrollment’.</p>
<h3>Privacy is guaranteed</h3>
<p>Although the UIDAI makes repeated assertions regarding its intent to respect privacy and ensure data protection, the precise mechanism through which these objectives will be secured is extremely unclear.</p>
<ol><li> To begin with, the entire responsibility for devising schemes for safeguarding information during the collection phase rests entirely on the Registrars. The UIDAI’s own responsibility for privacy begins only from the moment the information is transmitted to it by the Registrars – by which time the information has already passed through many hands including the Enrolling Agency, and the Intermediary who passes on information from the Registrar to the UIDAI.</li><li>Rather than setting out an explicit redressal mechanism and a liability regime for privacy violations, the UID’s documents stop at loosely describing the responsibility of the Registrars as a ‘fiduciary duty’ towards the resident/citizen’s information. The Registrars are tasked with maintaining records of the data collected for a minimum period of six months. No maximum period is specified and Registrars are free to make what use of the data they see fit.</li><li>In addition, the Registrars are mandated to keep copies of all documents collected from the Resident either in physical or scanned copies “till the UIDAI finalizes its document storage agency.”[ii]</li><li>The ‘Data Protection and Security Guidelines’ which the UIDAI requires all Registrars to observe merely contains pious injunctions calling on them to observe care at all stages of data collection and to develop appropriate internal policies. There is mention of the desirability of external audits and periodic reporting mechanisms, but the details of these schemes are left to the individual Registrar to draw up.</li><li>Although the Draft National Identification Authority of India Bill penalizes the intentional disclosure or dissemination of identity information collected in the course of enrollment or authentication, this does not guard against accidental leaks and does not mandate the service providers to positively employ heightened security procedures. Prosecution of offences under the Act can only proceed with the sanction of the UID Authority, which further burdens the task of criminal enforcement in these cases and would make it difficult for individuals to obtain redress quickly. The total absence of a provision for civil remedies against Registrars makes it unlikely that they will take the task of protecting privacy seriously.</li><li>In other words, the individual’s right to privacy is only as strong as the weakest link in the elaborate chain of information collection, processing and storage.</li></ol>
<h3>The UIDAI will not disclose any information and will only authenticate information with Yes/No answers<br /></h3>
<p>This is another of the frequently misleading claims made by the UID Authority. Thus, for instance, in April, 2010, in response to a question in the course of an interview, Nandan Nilekani said “UID itself has very limited fields, it has only four or five fields — name, address, date of birth, sex and all that. But it also does not supply this data to anybody. .. the only authentication you can get from our system is a yes or no. So, you can’t query and say what’s this guys name or what’s his date of birth, you can’t get all that.”[iii]<br /><br />This statement is, however belied by many of the UIDAI’s own documents.</p>
<ol><li>The draft NIA Bill, for instance, permits the Authority to issue regulations on the sharing of “the information of aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct”. In practice, prior “written consent” for sharing is obtained from the resident as a matter of course at the time of enrollment itself, and it is impossible to obtain an Aadhar number without consenting to sharing by the UID Authority.[iv] In practice, in India, a large number of forms will be filled in by assistants and the written consent box will be ticked as a matter of course without the resident understanding the full implications of her “consent”.</li><li>The draft NIA Bill permits the authority to “make any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge”. There is nothing in the Act that requires that this information be made available on an individual basis – in other words, it is possible for the data to be shared en-masse with any agency “in the interests of national security”.</li><li>There is nothing preventing “Registrars” who carry out the actual data collection functions from sharing this information with anyone they choose. Thus, for instance, the Aadhar information collected during the exercise of compiling the National Population Register will can be shared in whichever manner the Registrar General of India chooses – irrespective of what the UIDAI does with that information.</li></ol>
<p>So, while ordinarily, the UIDAI would not authenticate information other than giving Yes/No responses, there are mechanisms already in place that presume that all this information will be made available, on demand, to whichever agency that happens to be interested.</p>
<p>[i] 2011. UID project picks up pace. Indian Express. Available at: <a class="external-link" href="http://www.indianexpress.com/story-print/735790">http://www.indianexpress.com/story-print/735790</a> [Accessed January 22, 2011].<br />[ii] UIDAI – Document Storage Guidelines for Registrars Ver. 1.2, August 2010.<br />[iii] 2010. To issue first set of UIDs by Feb 2011: Nilekani – CNBC-TV18 -. Money Control. Available at: <a class="external-link" href="http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html">http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html</a> [Accessed January 22, 2011].<br />[iv] For instance, a flowchart of the Resident Enrollment Process issued by the UID stipulates “Record Resident’s consent for Information Sharing” as the tenth step in the enrollment process. Unless this step is followed, the enrollment process cannot proceed!</p>
<p><a class="external-link" href="http://privacy-india.org/2011/01/22/4-popular-myths-about-the-uid/">Click</a> to read the original here</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/popular-myths-about-uid'>http://editors.cis-india.org/internet-governance/popular-myths-about-uid</a>
</p>
No publisherPrashant IyengarInternet GovernancePrivacy2012-06-20T04:37:08ZBlog EntryAn Open Letter to the Finance Committee: SCOSTA Standards
http://editors.cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee
<b>The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.</b>
<h3>Introduction</h3>
<p>This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that <span class="Apple-style-span">Aadhaar</span> biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.</p>
<h3>A background of the two standards</h3>
<p>The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:</p>
<p>1. Compliant with the international standard ISO-7816 for smart cards.</p>
<p>2. Based on a public/private key and pin authentication factor</p>
<p>3. Authentication factor refers to an individuals keys, pass-phrases, and pin.</p>
<p>The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:</p>
<p>1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.</p>
<p>2. Based on a symmetric authentication factor</p>
<h3>A comparison of the two standards</h3>
<table class="plain">
<tbody>
<tr>
<td><b>Standard </b><br /></td>
<td><b>SCOSTA - MNIC smart card</b><br /></td>
<td><b>Aadhaar Biometric - UID number </b><br /></td>
</tr>
<tr>
<td><b>Architecture </b><br /></td>
<td><b>Decentralized </b><br />SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner <br /></td>
<td><b>Centralized</b><br />Aadhaar biometric standards require symmetric <br />authentication factors, and thus must be structured in a centralized manner <br /></td>
</tr>
<tr>
<td><b>Standards for Technology </b><br /></td>
<td><b>Open standard<br /></b>Creates security through transparency <br /></td>
<td><b>Closed standard </b><br />Creates security though obscurity <br /></td>
</tr>
<tr>
<td><b>Points of failure </b><br /></td>
<td><b>Multiple points of failure</b><br />The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.<br /></td>
<td><b>Single point of failure </b><br />The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost<br /></td>
</tr>
<tr>
<td><b>Impact on local industry </b><br /></td>
<td><b>Encourages</b><br />Open standards allow local industry to compete in manufacturing technology<br /></td>
<td><b>Discourages</b><br />Closed standards allow foreign players to monopolize the manufacturing of technology <br /></td>
</tr>
<tr>
<td><b>Cost analysis </b><br /></td>
<td><b>Cost effective </b><br />Increased competition keeps prices low <br /></td>
<td><b>Cost ineffective </b><br />Decreased competition keeps prices high<br /></td>
</tr>
<tr>
<td><b>Revocation</b></td>
<td><b>Revocable</b><br /> If the key pair and pin are stolen, a new set of passwords can be issued<br /></td>
<td><b>Permanent</b> <br />If the biometrics of an individual are stolen, they cannot be re-issued <br /></td>
</tr>
<tr>
<td><b>Possibility of fraudulent authentication </b><br /></td>
<td><b>Lower</b><br />A thief must steal your smart card and your secret pin to commit fraud <br /></td>
<td><b>Higher</b><br />A thief only needs to collect your fingerprints using a glass tumbler to commit fraud <br /></td>
</tr>
<tr>
<td><b>Viability of Technology</b></td>
<td><b>Proven effective for large populations </b><br /></td>
<td><b>Not proven effective for large populations</b><br /></td>
</tr>
</tbody>
</table>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'>http://editors.cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</a>
</p>
No publisherelonnaiPrivacy2013-12-20T03:58:09ZBlog EntryThe Privacy Rights of Whistleblowers
http://editors.cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers
<b>The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy. </b>
<h3>Introduction<br /></h3>
<p>In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitles the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if they violate the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest -- i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"</p>
<h3>What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks? <br /></h3>
<p>Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him -- for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press -- the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role as competent authority to deal with complaints file by whistleblowers and as the tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Mahrashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or entity – Wikileaks has the pull of non-bias. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.</p>
<h3>Privacy and Whistleblowing</h3>
<p>As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.</p>
<hr />
<h3>Sources:</h3>
<ul><li> http://www.ctv.ca/generic/generated/static/business/article1833688.html</li></ul>
<ul><li> Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act. </li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers'>http://editors.cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:47:16ZBlog Entry