The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Report on the Sixth Privacy Roundtable Meeting, New Delhi
http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi
<b>In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.
</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<h2>Introduction</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">CIS was a member of the Justice A.P. Shah Committee which drafted the "<a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of Groups of Experts on Privacy</a>". CIS also drafted a <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft" class="external-link">Privacy (Protection) Bill 2013</a> (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol>
<li>New Delhi Roundtable: April 13, 2013</li>
<li>Bangalore Roundtable: April 20, 2013</li>
<li>Chennai Roundtable: May 18, 2013</li>
<li>Mumbai Roundtable: June 15, 2013</li>
<li>Kolkata Roundtable: July 13, 2013</li>
<li>New Delhi Roundtable: August 24, 2013</li>
<li>New Delhi Final Roundtable and National Meeting: October 19, 2013</li>
</ol>
<p style="text-align: justify; ">This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="internal-link" title="The Personal Data (Protection) Bill, 2013">The Personal Data (Protection) Bill, 2013 </a>was discussed at the Roundtable.</p>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill</a> from the more expansive – Privacy (Protection) Bill.</p>
<h2>Chapter I – Preliminary</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification, and ‘sensitive personal data’, a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Religion and Caste</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –</p>
<ul>
<li>Whether religion and caste should be categorized as sensitive personal data or personal data?</li>
<li>Whether it is impracticable to include it in either category?</li>
<li>If included as sensitive personal data, how should it be implemented?</li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populace to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information.
Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Political Affiliation</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conviction Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing a passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Financial and Credit Information</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:</p>
<ul>
<li style="text-align: justify; ">The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.</li>
<li style="text-align: justify; ">Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.</li>
<li style="text-align: justify; ">While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.</li>
<li style="text-align: justify; ">Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law. </li>
</ul>
<h2>Chapter II – Regulation of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The main issues under consideration with regard to this part were –</p>
<ul>
<li>The scope of the protection provided</li>
<li>Whether the exemptions should be expanded or diminished. </li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in <i>Kharak Singh v. The State of U.P.</i> (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was inadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to how ‘personal and domestic use’ was to be defined, it was proposed that the same had to cater to existing cultural norms. In India, this entailed that existing community laws, which do not recognize nuclear families as a legal entity, had to be followed. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The overall conclusion of the discussion on this Chapter was –</p>
<ul>
<li>All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.</li>
<li>Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Chapter III – Protection of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While Section 5 establishes a broad bar for the collection of personal data, Sections 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data with Prior Informed Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iii) destruction of data.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed their users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Mediated data collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3<sup>rd</sup> party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3<sup>rd</sup> party?, and (ii) whether destruction of user data due to withdrawal of consent amounts to destruction of general data, i.e. of the 3<sup>rd</sup> party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3<sup>rd</sup> party.
In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data without Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -</p>
<p style="text-align: justify; "><i>“(a) necessary for the provision of an emergency medical service to the data subject;<br /></i><i>(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;<br />(c) necessary to prevent a reasonable threat to national security, defence or public order; or<br />(d) necessary to prevent, investigate or prosecute a cognisable offence”</i></p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in the last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as <i>Maneka Gandhi v. Union of India</i> (1978) and <i>PUCL v. Union of India</i> (1997).</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Storage and Processing of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criterion should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to be more specifically defined to avoid dilution.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.</p>
<h3 class="MsoNormalCxSpLast" style="text-align: justify; ">Conclusion</h3>
<ul>
<li>Mediated collection of data should be qualified on the basis of purpose and intent of collection.</li>
<li>The issue of cost to company (C2C) was not given adequate consideration in the Bill.</li>
<li>The need to lay down Procedures at all stages of handling personal data.</li>
<li>Special exemptions need to be provided for journalistic sources. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Meeting Conclusion</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill, 2013</a>. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi'>http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi</a>
</p>
No publisher | prachi | SAFEGUARDS, Internet Governance, Privacy | 2013-08-30T15:04:51Z | Blog Entry
Interview with Big Brother Watch on Privacy and Surveillance
http://editors.cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance
<b>Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/about">Big Brother Watch</a> was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/who-we-are/emma-frances-carr-deputy-director">Emma Carr</a> joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/KhmwPYgLfjo" width="250"></iframe></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance'>http://editors.cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-10-15T14:24:27Z | Blog Entry
Interview with the Tactical Technology Collective on Privacy and Surveillance
http://editors.cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective
<b>The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of the <a class="external-link" href="https://tacticaltech.org/about">Tactical Technology Collective</a>, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.</p>
<p style="text-align: justify; ">Tactical Tech's <a class="external-link" href="https://tacticaltech.org/what-we-do">Privacy & Expression programme</a> builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.</p>
<p style="text-align: justify; "><a class="external-link" href="https://tacticaltech.org/team">Anne Roth</a> works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. <span> <span>Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.</span></span></p>
<p style="text-align: justify; "><span><span>The Centre for Internet and Society interviewed Anne Roth on the following questions:</span></span></p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/QZsFf_Qyqyo" width="250"></iframe></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective'>http://editors.cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective</a>
</p>
No publisher; maria; SAFEGUARDS; Internet Governance; Privacy; 2013-10-18T09:56:16Z; Blog Entry
Report on the 2nd Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table
<b>This post is a report on the second Privacy Round Table meeting which took place on 20th April 2013. </b>
<hr />
<p>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of its work with Privacy International UK on the SAFEGUARDS project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">Following the first Privacy Round Table in Delhi, this <a href="http://editors.cis-india.org/internet-governance/blog/report-on-bangalore-privacy-meeting" class="internal-link">report</a> provides an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20<sup>th</sup> April 2013.</p>
<h2 style="text-align: justify; ">Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”</h2>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13<sup>th</sup> April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the prevailing question was what type of regulatory framework should be adopted to incorporate all these privacy principles.</p>
<p style="text-align: justify; ">DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.</p>
<p style="text-align: justify; ">The discussion points brought forward by DSCI were:</p>
<ul style="text-align: justify; ">
<li>What role should government and industry respectively play in developing and enforcing a regulatory framework? </li>
<li>How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?</li>
<li>How can an organization be incentivized to follow the codes of practice under the SRO?</li>
<li>What should be the role of SROs in redressal of complaints?</li>
<li>What should be the business model for SROs?</li>
</ul>
<p style="text-align: justify; ">DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, and that the self-regulatory framework of businesses adapt technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies be legally recognised.</p>
<p style="text-align: justify; "> </p>
<h2 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h2>
<h3 style="text-align: justify; ">Discussion of definitions and preamble: Chapter I & II</h3>
<p style="text-align: justify; ">The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.</p>
<h3 style="text-align: justify; ">Sensitive Personal Data</h3>
<p style="text-align: justify; ">The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethnic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.</p>
<h3 style="text-align: justify; ">Information vs. Data</h3>
<p style="text-align: justify; ">During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.</p>
<h3 style="text-align: justify; ">Exemptions</h3>
<p style="text-align: justify; ">Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. It was pointed out that the Bill does not address the element of error within data, and it was suggested that this be included in the draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are being included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.</p>
<h3 style="text-align: justify; ">Data Collection</h3>
<p style="text-align: justify; ">In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.</p>
<h3 style="text-align: justify; ">Consent</h3>
<p style="text-align: justify; ">On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over data in certain cases, in other cases they <i>choose </i>to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this too should be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.</p>
<p style="text-align: justify; ">Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas into consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions be included in the Bill.</p>
<h3 style="text-align: justify; ">Data Disclosure</h3>
<p style="text-align: justify; ">In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.</p>
<p style="text-align: justify; ">A participant recommended that individuals be informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared and retained when it is not handled within India and several participants argued that this should be addressed within the Bill.</p>
<h3 style="text-align: justify; ">Data Destruction</h3>
<p style="text-align: justify; ">In terms of data destruction, a participant emphasized that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.</p>
<h3 style="text-align: justify; ">Data Processing</h3>
<p style="text-align: justify; ">In terms of data processing, participants argued that privacy protection complications have arisen in light of social media. In particular, they argued that social media constantly develop and expand technologically and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.</p>
<p style="text-align: justify; ">However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.</p>
<p style="text-align: justify; ">In brief, the following questions with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>Should consent be required prior to the collection of data?</li>
<li>Should consent be acquired prior to and after the disclosure of data?</li>
<li>Should the purpose of data collection be the same as the purpose for the disclosure of data?</li>
<li>Should an executive order or a court order be required to disclose data?</li>
<li>Against the background of national security, anyone´s data can be on the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data on the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?</li>
<li>An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?</li>
<li>Should companies notify individuals when they share their (individuals´) data with international third parties?</li>
</ul>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>The data subject has to be informed, unless there is a model contract. </li>
<li>The request for consent should depend on the type of data that is to be disclosed.</li>
<li>Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).</li>
<li>The shared data may be considered private data (need of a relevant regulatory framework).</li>
<li>An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.</li>
<li>If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country. </li>
<li>India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.</li>
<li>The problem with disclosure is when there is an exception for certain circumstances.</li>
<li>Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability. </li>
<li>Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).</li>
<li>´Data ownership´ should be included in the definitions of the Bill. </li>
<li>What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.</li>
</ul>
<p> </p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for purposes other than the original purpose, as well as that such information should not be shared with third parties.</p>
<p style="text-align: justify; ">Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner be mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.</p>
<h2 style="text-align: justify; ">Discussion on self-regulation and co-regulation</h2>
<p> </p>
<p style="text-align: justify; ">The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.</p>
<p style="text-align: justify; ">The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.</p>
<p style="text-align: justify; ">Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has a vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p> </p>
<p style="text-align: justify; ">The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table'>http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table</a>
</p>
No publisher; maria; SAFEGUARDS; Internet Governance; Privacy; 2013-07-12T11:54:28Z; Blog Entry
Open Letter to Prevent the Installation of RFID tags in Vehicles
http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles
<b>The Centre for Internet and Society (CIS) has sent this open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p class="western" style="text-align: justify; ">This letter is with regards to the installation of Radio Frequency Identification Tags (RFID) in vehicles in India.</p>
<p class="western" style="text-align: justify; ">On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.</p>
<p class="western" style="text-align: justify; ">The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.</p>
<p class="western" style="text-align: justify; ">The installation of RFID tags in vehicles is not only currently illegal, but it also raises major privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.<a href="#fn1" name="fr1">[1]</a></p>
<p class="western" style="text-align: justify; ">The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.<a href="#fn2" name="fr2">[2]</a><sup> </sup>The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">Thank you for your time and for considering our request.</p>
<p class="western" style="text-align: justify; ">Sincerely,</p>
<p class="western" style="text-align: justify; ">Centre for Internet and Society (CIS)</p>
<p> </p>
<p id="sdfootnote1"> </p>
<p>[<a href="#fr1" name="fn1">1</a>]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p>[<a href="#fr2" name="fn2">2</a>]. Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles'>http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:59:31Z | Blog Entry
India's Central Monitoring System (CMS): Something to Worry About?
http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
<b>In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!</b>
<p style="text-align: justify; ">The idea of a Panopticon, of monitoring all communications in India and centrally storing such data, is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as <span class="internal-link">a project run by the Centre for Communication Security Research and Monitoring (CCSRM)</span>, along with the Telecom Testing and Security Certification (TTSC) project.</p>
<p align="JUSTIFY">The Central Monitoring System (CMS), which was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">largely covered by the media in 2013</a>, was actually <span class="internal-link">approved by the Cabinet Committee on Security (CCS) on 16th June 2011</span> and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, <span class="internal-link">government funding of the CMS has reached at least Rs. 450 crore</span> (around $72 million).</p>
<p align="JUSTIFY">In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">clause 41.10 of the Unified Access Services (UAS) License Agreement was amended</a> in June 2013. In particular, the amended clause includes the following:</p>
<blockquote class="italized">“<i>But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Government, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earliest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”</i></blockquote>
<p align="JUSTIFY">Furthermore, <span class="internal-link">draft Rule 419B</span> under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. <a class="external-link" href="http://books.google.gr/books?id=dO2wCCB7w9sC&pg=PA111&dq=%22Call+detail+record%22&hl=en&sa=X&ei=s-iUUO6gHseX0QGXzoGADw&redir_esc=y#v=onepage&q=%22Call%20detail%20record%22&f=false">Call Data Records</a>, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecommunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to <span class="internal-link">draft Rule 419B</span>, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.</p>
<p align="JUSTIFY">Other than this draft Rule and the <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amendment to clause 41.10 of the UAS License Agreement</a>, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, which empowers the Indian Government to intercept communications on the occurrence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:</p>
<ul>
<li>
<p align="JUSTIFY">the interests of the sovereignty and integrity of India</p>
</li>
<li>
<p align="JUSTIFY">the security of the State</p>
</li>
<li>
<p align="JUSTIFY">friendly relations with foreign states</p>
</li>
<li>
<p align="JUSTIFY">public order</p>
</li>
<li>
<p align="JUSTIFY">for preventing incitement to the commission of an offense</p>
</li>
</ul>
<p align="JUSTIFY">However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regard to its potential misuse and subsequent violation of Indians' right to privacy and other human rights.</p>
<h2><b>So how does the Central Monitoring System (CMS) actually work?</b></h2>
<p align="JUSTIFY">We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized <a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system" class="external-link">access to the country's telecommunications network</a>. The question, though, is how.</p>
<p align="JUSTIFY">Well, prior to the CMS, all service providers in India were required to have <a class="external-link" href="http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece">Lawful Interception Systems</a> installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are <span class="internal-link">required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems</span>. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.</p>
<p align="JUSTIFY">In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the authority can also bypass service providers in gaining such access</a>. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.</p>
<p align="JUSTIFY">The above is illustrated in the following chart:</p>
<p align="JUSTIFY"><img src="http://editors.cis-india.org/chart_11.png" title="CMS chart" height="372" width="689" alt="CMS chart" class="image-inline" /></p>
<p align="JUSTIFY">The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, <span class="internal-link">70 ISF servers have been purchased for six License Service Areas</span> and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest are currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.</p>
<p align="JUSTIFY">The Centre for Development of Telematics plans to <span class="internal-link">integrate ISF servers which connect with the CMS in the premises of service providers </span>in the following regions:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Maharashtra</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (West)</p>
</li>
<li>
<p align="JUSTIFY">Andhra Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (East)</p>
</li>
<li>
<p align="JUSTIFY">Kerala</p>
</li>
<li>
<p align="JUSTIFY">Gujarat</p>
</li>
<li>
<p align="JUSTIFY">Madhya Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
</ul>
<p align="JUSTIFY">With regards to the UAS License Agreement that TSPs are required to comply with, <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amended clause 41.10</a> specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a <span class="internal-link">Memorandum of Understanding (MoU) for MPLS connectivity</span> has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, <span class="internal-link">Rs. 4.8 crore have been given to BSNL</span> for interconnecting 81 CMS locations of the following License Service Areas:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Mumbai</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
<li>
<p align="JUSTIFY">Rajasthan</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Karnataka</p>
</li>
<li>
<p align="JUSTIFY">Chennai</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
</ul>
<p align="JUSTIFY"><a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">Clause 41.10 of the UAS License Agreement</a> also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor <i>at least 30 simultaneous calls</i> for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:</p>
<ul>
<li>
<p align="JUSTIFY">Called/calling party mobile/PSTN numbers</p>
</li>
<li>
<p align="JUSTIFY">Time/date and duration of interception</p>
</li>
<li>
<p align="JUSTIFY">Location of target subscribers (Cell ID & GPS)</p>
</li>
<li>
<p align="JUSTIFY">Data records for failed call attempts</p>
</li>
<li>
<p align="JUSTIFY">CDR (Call Data Records) of Roaming Subscriber</p>
</li>
<li>
<p align="JUSTIFY">Forwarded telephone numbers by target subscriber</p>
</li>
</ul>
<p align="JUSTIFY">Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the data intercepted by all TSPs in India, which is stored in a central database. As of June 2013, <span class="internal-link">80% of the CMS Physical Data Centre has been built so far</span>.</p>
<p align="JUSTIFY">In short, the CMS replaces the existing manual system of interception and monitoring with an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. <span class="internal-link">Training has been imparted to the following law enforcement agencies</span>:</p>
<ul>
<li>
<p align="JUSTIFY">Intelligence Bureau (IB)</p>
</li>
<li>
<p align="JUSTIFY">Central Bureau of Investigation (CBI)</p>
</li>
<li>
<p align="JUSTIFY">Directorate of Revenue Intelligence (DRI)</p>
</li>
<li>
<p align="JUSTIFY">Research & Analysis Wing (RAW)</p>
</li>
<li>
<p align="JUSTIFY">National Investigation Agency (NIA)</p>
</li>
<li>
<p align="JUSTIFY">Delhi Police</p>
</li>
</ul>
<h2><b>And should we even be worried about the Central Monitoring System?</b></h2>
<p align="JUSTIFY">Well, according to the <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">brief material for the Honourable MOC and IT Press Briefing</a> on 16th July 2013, we should <i>not</i> be worried about the Central Monitoring System. Over the last year, <a class="external-link" href="http://www.livemint.com/Politics/pR5zc8hCD1sn3NWQwa7cQJ/The-new-surveillance-state.html">media reports</a> have expressed fear that the Central Monitoring System will infringe upon citizens' right to privacy and other human rights. However, <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">Indian authorities have argued that the Central Monitoring System will <i>better protect</i> the privacy of individuals</a> and maintain their security for the following reasons:</p>
<ol>
<li>
<p align="JUSTIFY">The CMS will <i>just automate</i> the existing process of interception and monitoring, and all the existing safeguards will continue to exist</p>
</li>
<li>
<p align="JUSTIFY">The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A</p>
</li>
<li>
<p align="JUSTIFY">The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted</p>
</li>
<li>
<p align="JUSTIFY">The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data</p>
</li>
<li>
<p align="JUSTIFY">A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard</p>
</li>
</ol>
<p align="JUSTIFY">While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start off by having a look at the above arguments.</p>
<p align="JUSTIFY">The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will <i>“just” </i>be automated, while posing no real threat. I fundamentally disagree with this argument for several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act, 2008</a>, and the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, potentially <a class="external-link" href="http://www.outlookindia.com/article.aspx?283149">infringes upon individuals' right to privacy</a> and other human rights.</p>
<p align="JUSTIFY">May I remind you of <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 69 of the Information Technology (Amendment) Act, 2008</a>, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_php=true&_type=blogs&_r=0">ambiguous matter</a>. And so, while the interception of communications in general is rather concerning due to draconian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something along the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”</p>
<p align="JUSTIFY">The second argument appears inadequate too. <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Section 5(2) of the Indian Telegraph Act, 1885</a>, states that the interception of communications can be carried out on the occurrence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates <i>targeted</i> surveillance, while the Central Monitoring System could potentially undertake <i>mass</i> surveillance. Since the process of interception is automated and, under clause 41.16 of the <a class="external-link" href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf">Unified License (Access Services) Agreement</a>, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurrence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.</p>
<p align="JUSTIFY">As for the third argument, it is not clear how <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">bypassing the nodal officers of TSPs</a> will enhance citizens' right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will cease to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?</p>
<p align="JUSTIFY">While the fourth argument makes a point about <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">differentiating the provisioning and requesting entities</a> with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.</p>
<p align="JUSTIFY">Furthermore, this argument states that the <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">CMS authority will not have access to content data</a>, but does not specify if it will have access to metadata. What's concerning is that <a href="http://editors.cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata" class="external-link">metadata can potentially be more useful for tracking individuals than content data</a>, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individual says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to counter the argument that the provisioning and requesting entities will be separate and will therefore protect individuals' privacy.</p>
<p align="JUSTIFY">The final argument appears to provide some promise, since <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the maintenance of a command log of all provisioning activities</a> could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS, which support the notion that it enhances individuals' right to privacy, appear to be inadequate, to say the least.</p>
<p align="JUSTIFY">In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it <a class="external-link" href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects individuals from abuse by those in power</a> and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.</p>
<p align="JUSTIFY">If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.</p>
<p align="JUSTIFY">After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.</p>
<p align="JUSTIFY"><i>How can we not be worried about the Central Monitoring System?</i></p>
<p align="JUSTIFY">The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.</p>
No publisher | maria | Surveillance, Internet Governance, SAFEGUARDS | 2014-02-22T13:50:37Z | Blog Entry
Moving Towards a Surveillance State
http://editors.cis-india.org/internet-governance/blog/moving-towards-surveillance-state
<b>The cyberspace is a modern construct of communication and today, a large part of human activity takes place in cyberspace. It has become the universal platform where business is executed, discourse is conducted and personal information is exchanged. However, the underbelly of the internet is also seen to host activities and persons who are motivated by nefarious intent. </b>
<hr />
<p>Note: The original tender document of the Assam Police dated 28.02.2013, along with several other tender documents for procurement of Internet and Voice Monitoring Systems, <a href="http://editors.cis-india.org/internet-governance/blog/tenders-eoi-press-release.zip" class="internal-link">is attached as a zip folder</a>.</p>
<hr />
<p style="text-align: justify; ">As highlighted in the <a href="http://necessaryandproportionate.net/#_edn2"><i>International Principles on the Application of Human Rights to Communications Surveillance</i></a><i>, </i>logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers, makes State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.<a href="#fn*" name="fr*">[*]</a> These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.</p>
<p style="text-align: justify; ">While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the <a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a> (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.</p>
<p style="text-align: justify; ">Although publicly available information regarding the Central Monitoring System is quite limited at the moment, it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009, as indicated by the <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679">press release</a> of the Ministry of Communications & Information. Implementation of the system started subsequently, as indicated by another government <a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747">press release</a>, and the Center for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT <a href="http://www.cdot.in/media/publications.htm">annual report</a> 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years, and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. <a href="http://articles.economictimes.indiatimes.com/2013-05-07/news/39091148_1_single-window-pranesh-prakash-internet">Media reports</a> indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and <a href="http://editors.cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy">wide gaps in procedure and law</a>. Moreover, the lack of a concrete privacy legislation, coupled with the absence of public discourse, indicates the state's lack of interest in the rights of the ordinary citizen. 
It is under these circumstances that awareness must first be raised regarding <a href="https://www.eff.org/deeplinks/state-surveillance-%26-human-rights">the risks of mass surveillance</a> to civil liberties, which, in the absence of established procedures protecting the rights of citizens, can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.</p>
<p style="text-align: justify; ">The architecture and working of a <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">proposed Internet Monitoring System</a> must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse and a committed effort to preserve the rights of citizens, especially the right to privacy, while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.</p>
<p style="text-align: justify; "><b>Internet Monitoring System: Setup and Working</b><br />Very broadly, the Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server, which includes all electronic correspondence (emails, chats or IMs, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subjected to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to a specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the Central Monitoring System still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the specifications revealed in the Assam Police <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">tender document</a> for the procurement of an Internet Monitoring System.</p>
<p style="text-align: justify; "><b>Setup</b><br />The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises, with the probes installed at various tapping points within the entire ISP network. A collection server is also installed and hosted at the site of the ISP. The collection server is used to collect, analyze, filter or simply aggregate the data from the ISP servers, and the data is transferred to a master aggregation server located at a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.</p>
<p style="text-align: justify; ">The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps are of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.</p>
<p style="text-align: justify; "><b>Types of data</b><br />The proposed internet monitoring system of the Assam state can provide network traffic interception, and a variety of internet protocols including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Session Initiation Protocol (SIP) and Voice over Internet Protocol (VoIP) can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.). The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address and routing address can be acquired along with the IP address and other details of the user.</p>
<p style="text-align: justify; ">Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed. The system also allows the capture of additional pages when they are updated, and can log periodical updates and other changes. This gives the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.</p>
<p style="text-align: justify; ">More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.</p>
<p>Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week. However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.</p>
<p style="text-align: justify; "><b>Types of Analysis</b><br />The Internet Monitoring System, apart from intercepting all the data generated through the Internet Service Providers, is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers. The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis to CDR analysis, timeline analysis and histogram based analysis from various sources.</p>
<p style="text-align: justify; ">The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content including comments and such can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.<br /><br />Based on the information, the analysis is supposed to provide the capability to identify suspicious behavior based on existing and new patterns as they emerge, which are continuously applied to combine incoming and existing information on people, profiles, transactions, social network, type of websites visited, time spent on websites, type of content downloaded or viewed and any other type of gatherable information. The solutions on the system are also supposed to create single, multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URLs, or packet routes that may be defined from time to time. Such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expression of joy, compassion and anger, as may be defined by the agency depending on operational and intelligence requirements. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users. 
<br /><br />Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created. Further, real time visualization showing results from real-time data can be generated which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web-intelligence and open source intelligence and allow capabilities like simultaneous search, which can be automated, providing a powerful tool for exploration of the intercepted data.<br /><br />Another important requirement mentioned in the tender document is the system’s capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies including fixed line and Blackberry services and encrypted IP services like Skype services.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />It is clear that a system like IMS with its extensive interception and analysis capabilities gives an agency or authority complete access to all information that is accessed or transmitted by a person on the internet, including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act. <br /><br />The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who accesses the internet. Tools like deep packet inspection and extensive data mining solutions, in the absence of concrete safeguards and when deployed through a centralized system, can be misused to censor any content including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can sometimes be misleading, and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security. 
Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that democratic values are preserved and not endangered by any act of reckless force.<br /><br />Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to ensure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.</p>
<hr />
<p>[<a href="#fr*" name="fn*">*</a>]. <a class="external-link" href="http://necessaryandproportionate.net/#_edn2">http://necessaryandproportionate.net/#_edn2</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/moving-towards-surveillance-state'>http://editors.cis-india.org/internet-governance/blog/moving-towards-surveillance-state</a>
</p>
No publisher | atreya | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T05:57:15Z | Blog Entry
How Surveillance Works in India
http://editors.cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india
<b>When the Indian government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention. </b>
<hr />
<p style="text-align: justify; ">This article by Pranesh Prakash was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">published in the New York Times</a> on July 10, 2013.</p>
<hr />
<p style="text-align: justify; ">After a colleague at the Centre for Internet and Society wrote about the program and it was <a href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">lambasted</a> by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about their own government’s surveillance programs.</p>
<p style="text-align: justify; ">In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.</p>
<p style="text-align: justify; ">This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies.<span id="more-66746"> </span> No intelligence agency in India has been created under an act of Parliament with <a href="http://articles.timesofindia.indiatimes.com/2013-02-02/india/36703357_1_intelligence-agencies-ntro-intelligence-bureau">clearly established roles and limitations on powers</a>, and hence <a href="http://articles.timesofindia.indiatimes.com/2012-03-26/chennai/31239894_1_ib-intelligence-bureau-officer-r-n-kulkarni">there is no public accountability whatsoever</a>.</p>
<p style="text-align: justify; ">The absence of accountability has meant that the government has <a href="http://articles.economictimes.indiatimes.com/2006-02-04/news/27434344_1_illegal-phone-indian-telegraph-act-security-agencies">since 2006</a> <a href="http://articles.timesofindia.indiatimes.com/2011-05-12/india/29535755_1_security-agencies-cms-intercept">been working on the C.M.S.</a>, which will integrate with the <a href="http://mha.nic.in/writereaddata/13040930061_Tr-ITJ-290411.pdf">Telephone</a> <a href="http://www.coraltele.com/support/GetPresentations.ashx?id=33">Call</a> <a href="http://indiatoday.intoday.in/story/government-plans-to-tighten-phone-tapping-norms/1/137251.html">Interception System</a> that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to <a href="http://www.outlookindia.com/article.aspx?265192">vast quantities of raw data traversing the Internet across multiple cities</a>, including the data going through the undersea cables that land in Mumbai.</p>
<p style="text-align: justify; ">With the C.M.S., the government will get <a href="http://www.thehindu.com/news/national/indias-surveillance-project-may-be-as-lethal-as-prism/article4834619.ece">centralized access to all communications metadata and content</a> traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.</p>
<table class="listing">
<tbody>
<tr>
<th>
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/Surveillance.png" alt="Internet Surfing" class="image-inline" title="Internet Surfing" /></p>
</th>
</tr>
<tr>
<td><span class="caption">A man surfing a Facebook page at an internet cafe in Guwahati, Assam, on Dec. 6, 2011. <br />Image Credit: </span><span class="credit">Anupam Nath/Associated Press</span></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.</p>
<p style="text-align: justify; ">There are no laws that allow for <i>mass</i> surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception. The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.</p>
<p style="text-align: justify; ">Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expanded the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.</p>
<p style="text-align: justify; ">Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.</p>
<p style="text-align: justify; ">Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to <a href="http://articles.timesofindia.indiatimes.com/2013-04-17/india/38615115_1_anurag-singh-arvind-dabas-naushad-ahmad-khan">the cellphone records of Arun Jaitley</a>, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).</p>
<p style="text-align: justify; ">To put the ridiculousness of the penalty in <a href="http://editors.cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009/">Sections 69</a> and <a href="http://editors.cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">69B</a> of the IT Act in perspective, an Intelligence Bureau officer who spills national secrets <a href="http://www.vakilno1.com/bareacts/laws/the-intelligence-organisations-restriction-of-rights-act-1985.html">may be imprisoned up to three years</a>. And under the Indian Penal Code, the punishment for failing to provide a document one is legally bound to provide to a public servant can be <a href="http://indiankanoon.org/doc/54229/">up to one month’s imprisonment</a>. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her <a href="http://lawcommissionofindia.nic.in/reports/180rpt.pdf">constitutional right against self-incrimination</a>. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.</p>
<p style="text-align: justify; ">As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known to use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)</p>
<p style="text-align: justify; ">Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”</p>
<p style="text-align: justify; ">Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)</p>
<p style="text-align: justify; ">In a landmark 1996 judgment, the Indian Supreme Court held that <a href="http://indiankanoon.org/doc/87862/">telephone tapping is a serious invasion of an individual’s privacy</a> and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india'>http://editors.cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india</a>
</p>
No publisher | pranesh | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T10:20:45Z | Blog Entry
Can India Trust Its Government on Privacy?
http://editors.cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy
<b>In response to criticisms of the Centralized Monitoring System, India’s new surveillance program, the government could contend that merely having the capability to engage in mass surveillance won’t mean that it will. Officials will argue that they will still abide by the law and will ensure that each instance of interception will be authorized.</b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's article was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/11/can-india-trust-its-government-on-privacy/">published in the New York Times</a> on July 11, 2013.</p>
<hr />
<p style="text-align: justify; ">In fact, they will argue that the program, known as C.M.S., will better safeguard citizens’ privacy: it will cut out the telecommunications companies, which can be sources of privacy leaks; it will ensure that each interception request is tracked and the recorded content duly destroyed within six months as is required under the law; and it will enable quicker interception, which will save more lives. But there are a host of reasons why the citizens of India should be skeptical of those official claims.</p>
<p style="text-align: justify; ">Cutting out telecoms will not help protect citizens from electronic snooping since these companies still have the requisite infrastructure to conduct surveillance. As long as the infrastructure exists, telecom employees will misuse it. In a 2010 report, the journalist M.A. Arun <a href="http://www.deccanherald.com/content/94085/big-brother-smaller-siblings-watching.html">noted</a> that “alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization.” Some years back, K.K. Paul, a top Delhi Police officer and now the Governor of Meghalaya, drafted a memo in which he noted mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of “opponents in trade or estranged spouses.” <span id="more-66976"> </span></p>
<p style="text-align: justify; ">India does not need to have centralized interception facilities to have centralized tracking of interception requests. To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities.</p>
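<p style="text-align: justify; ">The chain-of-custody tracking and six-month destruction check mentioned above can be implemented as a tamper-evident log. The following Python is an added example, not part of the original article or of any government system: the class and field names, the reading of "six months" as 183 days and the sample records are assumptions, and the log stores only a digest of the already-encrypted recording rather than performing the public-key encryption itself.</p>

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=183)  # assumption: "six months" modelled as 183 days
GENESIS = "0" * 64               # placeholder "previous MAC" for the first entry


def _digest(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class CustodyLog:
    """Append-only log in which each entry commits to the previous entry's MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def append(self, order_id, actor, action, when, ciphertext_sha256=None):
        body = {
            "seq": len(self.entries),
            "order_id": order_id,
            "actor": actor,
            "action": action,  # "intercepted", "accessed" or "destroyed"
            "when": when.isoformat(),
            "ciphertext_sha256": ciphertext_sha256,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=_digest(self._key, body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            # A removed or reordered entry breaks the sequence or the back-link.
            if body["seq"] != i or body["prev"] != prev:
                return i
            # An edited field no longer matches the stored MAC.
            if not hmac.compare_digest(entry["mac"], _digest(self._key, body)):
                return i
            prev = entry["mac"]
        return None

    def overdue(self, now):
        """Order ids intercepted more than RETENTION ago with no 'destroyed' entry."""
        intercepted, destroyed = {}, set()
        for e in self.entries:
            if e["action"] == "intercepted":
                intercepted.setdefault(e["order_id"], datetime.fromisoformat(e["when"]))
            elif e["action"] == "destroyed":
                destroyed.add(e["order_id"])
        return sorted(o for o, t in intercepted.items()
                      if o not in destroyed and now - t > RETENTION)


def build_sample(key=b"constructed-demo-key"):
    """Constructed sample records: order A is destroyed in time, order B is not."""
    log = CustodyLog(key)
    t0 = datetime(2013, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.append("ORDER-A", "agency-desk-1", "intercepted", t0,
               hashlib.sha256(b"constructed ciphertext A").hexdigest())
    log.append("ORDER-A", "analyst-7", "accessed", t0 + timedelta(days=3))
    log.append("ORDER-B", "agency-desk-2", "intercepted", t0 + timedelta(days=20),
               hashlib.sha256(b"constructed ciphertext B").hexdigest())
    log.append("ORDER-A", "records-officer", "destroyed", t0 + timedelta(days=170))
    return log


if __name__ == "__main__":
    log = build_sample()
    audit_time = datetime(2013, 1, 10, 9, 0, tzinfo=timezone.utc) + timedelta(days=250)
    print("chain intact:", log.verify() is None)
    print("overdue for destruction:", log.overdue(audit_time))
    log.entries[1]["actor"] = "someone-else"  # simulate an after-the-fact edit
    print("first bad entry after tampering:", log.verify())
```

<p style="text-align: justify; ">A chain like this detects edits and removals in the middle of the log but not truncation of its tail, so the most recent MAC has to be lodged periodically with a party outside the intercepting agency.</p>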
<p style="text-align: justify; ">At the moment, interception orders are given by the federal Home Secretary of India and by state home secretaries without adequate consideration. Every month at the federal level 7,000 to 9,000 phone taps are authorized or re-authorized. Even if it took just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests. The numbers in Indian states could be worse, but one can’t be certain as statistics on surveillance across India are not available. It indicates bureaucratic callousness and indifference toward following the procedure laid down in the Telegraph Act.</p>
<p style="text-align: justify; ">In a 1975 case, the Supreme Court held that an “economic emergency” may not amount to a “public emergency.” Yet we find that of the nine central government agencies empowered to conduct interception in India, according to press reports — Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency — three are exclusively dedicated to economic offenses.</p>
<p style="text-align: justify; ">Suspicion of tax evasion cannot legally justify a wiretap, which is why the government said it had believed that Nira Radia, a corporate lobbyist, was a <a href="http://www.hindustantimes.com/India-news/NewDelhi/2G-scam-Spy-link-sparked-Niira-Radia-phone-tap/Article1-636886.aspx">spy</a> when it defended putting a wiretap on her phone in 2008 and 2009. A 2011 report by the cabinet secretary pointed out that economic offenses might not be counted as “public emergencies,” and that the Central Board of Direct Taxes should not be empowered to intercept communications. Yet the tax department continues to be on the list of agencies empowered to conduct interceptions.</p>
<p style="text-align: justify; ">India has arrived at a scary juncture, where the multiple departments of the Indian government don’t even trust each other. India’s Department of Information Technology recently <a href="http://www.indianexpress.com/news/ntro-hacking-email-ids-of-officials-says-govts-it-dept/1105875/">complained</a> to the National Security Advisor that the National Technical Research Organization had hacked into National Informatics Center infrastructure and extracted sensitive data connected to various ministries. The National Technical Research Organization denied it had hacked into the servers but said hundreds of e-mail accounts of top government officials were compromised in 2012, including those of “the home secretary, the naval attaché to Tehran, several Indian missions abroad, top investigators of the Central Bureau of Investigation and the armed forces,” The Mint newspaper reported. Such incidents aggravate the fear that the Indian government might not be willing and able to protect the enormous amounts of information it is about to collect through the C.M.S.</p>
<p style="text-align: justify; ">Simply put, government entities have engaged in unofficial and illegal surveillance, and the C.M.S. is not likely to change this. In a 2010 <a href="http://www.outlookindia.com/article.aspx?265192">article</a> in Outlook, the journalist Saikat Datta described how various central and state intelligence organizations across India are illegally using off-the-air interception devices. “These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad,” Mr. Datta wrote. “The systems, mounted inside cars, are sent on ‘fishing expeditions,’ randomly tuning into conversations of citizens in a bid to track down terrorists.”</p>
<p style="text-align: justify; ">The National Technical Research Organization, which is not even on the list of entities authorized to conduct interception, is one of the largest surveillance organizations in India. The Mint <a href="http://www.livemint.com/Politics/xxpcezb6Yhsr69qZ5AklgM/Intelligence-committee-to-meet-on-govt-email-hacking.html">reported</a> last year that the organization’s surveillance devices, “contrary to norms, were deployed more often in the national capital than in border areas” and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. The organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which monumental amounts of Internet traffic are captured. In Mumbai, all the traffic passing through the undersea cables there is captured, Mr. Datta found.</p>
<p style="text-align: justify; ">In the western state of Gujarat, a recent investigation by Amitabh Pathak, the director general of police, revealed that in a period of less than six months, more than 90,000 requests were made for call detail records, including for the phones of senior police and civil service officers. This high a number could not possibly have been generated from criminal investigations alone. Again, these do not seem to have led to any criminal charges against any of the people whose records were obtained. The information seems to have been collected for purposes other than national security.</p>
<p style="text-align: justify; ">India is struggling to keep track of the location of its proliferating interception devices. More than 73,000 devices to intercept mobile phone calls have been imported into India since 2005. In 2011, the federal government <a href="http://www.indianexpress.com/news/ib-to-crack-down-on-illegal-use-of-offair-interception-equipment/800672/">asked</a> various state governments, private corporations, the army and intelligence agencies to surrender these to the government, noting that usage of any such equipment for surveillance was illegal. We don’t know how many devices were actually <a href="http://articles.timesofindia.indiatimes.com/2012-10-11/india/34386576_1_security-agencies-privacy-concerns-surrender">turned in</a>.</p>
<p style="text-align: justify; ">These kinds of violations of privacy can have very dangerous consequences. According to the former Intelligence Bureau head in the western state of Gujarat, R.B. Sreekumar, the call records of a mobile number used by Haren Pandya, the former Gujarat home minister, were used to confirm that it was he who had provided secret testimony to the Citizens’ Tribunal, which was conducting an independent investigation of the 2002 sectarian riots in the state. Mr. Pandya was murdered in 2003.</p>
<p style="text-align: justify; ">The limited efforts to make India’s intelligence agencies more accountable have gone nowhere. In 2012, the Planning Commission of India formed a group of experts under Justice A.P. Shah, a retired Chief Justice of the Delhi High Court, to look into existing projects of the government and to suggest principles to guide a privacy law in light of international experience. (The Centre for Internet and Society, where I work, was part of the group.) However, the government has yet to introduce a bill to protect citizens’ privacy, even though governmental and private sector violations of Indian citizens’ privacy are growing at an alarming rate.</p>
<p style="text-align: justify; ">In February, after frequent calls by privacy activists and lawyers for greater accountability and parliamentary oversight of intelligence agencies, the Centre for Public Interest Litigation filed a case in the Supreme Court. This would, one hopes, lead to reform.</p>
<p style="text-align: justify; ">Citizens must also demand that a strong Privacy Act be enacted. In 1991, the leak of a Central Bureau of Investigation report titled “Tapping of Politicians’ Phones” prompted the rights group People’s Union for Civil Liberties to file a writ petition, which eventually led to a Supreme Court of India ruling that recognized the right to privacy of communications for all citizens as part of the fundamental rights of freedom of speech and of life and personal liberty. However, through the 2008 amendments to the Information Technology Act, the IT Rules framed in 2011 and the telecom licenses, the government has greatly weakened the right to privacy as recognized by the Supreme Court. The damage must be undone through a strong privacy law that safeguards the privacy of Indian citizens against both the state and corporations. The law should not only provide legal procedures, but also ensure that the government does not employ technologies that erode legal procedures.</p>
<p style="text-align: justify; ">A strong privacy law should provide strong grounds on which to hold the National Security Advisor’s mass surveillance of Indians (over 12.1 billion pieces of intelligence in one month) unlawful. The law should ensure that Parliament, and Indian citizens, are regularly provided information on the scale of surveillance across India, and the convictions resulting from that surveillance. Individuals whose communications metadata or content is monitored or intercepted should be told about it after the passage of a reasonable amount of time. After all, the data should only be gathered if it is to charge a person with committing a crime. If such charges are not being brought, the person should be told of the incursion into his or her privacy.</p>
<p style="text-align: justify; ">The privacy law should ensure that all surveillance follows the following principles: legitimacy (is the surveillance for a legitimate, democratic purpose?), necessity (is this necessary to further that purpose? does a less invasive means exist?), proportionality and harm minimization (is this the minimum level of intrusion into privacy?), specificity (is this surveillance order limited to a specific case?), transparency (is this intrusion into privacy recorded and also eventually revealed to the data subject?), purpose limitation (is the data collected only used for the stated purpose?), and independent oversight (is the surveillance reported to a legislative committee or a privacy commissioner, and are statistics kept on surveillance conducted and criminal prosecution filings?). Constitutional courts such as the Supreme Court of India or the High Courts in the Indian states should make such determinations. Citizens should have a right to civil and criminal remedies for violations of surveillance laws.</p>
<p style="text-align: justify; ">Indian citizens should also take greater care of their own privacy and safeguard the security of their communications. The solution is to minimize usage of mobile phones and to use anonymizing technologies and end-to-end encryption while communicating on the Internet. Free and open-source software like OpenPGP can make e-mails secure. Technologies like off-the-record messaging, used in apps like ChatSecure and Pidgin for chat conversations, TextSecure for text messages, HTTPS Everywhere and Virtual Private Networks can prevent Internet service providers from being able to snoop, and make Internet communications anonymous.</p>
<p style="text-align: justify; ">The Indian government, and especially our intelligence agencies, violate Indian citizens’ privacy without legal authority on a routine basis. It is time India stops itself from sleepwalking into a surveillance state.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy'>http://editors.cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy</a>
</p>
No publisher; pranesh; Freedom of Speech and Expression, SAFEGUARDS, Internet Governance, Privacy; 2013-07-15T10:35:33Z; Blog Entry
The National Privacy Roundtable Meetings
http://editors.cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings
<b>The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<h3>Background: The Roundtable Meetings and Organisers</h3>
<p style="text-align: justify; "><a href="http://editors.cis-india.org/">CIS</a> is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. <a href="http://www.ficci.com/">FICCI</a> is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. <a href="http://www.dsci.in/">DSCI</a> is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. <a href="https://www.privacyinternational.org/">Privacy International</a> is a London-based non-profit organisation that defends and promotes the right to privacy across the world.</p>
<h3 style="text-align: justify; ">Privacy in the Common Law and in India</h3>
<p style="text-align: justify; ">Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.<a href="#fn1" name="fr1">[1] </a></p>
<p style="text-align: justify; ">The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons <i>inter se</i> demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.</p>
<p style="text-align: justify; ">Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.<a href="#fn2" name="fr2">[2]</a> In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of <i>Kharak Singh</i> (1964)<a href="#fn4" name="fr4">[4]</a> and <i>Gobind</i> (1975)<a href="#fn5" name="fr5">[5]</a> considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the <i>Rajagopal</i> case (1994),<a href="#fn6" name="fr6">[6]</a> the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, <i>Rajagopal</i> dealt specifically with a book; it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the <i>PUCL</i> case (1996)<a href="#fn7" name="fr7">[7]</a> and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.<a href="#fn8" name="fr8">[8] </a>A more robust statement of the right to privacy was made recently by the Delhi High Court in the <i>Naz </i><i>Foundation</i> case (2011)<a href="#fn9" name="fr9">[9] </a>that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.</p>
<h3 style="text-align: justify; ">Attempts to Create a Statutory Regime</h3>
<p style="text-align: justify; ">The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.<a href="#fn10" name="fr10">[10]</a></p>
<p>Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.</p>
<p style="text-align: justify; ">Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")<a href="#fn11" name="fr11">[11]</a> — were subsequently reviewed by the Committee on Subordinate Legislation of the 15<sup>th</sup> Lok Sabha.<a href="#fn12" name="fr12">[12]</a> The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.<a href="#fn13" name="fr13">[13]</a></p>
<p style="text-align: justify; ">In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.</p>
<p style="text-align: justify; ">Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the <i>Naz Foundation</i> case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.<a href="#fn14" name="fr14">[14]</a> These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.</p>
<h3 style="text-align: justify; ">Criminal Procedure and Special Laws Relating to Privacy</h3>
<p style="text-align: justify; ">While the <i>Kharak Singh</i> and <i>Gobind</i> cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.</p>
<p style="text-align: justify; ">The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007<a href="#fn15" name="fr15">[15]</a> to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the <i>PUCL</i> case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.<a href="#fn16" name="fr16">[16]</a> Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.</p>
<p style="text-align: justify; ">In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permits the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.<a href="#fn17" name="fr17">[17]</a></p>
<h3 style="text-align: justify; ">The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings</h3>
<p style="text-align: justify; ">In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.</p>
<p style="text-align: justify; ">Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:</p>
<ul>
<li style="text-align: justify; ">New Delhi: April 13, 2013 (<a class="external-link" href="http://bit.ly/17REl0W">http://bit.ly/17REl0W</a>) with 45 participants;</li>
<li style="text-align: justify; ">Bangalore: April 20, 2013 (<a class="external-link" href="http://bit.ly/162t8rU">http://bit.ly/162t8rU</a>) with 45 participants;</li>
<li style="text-align: justify; ">Chennai: May 18, 2013 (<a class="external-link" href="http://bit.ly/12ICGYD">http://bit.ly/12ICGYD</a>) with 25 participants;</li>
<li style="text-align: justify; ">Mumbai: June 15, 2013 (<a class="external-link" href="http://bit.ly/12fJSvZ">http://bit.ly/12fJSvZ</a>) with 20 participants;</li>
<li style="text-align: justify; ">Kolkata: July 13, 2013 (<a class="external-link" href="http://bit.ly/11dgINZ">http://bit.ly/11dgINZ</a>) with 25 participants; and</li>
<li style="text-align: justify; ">New Delhi: August 24, 2013 (<a class="external-link" href="http://bit.ly/195cWIf">http://bit.ly/195cWIf</a>) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, Dan Solove, “A Taxonomy of Privacy” <i>University of Pennsylvania Law Review</i> (Vol. 154, No. 3, January 2006).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. <i>Wainwright</i> v. <i>Home Office</i> [2003] UKHL 53.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. See <i>A</i> v. <i>B plc</i> [2003] QB 195; <i>Wainwright</i> v. <i>Home Office </i>[2001] EWCA Civ 2081; <i>R (Ellis)</i> v. <i>Chief Constable of Essex Police</i> [2003] EWHC 1321 (Admin).</p>
<p>[<a href="#fr4" name="fn4">4</a>]. <i>Kharak Singh</i> v. <i>State of Uttar Pradesh</i> AIR 1963 SC 1295.</p>
<p>[<a href="#fr5" name="fn5">5</a>]. <i>Gobind</i> v. <i>State of Madhya Pradesh</i> AIR 1975 SC 1378.</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <i>R. Rajagopal</i> v. <i>State of Tamil Nadu</i> AIR 1995 SC 264.</p>
<p>[<a href="#fr7" name="fn7">7</a>]. <i>People’s Union for Civil Liberties</i> v. <i>Union of India</i> (1997) 1 SCC 30.</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in <i>Maneka Gandhi</i> v. <i>Union of India</i> AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.</p>
<p>[<a href="#fr9" name="fn9">9</a>]. <i>Naz Foundation</i> v. <i>Government of NCT Delhi</i> (2009) 160 DLT 277.</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can be found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law"<i> International Data Privacy Law</i> (47-69, Vol. 1, No. 1, March 2011).</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – <a href="http://editors.cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011">http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14<sup>th</sup> edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.</p>
<p>[<a href="#fr13" name="fn13">13</a>]. See the 31<sup>st</sup> Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect <i>vide</i> Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. See, <i>inter alia</i>, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings'>http://editors.cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</a>
</p>
No publisher; bhairav; SAFEGUARDS, Internet Governance, Privacy; 2014-03-21T10:03:44Z; Blog Entry
Report on the 1st Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting
<b>This report provides an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li style="text-align: justify; ">New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p>This <a href="http://editors.cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf" class="internal-link">report </a>provides an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</p>
<h2><b>Overview of Justice A P Shah Report: Purpose, Principles and Framework</b></h2>
<p style="text-align: justify; ">The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.</p>
<p style="text-align: justify; ">During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals’ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized the creation of “light-weight” privacy legislation, which would protect individuals’ right to privacy, without infringing upon the interests of the private sector.</p>
<p style="text-align: justify; ">Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:</p>
<ul style="text-align: justify; ">
<li>The purpose of the collection of data</li>
<li>The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case</li>
<li>Data is shared with third parties and it is hard to control how long they retain the data for</li>
<li>Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data</li>
</ul>
<p style="text-align: justify; ">Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follows the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation are approved by the Privacy Commissioner.</p>
<p style="text-align: justify; ">While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.</p>
<p style="text-align: justify; ">The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.</p>
<p style="text-align: justify; ">The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.</p>
<h3 style="text-align: justify; ">Discussion Highlights:</h3>
<ul style="text-align: justify; ">
<li>The pros and cons of self-regulation and co-regulation</li>
<li>The national privacy principles – and how to build in insurance for technology</li>
<li>The role of the Privacy Commissioner</li>
<li>The definition of terms used in the draft Privacy (Protection) Bill 2013 </li>
</ul>
<p style="text-align: justify; "> </p>
<h2><b>Overview, explanation and discussion on the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.</p>
<p style="text-align: justify; ">During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.</p>
<p style="text-align: justify; ">Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.</p>
<p style="text-align: justify; ">As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished from personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.</p>
<p style="text-align: justify; ">Many participants agreed that India´s proposed Privacy Law should meet <i>global standards </i>in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.</p>
<p style="text-align: justify; ">The issue of to whom privacy laws would apply was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.</p>
<p style="text-align: justify; ">The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.</p>
<p style="text-align: justify; ">The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.</p>
<p style="text-align: justify; ">Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.</p>
<p style="text-align: justify; ">During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on <i>where </i>it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.</p>
<p style="text-align: justify; ">The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request authorisation once the interception has already been conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.</p>
<p style="text-align: justify; ">The second session of the meeting concluded by emphasizing the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.</p>
<h3>Discussion Highlights:</h3>
<ul>
<li>If the draft Privacy (Protection) Bill 2013 should be split to two separate Bills</li>
<li><span>Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)</span></li>
<li>If personal data should be distinguished in the private and public sector</li>
<li>If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards</li>
<li>The nuances of consumer consent</li>
<li>Various ways to define ´public figures´</li>
<li>Freedom of expression in the context of the draft Privacy (Protection) Bill 2013 </li>
<li>The distinction between exemptions and exceptions</li>
</ul>
<p> </p>
<h2><b>In depth explanation and discussions regarding the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.</p>
<p style="text-align: justify; ">The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals <i>choose</i> to disclose a large amount of information.</p>
<p style="text-align: justify; ">The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information, as this would be highly inconvenient.</p>
<p style="text-align: justify; ">Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.</p>
<p style="text-align: justify; ">A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users´ data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers´ data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized the futility of informing customers of the handling of their data, especially since the average customer would not understand the security setting of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.</p>
<p style="text-align: justify; ">In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.</p>
<p style="text-align: justify; ">In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.</p>
<p style="text-align: justify; ">Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.</p>
<p style="text-align: justify; ">The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term ´data´. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the ´Right to be Forgotten´ debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.</p>
<p style="text-align: justify; ">The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to ´sensitive personal data´. The need for the redefinition of the term ´sensitive personal data´ in the draft Privacy Bill was emphasized again, as well as participants´ concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should <i>not </i>be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may have not considered when granting initial consent.</p>
<p style="text-align: justify; ">The meeting proceeded to discuss the processing of data and several participants emphasized upon the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies. <span> </span></p>
<h3>Discussion Highlights:</h3>
<ul>
<li>The different instances of data collection and consumer consent</li>
<li>The nuances of data sharing </li>
<li>The issue of consumer consent and security assurances offered by companies</li>
<li>The pros and cons of having a data retention regulatory framework</li>
<li>How transparency is incorporated into the draft Privacy Protection Bill 2013 </li>
<li>What is needed in provisions that speak to data destruction</li>
</ul>
<h2>Meeting conclusion</h2>
<p style="text-align: justify; ">The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals´ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.</p>
<p style="text-align: justify; ">Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="internal-link">Privacy Protection Bill, 2013</a> based on participants´ feedback, concerns, comments and ideas.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting'>http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting</a>
</p>
No publisher, maria, SAFEGUARDS, Internet Governance, Privacy, 2013-07-30T11:11:11Z, Blog Entry
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, <a href="http://editors.cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.<a href="http://editors.cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="http://editors.cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. <a href="http://editors.cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Centre for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a><a class="moz-txt-link-freetext" href="http://www.business-standard.com/article/economy-policy/india-threatens-to-stall-trade-talks-with-eu-113050900020_1.html"></a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister Seeks stand alone privacy legislation, writes PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<div id="_mcePaste"><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation'>http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation</a>
</p>
No publisher, elonnai, SAFEGUARDS, Internet Governance, Privacy, 2013-07-12T11:07:58Z, Blog Entry
India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed
http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance
<b>As of last week, it is officially confirmed that the metadata of everyone´s communications is under the NSA´s microscope. In fact, the leaked data shows that India is one of the countries which is under NSA surveillance the most! </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was <a class="external-link" href="http://www.medianama.com/2013/06/223-what-does-nsa-prism-program-mean-to-india-cis-india/">cross-posted in Medianama</a> on 24th June 2013. <br /></i></p>
<hr />
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the Democratic senator, </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">Ron Wyden, asked James Clapper</a><span>, the director of national intelligence, a few months ago. “No sir”, replied Clapper.</span></blockquote>
<p dir="ltr" style="text-align: justify; "> </p>
<p dir="ltr" style="text-align: justify; "><span>True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Americans, Indians, Egyptians, Iranians, Pakistanis and others</span></a><span> all around the world.</span></p>
<p><span> </span></p>
<h2>Leaked NSA surveillance</h2>
<p><span> </span></p>
<h3><span>Verizon Court Order</span></h3>
<p style="text-align: justify; ">Recently, the <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">Guardian released</a> a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.</p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://yahoo.usatoday.com/news/washington/2006-05-10-nsa_x.htm"><span>USA Today reported in 2006</span></a><span> that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the </span><a href="http://www.guardian.co.uk/world/interactive/2013/jun/06/verizon-telephone-data-court-order"><span>April 25 top secret order</span></a><span> is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 9/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes </span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span>metadata </span></a><span>such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time of all calls.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. </span><a href="https://www.privacyinternational.org/blog/top-secret-nsa-program-spying-on-millions-of-us-citizens"><span>Privacy and human rights concerns</span></a><span> arise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens' communications and lives.</span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span> Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically</span></a><span>, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.</span></p>
<p><span> </span></p>
<h3><span>PRISM</span></h3>
<p align="JUSTIFY">Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by <a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html">The Washington Post</a>. Apparently, not only is the NSA gaining access to the metadata of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to <a href="http://www.bbc.co.uk/news/business-22867185">disclose the security requests</a> they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.</p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Yet it appears that the </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>PRISM online surveillance programme</span></a><span> enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The </span><a href="http://www.guardian.co.uk/world/2013/jun/09/prism-gchq-william-hague-statement"><span>Guardian reported</span></a><span> that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>James R. Clapper, the US Director of National Intelligence, </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>stated</span></a><span>:</span></p>
<p><span> </span></p>
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“</span><span>Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”</span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world. </span></p>
<h3><span>Boundless Informant</span></h3>
<p dir="ltr" style="text-align: justify; "><span>And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data? </span></p>
<p dir="ltr" style="text-align: justify; "><span>The Guardian released top secret documents about the NSA data mining tool, called </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span>; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide. </span></p>
<p dir="ltr" style="text-align: justify; "><span>The following </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>“global heat map”</span></a><span> reveals how much data is being collected by the NSA from around the world:</span></p>
<p dir="ltr" style="text-align: justify; "><span><img src="http://editors.cis-india.org/BoundlessInformantmap.jpg" alt="Boundless Informant: &quot;Global Heat Map&quot;" class="image-inline" title="Boundless Informant: &quot;Global Heat Map&quot;" /></span></p>
<p><span style="text-align: justify; ">The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.</span></p>
<p dir="ltr" style="text-align: justify; "><span>During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with </span><a href="http://epaper.timesofindia.com/Default/Scripting/ArticleWin.asp?From=Archive&Source=Page&Skin=ETNEW&BaseHref=ETBG/2013/06/12&PageLabel=20&ForceGif=true&EntityId=Ar02002&ViewMode=HTML"><span>15% of all information</span></a><span> being tapped by the NSA coming from India during February-March 2013. </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance"><span>Edward Snowden</span></a><span> is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.</span></p>
<p dir="ltr" style="text-align: justify; "><span><a href="http://www.youtube.com/v/5yB3n9fu-rM">http://www.youtube.com/v/5yB3n9fu-rM</a></span></p>
<p><br /><span> </span></p>
<h2><span>So what does this all mean for India?</span></h2>
<p dir="ltr" style="text-align: justify; "><span>In his </span><a href="http://www.youtube.com/watch?v=Wl5OQz0Ko8c"><span>keynote speech at the 29th Chaos Communications Congress</span></a><span>, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone's department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have </span><a href="http://space.jpl.nasa.gov/msl/Programs/corona.html"><span>a history of spying on civilians</span></a><span>, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s are proof of that. But how does all this affect India?</span></p>
<p dir="ltr" style="text-align: justify; "><span>By </span><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=1&"><span>tapping into the servers of some of the biggest Internet companies in the world,</span></a><span> such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span> data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?</span></p>
<p dir="ltr" style="text-align: justify; "><span>India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians' data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Recent reports that the NSA is tapping into these servers ultimately mean that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Many questions remain vague, but one thing is clear: through the NSA's total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It's not just about the U.S. government having access to Indians' data, because access can lead to control and, according to security expert </span><a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/05/securitymatters_0515"><span>Bruce Schneier</span></a><span>:</span></p>
<blockquote class="italized"><span> “Our data reflects our lives...and those who control our data, control our lives”. </span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in </span><a href="http://www.bbc.co.uk/news/business-22867185"><span>corporations seeking data request transparency</span></a><span>, but also because they are unveiling a major global issue: surveillance is a fact and can no longer be denied. The massive, indiscriminate collection of Indians' data, without their prior knowledge or consent, and without the provision of guarantees with regard to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since </span><a href="http://www.statsoft.com/textbook/data-mining-techniques/"><span>the larger the database, the larger the probability for error</span></a><span>. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since </span><a href="http://dspace.flinders.edu.au/xmlui/bitstream/handle/2328/26269/wahlstrom%20on%20the%20impact.pdf;jsessionid=D948EDED21805D871C18E6E4B07DAE14?sequence=1"><span>technology is not infallible </span></a><span>and data trails are not always accurate.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even </span><a href="http://www.time.com/time/world/article/0,8599,2097899,00.html"><span>murdered - remember the drones</span></a><span>?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?</span></p>
<p><span> </span></p>
<h2><span>What can we do now?</span></h2>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Let's start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>As a next, but immediate, step, the Indian government should demand answers from the NSA to the following questions:</span></p>
<p><span> </span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>What type of data is collected from India and which parties have access to it?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>How long is such data retained for? Can the retention period be renewed and if so, for how long?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?</span></p>
</li>
</ul>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>In addition to the above questions, the Indian government should also request all other information relating to Indians' data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians' data is prevented and that Internet companies are transparent and accountable with regard to who has access to their servers.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>On an individual level, Indians can protect their data by using encryption, such as </span><a href="http://www.gnupg.org/"><span>GPG encryption</span></a><span> for their emails and </span><a href="https://www.encrypteverything.ca/index.php/Setting_up_OTR_and_Pidgin"><span>OTR encryption</span></a><span> for instant messaging. </span><a href="https://www.torproject.org/"><span>Tor</span></a><span> is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.</span></p>
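The layering described above, shown as an added example (not code from the original post or from the Tor Project): a toy three-relay circuit in Python in which each relay removes one layer and learns only the next hop. The HMAC-SHA256 stream construction stands in for Tor's real cryptography and cell format, and the relay names, keys and message are constructed for illustration.

```python
"""Toy onion-layering demo. NOT Tor's real cryptography or cell format."""
import hashlib
import hmac
import json
import os

DESTINATION = "destination"  # hypothetical label for the final recipient


def _subkey(key, label):
    # Derive separate encryption and MAC keys from one per-relay key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (toy construction).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify and decrypt one layer; raise ValueError for a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("layer too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def wrap(message, circuit):
    """Client side: encrypt for the exit relay first, then outward to the entry relay."""
    payload, next_hop = message, DESTINATION
    for name, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload = seal(key, layer)
        next_hop = name
    return payload


def peel(key, blob):
    """Relay side: remove exactly one layer and learn only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def route(onion, circuit):
    """Pass the onion along the circuit, recording what each relay learns."""
    keys = dict(circuit)
    hop, blob, learned = circuit[0][0], onion, []
    while hop != DESTINATION:
        next_hop, blob = peel(keys[hop], blob)
        learned.append((hop, next_hop))
        hop = next_hop
    return learned, blob


def demo_circuit():
    # Constructed sample: three relays with random per-relay keys.
    return [(name, os.urandom(32)) for name in ("entry", "middle", "exit")]


if __name__ == "__main__":
    circuit = demo_circuit()
    learned, delivered = route(wrap(b"constructed sample message", circuit), circuit)
    for relay, next_hop in learned:
        print(f"{relay} forwards to {next_hop}")
    print(delivered)
```

The exit relay recovers the message exactly as the client sent it, so the layers protect the routing only; the payload itself still needs end-to-end encryption such as HTTPS.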
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>To avoid surveillance, the use of </span><a href="https://www.eff.org/https-everywhere"><span>HTTPS-Everywhere</span></a><span> in the </span><a href="https://www.torproject.org/download/download-easy.html"><span>Tor Browser</span></a><span> is recommended, as well as the use of combinations of additional software, such as </span><a href="https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/"><span>TorBirdy</span></a><span> and </span><a href="http://www.enigmail.net/home/index.php"><span>Enigmail</span></a><span>, OTR and </span><a href="https://joindiaspora.com/"><span>Diaspora</span></a><span>. </span><a href="https://blog.torproject.org/blog/prism-vs-tor"><span>Tor hidden services are communication endpoints </span></a><span>that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA's surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it's a fact. And why is it vital to protect our data? Because if we don't, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>The </span><a href="http://necessaryandproportionate.net/"><span>principles</span></a><span> formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these </span><a href="http://editors.cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights"><span>principles</span></a><span> are:</span></p>
<p><span> </span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legality</b>: Limitations to the right to privacy must be prescribed by law</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legitimate purpose</b>: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Necessity</b>: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Adequacy</b>: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Competent authority</b>: Authorities must be competent when making determinations relating to communications or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Due process</b>: Governments must respect and guarantee an individual's human rights, any interference with such rights must be authorised in law, and the lawful procedure that governs how the government can interfere with those rights must be properly enumerated and available to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>User notification</b>: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Integrity of communications and systems</b>: Service providers are responsible for the secure transmission and retention of communications data or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards for international cooperation</b>: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation</p>
</li>
</ul>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Applying the above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for </span><span>everyone </span><span>to fight for their right to be free.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span><i>Is a world without freedom worth living in?</i></span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance'>http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance</a>
</p>
No publisher
maria
SAFEGUARDS, Internet Governance, Privacy
2013-11-06T10:20:46Z
Blog Entry
The Difficult Balance of Transparent Surveillance
http://editors.cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance
<b>Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other Silicon Valley giants would say no. When customers join these services, each company provides its own privacy statement which assures customers of the safety and transparency that accompanies their personal data.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.</p>
<p style="text-align: justify; ">So it seems that transparency might not be too much to ask, but is perhaps a more complicated request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">So we must unpack the idea of transparency.</p>
<p style="text-align: justify; ">First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?</p>
<p style="text-align: justify; ">Reactive transparency has been achieved only in recent years in India, during a number of well-publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications filed an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It disclosed that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 phones tapped in the Delhi region alone in 2005.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">But there has also been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found through spying? Citizens must take all of this into consideration when requesting transparency.</p>
<p style="text-align: justify; ">Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, <i>so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds</i>.” <a href="#fna" name="fra">[a]</a> Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook <a href="#fna" name="fra">[a]</a>, Apple <a href="#fnb" name="frb">[b]</a>, Microsoft <a href="#fnc" name="frc">[c]</a>, and Google <a href="#fnd" name="frd">[d]</a>) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14<sup>th</sup>, “We have not received any national security orders <i>of the type that Verizon was reported to have received</i>.” <a href="#fnc" name="frc">[c]</a> Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&amp;T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.</p>
<p style="text-align: justify; ">Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.</p>
<p style="text-align: justify; ">But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS,<a href="#fn4" name="fr4">[4]</a> but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the <a href="http://editors.cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">petition</a> as an Indian agency is not involved.”<a href="#fn5" name="fr5">[5]</a><a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.</p>
<p style="text-align: justify; ">For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.<a href="#fn7" name="fr7">[7]</a> India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong reason to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.<a href="#fn8" name="fr8">[8]</a> It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.</p>
<p style="text-align: justify; ">The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.<a href="#fn5" name="fr5">[5]</a> If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.</p>
<p style="text-align: justify; ">Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases the likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of <i>who</i> citizens prefer to have spying on them.</p>
<p style="text-align: justify; ">Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self-reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impending critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.<a href="#fn9" name="fr9">[9]</a> Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”<a href="#fnc" name="frc">[c]</a></p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a href="http://digitaldueprocess.org/">http://digitaldueprocess.org/</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://bit.ly/151Ue1H">http://bit.ly/151Ue1H</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://bit.ly/12XDb1Z">http://bit.ly/12XDb1Z</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://ti.me/11Xh08V">http://ti.me/11Xh08V</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a href="http://editors.cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh</a> [attached]</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://bit.ly/1aXWdbU">http://bit.ly/1aXWdbU</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://1.usa.gov/qafcXe">http://1.usa.gov/qafcXe</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://bit.ly/114hcCX">http://bit.ly/114hcCX</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="http://bit.ly/156wspI">http://bit.ly/156wspI</a></p>
<hr />
<p>[<a href="#fra" name="fna">a</a>]. <b>Facebook Statement</b>: <a class="external-link" href="http://bit.ly/ZQDcn6">http://bit.ly/ZQDcn6</a></p>
<p>[<a href="#frb" name="fnb">b</a>]. <b>Apple Statement</b>: <a class="external-link" href="http://bit.ly/1akaBuN">http://bit.ly/1akaBuN</a></p>
<p>[<a href="#frc" name="fnc">c</a>]. <b>Microsoft Statement</b>: <a class="external-link" href="http://bit.ly/1bFIt31">http://bit.ly/1bFIt31</a></p>
<p>[<a href="#frd" name="fnd">d</a>]. <b>Google Statement</b>: <a class="external-link" href="http://bit.ly/16QlaqB">http://bit.ly/16QlaqB</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance'>http://editors.cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance</a>
</p>
No publisher | kovey | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T04:23:35Z | Blog Entry
Interview with Bruce Schneier - Internationally Renowned Security Technologist
http://editors.cis-india.org/internet-governance/blog/interview-with-bruce-schneier
<b>Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; "><a class="external-link" href="https://www.schneier.com/about.html">Bruce Schneier</a> is an internationally renowned security technologist, called a "security guru" by <cite>The Economist</cite>.</p>
<p style="text-align: justify; ">He is the author of 12 <a href="https://www.schneier.com/books.html">books</a> -- including <a href="https://www.schneier.com/book-lo.html"><cite>Liars and Outliers: Enabling the Trust Society Needs to Survive</cite></a> -- as well as hundreds of articles, <a href="https://www.schneier.com/essays.html">essays</a>, and <a href="https://www.schneier.com/cryptography.html">academic papers</a>. His influential newsletter "<a href="https://www.schneier.com/crypto-gram.html">Crypto-Gram</a>" and his blog "<a href="https://www.schneier.com/about.html">Schneier on Security</a>" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly <a href="https://www.schneier.com/news.html">quoted</a> in the press.</p>
<p style="text-align: justify; ">Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for <a href="http://www.bt.com/">BT</a> -- formerly British Telecom.</p>
<p style="text-align: justify; ">The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">Do you think India needs privacy legislation? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">How can individuals protect their data (and themselves) from spyware, such as FinFisher?</p>
</li>
<li>
<p align="JUSTIFY">How would you advise young people working in the surveillance industry?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/mpKaXW_hwcE" width="250"></iframe></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/interview-with-bruce-schneier'>http://editors.cis-india.org/internet-governance/blog/interview-with-bruce-schneier</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-10-17T08:54:32Z | Blog Entry