The Centre for Internet and Society
http://editors.cis-india.org
State Surveillance and Human Rights Camp: Summary
http://editors.cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications metadata to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments are rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a>.</p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute.</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority.</p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.</p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.</p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The government's ability to surveil communications and the process for surveillance should be transparent to the public.</p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.</p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications, governments cannot require service providers to build in surveillance or monitoring capabilities.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to deter unwarranted surveillance of communications.</p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. The sensitivity of communication data, the ability to derive personal information from it, the ease with which law enforcement is accessing it, and the individual's unawareness of that access together place the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">The ways in which governments and law enforcement access information, and the associated challenges, were discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that traditional forms of accessing data are no longer effective for governments for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to surveil individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example, in 2012 it was found that FinSpy, computer espionage software made by the British company Gamma Group, was being used by the Government of Bahrain to target political dissidents. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows ISPs to monitor and filter data flowing through the network by inspecting both the header and the content of each packet of data.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISPs to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>]. Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. Available at: <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner, M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>]. Chirgwin, R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
No publisher | elonnai | Internet Governance, SAFEGUARDS | 2013-07-12T16:02:51Z | Blog Entry
Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry
http://editors.cis-india.org/internet-governance/blog/spy-files-three
<b>In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights. </b>
<p align="JUSTIFY">Last month, WikiLeaks released <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html">“Spy Files 3”</a></span>, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which comprise brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.</p>
<h2><b>So what do the latest Spy Files reveal about India?</b></h2>
<p align="JUSTIFY">When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">India is once again on the list</a></span> with some of the most controversial spyware.</p>
<h3><b>ISS World Surveillance Trade Shows</b></h3>
<p align="JUSTIFY">The latest Spy Files include a <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure of the ISS World 2013</a></span>, the so-called “wiretapper’s ball”, which is the world’s largest surveillance trade show. <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_ap/">This year’s ISS World Asia</a></span> will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech.
The <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">leaked ISS World 2013 brochure</a></span> contains a list of last year’s global attendees. According to the brochure, 53% of the attendees were law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and private enterprises. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.</p>
<p align="JUSTIFY">The following table lists the <a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"><span style="text-decoration: underline;"><i>Indian</i> attendees at last year’s ISS World</span></a>:</p>
<table class="plain">
<tbody>
<tr>
<th>
<p align="JUSTIFY"><span><span><b>Law Enforcement, Defense and Interior Security Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>Telecom Operators and Private Enterprises Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>ISS Vendors and Technology Integrators Attendees</b></span></span></p>
</th>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Andhra Pradesh India Police</span></span></span></p>
</td>
<td>
<p align="JUSTIFY">BT</p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>AGC Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>CBI Academy</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Cogence Investment Bank</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Aqsacom India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Government of India, Telecom Department</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>India Reliance Communications</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>ClearTrail Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Cabinet Secretariat</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Span Telecom Pvt. Ltd.</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Foundation Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Centre for Development of Telematics (C-DOT)</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY">Kommlabs</p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Chandigarh Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Paladion Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Defence Agency</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polaris Wireless</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India General Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polixel Security Systems</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Intelligence Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Pyramid Cyber Security</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India National Institute of Criminology</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Schleicher Group</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India office LOKAYUKTA NCT DELHI</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Span Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Police Department, A.P.</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>TATA India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Tamil Nadu Police Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Tata Consultancy Services</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Police Service, Vigilance</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Telecommunications India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Telecommunications Authority</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Vehere Interactive</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>NTRO India</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>SAIC Indian Tamil Nadu Police</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<table class="plain">
<tbody>
<tr>
<th>Total: 17</th>
<th>Total: 4</th>
<th>Total: 15</th>
</tr>
</tbody>
</table>
<p align="JUSTIFY">According to the above table, which is based on data from the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">WikiLeaks’ ISS World 2013 brochure</a></span>, the majority of Indian attendees at last year’s ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP, Reliance Communications, attended the trade show too.</p>
<p align="JUSTIFY">In addition to the ISS World 2013 brochure, the Spy Files 3 include a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.</p>
<h3><b>ClearTrail Technologies</b></h3>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.clear-trail.com/">ClearTrail Technologies</a></span> is an Indian company based in Indore. The document titled <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“Internet Monitoring Suite”</a></span> from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:</p>
<p align="JUSTIFY"><b>1. ComTrail: Mass Monitoring of IP and Voice Networks</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.</p>
<p align="JUSTIFY">ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, recording and replay of a variety of Voice and IP communications in pretty much any type of communication, including, but not limited to, Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.</p>
<p align="JUSTIFY">Additionally, ComTrail intercepts data from any type of network (whether wireless, packet data, wireline or VoIP networks) and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.</p>
<p align="JUSTIFY">In short, ComTrail’s key features include the following:</p>
<p align="JUSTIFY">- Equipped to handle millions of communications per day intercepted over high speed STM &amp; Ethernet Links</p>
<p align="JUSTIFY">- Doubles up as Targeted Monitoring System</p>
<p align="JUSTIFY">- On demand data retention, capacity exceeding several years</p>
<p align="JUSTIFY">- Instant Analysis across thousands of Terabytes</p>
<p align="JUSTIFY">- Correlates Identities across multiple networks</p>
<p align="JUSTIFY">- Speaker Recognition and Target Location</p>
<p align="JUSTIFY"><b>2. xTrail: Targeted IP Monitoring</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">xTrail</span></a> is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks, including wireline, wireless, cable, VoIP and VSAT networks, and acts as a black box to “record and replay” targeted Internet communications.</p>
<p align="JUSTIFY">Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.</p>
<p align="JUSTIFY">In short, xTrail’s key features include the following:</p>
<p align="JUSTIFY">- Pure passive probe</p>
<p align="JUSTIFY">- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways</p>
<p align="JUSTIFY">- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic</p>
<p align="JUSTIFY">- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location</p>
<p align="JUSTIFY">- Huge data retention, rich analysis interface and tamper proof court evidence</p>
<p align="JUSTIFY">- Easily integrates with any existing centralized monitoring system for extended coverage</p>
<p align="JUSTIFY"><b>3. QuickTrail: Tactical Wi-Fi Monitoring</b></p>
<p align="JUSTIFY">Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.</p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.</p>
<p align="JUSTIFY">According to ClearTrail’s brochure, QuickTrail is an “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN, and capture, reconstruct and replay communications. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.</p>
<p align="JUSTIFY">In short, QuickTrail’s key features include the following:</p>
<p align="JUSTIFY">- Conveniently housed in a laptop computer</p>
<p align="JUSTIFY">- Intercepts Wi-Fi and wired LANs in five different ways</p>
<p align="JUSTIFY">- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks</p>
<p align="JUSTIFY">- Deploys spyware into a target’s machine</p>
<p align="JUSTIFY">- Monitors Gmail, Yahoo and all other HTTPS-based communications</p>
<p align="JUSTIFY">- Reconstructs webmails, chats, VoIP calls, news groups and social networks</p>
<p align="JUSTIFY"><b>4. mTrail: Off-The-Air Interception</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 MHz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in stealth mode, so that there is no dependence on the network operator and the target is unaware that its communications are being intercepted.</p>
<p align="JUSTIFY">The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.</p>
<p align="JUSTIFY">Target location identification is supported by using signal strength and target numbers, such as IMSI, TMSI, IMEI or MSISDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.</p>
<p align="JUSTIFY">In short, mTrail’s key features include the following:</p>
<p align="JUSTIFY">- Designed for passive interception of GSM communications</p>
<p align="JUSTIFY">- Intercepts Voice and SMS “off-the-air”</p>
<p align="JUSTIFY">- Detects the location of the target</p>
<p align="JUSTIFY">- Can be deployed as a fixed unit or mounted in a surveillance van</p>
<p align="JUSTIFY">- No support required from GSM operator</p>
<p align="JUSTIFY"><b>5. Astra: Remote Monitoring and Infection framework</b></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“Astra”</a></span> is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.</p>
<p align="JUSTIFY">The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment <i>without</i> requiring any physical access to the target device.</p>
<p align="JUSTIFY">In particular, Astra can push a bot to <i>any</i> targeted machine sharing the <i>same</i> LAN (wired, Wi-Fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture the microphone, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which rules out the possibility of getting traced by the target.</p>
<p align="JUSTIFY">Astra’s key features include the following:</p>
<p align="JUSTIFY">- Proactive intelligence gathering</p>
<p align="JUSTIFY">- End-to-end remote infection and monitoring framework</p>
<p align="JUSTIFY">- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots</p>
<p align="JUSTIFY">- Designed for centralized management of thousands of targets</p>
<p align="JUSTIFY">- A wide range of deployment mechanisms to optimize success ratio</p>
<p align="JUSTIFY">- Non-traceable, non-detectable delivery mechanism</p>
<p align="JUSTIFY">- Intrusive yet stealthy</p>
<p align="JUSTIFY">- Easy interface for handling most complex tasks</p>
<p align="JUSTIFY">- Successfully tested over the current top 10 anti-virus available in the market</p>
<p align="JUSTIFY">- No third party dependencies</p>
<p align="JUSTIFY">- Free from any back-door intervention</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail Technologies argue that they meet lawful interception regulatory requirements</a></span> across the globe. In particular, they claim that their products are compliant with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA regulations</a></span> and that they can efficiently cater to region-specific requirements as well.</p>
<p align="JUSTIFY">The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">Telesoft Technologies</a></span>, <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf">AGT International</a></span> and <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">Verint Systems</a></span>. In particular, <span style="text-decoration: underline;"><a href="http://verint.com/">Verint Systems</a></span> has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:</p>
<p align="JUSTIFY">- Impact 360 Speech Analytics</p>
<p align="JUSTIFY">- Impact 360 Text Analytics</p>
<p align="JUSTIFY">- Nextiva Video Management Software (VMS)</p>
<p align="JUSTIFY">- Nextiva Physical Security Information Management (PSIM)</p>
<p align="JUSTIFY">- Nextiva Network Video Recorders (NVRs)</p>
<p align="JUSTIFY">- Nextiva Video Business Intelligence (VBI)</p>
<p align="JUSTIFY">- Nextiva Surveillance Analytics</p>
<p align="JUSTIFY">- Nextiva IP cameras</p>
<p align="JUSTIFY">- CYBERVISION Network Security</p>
<p align="JUSTIFY">- ENGAGE suite</p>
<p align="JUSTIFY">- FOCAL-INFO (FOCAL-COLLECT &amp; FOCAL-ANALYTICS)</p>
<p align="JUSTIFY">- RELIANT</p>
<p align="JUSTIFY">- STAR-GATE</p>
<p>- VANTAGE</p>
<p align="JUSTIFY">While <span style="text-decoration: underline;"><a href="http://verint.com/">Verint Systems</a></span> claims to be in compliance with ETSI, CALEA and other worldwide lawful interception standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_europe/">Verint Systems has participated in ISS World Trade shows</a></span> which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.</p>
<h2><b>And what do the latest Spy Files mean for India?</b></h2>
<p align="JUSTIFY">Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:</p>
<p align="JUSTIFY">1. The Central Monitoring System (CMS)</p>
<p align="JUSTIFY">2. Is any of this surveillance even legal in India?</p>
<p align="JUSTIFY">3. Can such surveillance result in the violation of human rights?</p>
<h3><b>Spy Files 3...and the Central Monitoring System (CMS)</b></h3>
<p align="JUSTIFY">Following the <a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">Mumbai 2008 terrorist attacks</a>, the Telecom Enforcement, Resource and Monitoring (TERM) cells and the Centre for Development of Telematics (C-DOT) started preparing the <a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a>. As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research &amp; Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISPs and telecom operators are required to install the gear which enables law enforcement agencies to operate the Central Monitoring System under the <a href="http://www.dot.gov.in/licensing/access-services">Unified Access Services (UAS) License Agreement</a>.</p>
<p align="JUSTIFY">The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is <span style="text-decoration: underline;"><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">Rs. 4 billion</a></span>. In addition to <span style="text-decoration: underline;"><a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">equipping government agencies</a></span> with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements <span style="text-decoration: underline;"><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">regional Internet Monitoring Systems, such as that of Assam</a></span>, by providing nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.</p>
<p align="JUSTIFY">However, data monitored and collected through the CMS will be stored in a <span style="text-decoration: underline;"><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access">centralised database</a></span>, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that <span style="text-decoration: underline;"><a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the bigger the amount of data, the bigger the probability of an error in matching profiles</a></span>, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS License Agreement regarding the CMS</a></span> mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.</p>
<p align="JUSTIFY">Interestingly enough, Indian law enforcement agencies which attended <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">last year’s ISS World trade shows</a></span> are linked to the Central Monitoring System. In particular, last year’s law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the <span style="text-decoration: underline;"><a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">agencies which will have access to the CMS</a></span>: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.</p>
<p align="JUSTIFY">Furthermore, Spy Files 3 contain a <a href="http://wikileaks.org/spyfiles3.html#an1">list of last year’s ISS World security company attendees</a>, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">solutions for targeted and mass monitoring of IP and voice networks</a>, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.</p>
<p align="JUSTIFY">In fact, ClearTrail states in its brochure that its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ComTrail product</a> is equipped to handle millions of communications per day, while its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail product</a> can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“Astra”</a> is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is <i>not </i>equipping the CMS? <span>And what are the odds that such technology is </span><i><span>not</span></i><span> being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?</span></p>
<h3><b>Spy Files 3...and the legality of India’s surveillance technologies</b></h3>
<p align="JUSTIFY">ClearTrail Technologies’ <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">brochure</span></a> - the only leaked document on Indian surveillance technology by the latest Spy Files - states that the company complies with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA regulations</a></span>. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply <i>within</i> India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.</p>
<p align="JUSTIFY">India has five laws which regulate surveillance:</p>
<p align="JUSTIFY">1. The <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act</a></span>, 1885</p>
<p align="JUSTIFY">2. The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian Post Office Act</a></span>, 1898</p>
<p align="JUSTIFY">3. The <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian Wireless Telegraphy Act</a></span>, 1933</p>
<p align="JUSTIFY">4. The <span style="text-decoration: underline;"><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Code of Criminal Procedure (CrPC)</a></span>, 1973: Section 91</p>
<p align="JUSTIFY">5. The <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act</a></span>, 2008</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian Post Office Act</a></span> does not cover electronic communications and the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian Wireless Telegraphy Act</a></span> lacks procedures which would determine if surveillance should be targeted or not. Neither the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act</a></span> nor the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act</a></span> covers mass surveillance; both are limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary of the department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.</p>
<p align="JUSTIFY">The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">a public emergency or for public safety</a>. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.</p>
<p align="JUSTIFY">The interception of Internet communications is mainly covered by the <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">2009 Rules under the Information Technology Act 2008, and Sections 69 and 69B</a> are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.</p>
<p align="JUSTIFY">While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the <i>mass</i> surveillance of communications. In other words, ClearTrail’s products, such as <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a>, which enable the mass interception of IP networks, lack legal backing. However, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Unified Access Services (UAS) License Agreement</a></span> regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.</p>
<p align="JUSTIFY">Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">even without a warrant</a>, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength or of target numbers like IMSI, TMSI, IMEI or MSISDN, which can be captured through ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> product.</p>
<p align="JUSTIFY"><span>More importantly, following <a class="external-link" href="http://www.financialexpress.com/news/states-begin-to-surrender-offair-phone-snooping-equipment/957859">allegations</a> that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all such equipment imported over a ten-year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since then, the Home Ministry has informed the heads of law enforcement agencies that there has been a <a class="external-link" href="http://m.indianexpress.com/news/state-govts-hand-over-few-offair-phonetapping-sets-to-centre/1185166/">complete ban on use of such equipment</a> and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring, is illegal and Indian law enforcement agencies are prohibited from using it. </span></p>
<p align="JUSTIFY">ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“Astra”</a> product is capable of remote infection and monitoring, and can push a bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such <a href="http://www.dot.gov.in/licensing/access-services"><span style="text-decoration: underline;">licenses</span></a> mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is technically legal or not. The <a class="external-link" href="http://www.auspi.in/policies/UASL.pdf">UAS License agreement</a> mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.</p>
<p align="JUSTIFY">The issue of data retention arises from <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail’s leaked brochure</a>. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.</p>
<p align="JUSTIFY"><a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 7 of the Information Technology (Amendment) Act, 2008</a>, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.</p>
<p align="JUSTIFY">Data retention requirements for service providers are included in the <a href="http://editors.cis-india.org/internet-governance/blog/data-retention-in-india" class="external-link">ISP and UASL licenses</a> and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.</p>
<p align="JUSTIFY">India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail’s spy products</a></span> are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception - but they are mandated through the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS License agreement</a></span> regarding the Central Monitoring System.</p>
<p align="JUSTIFY">In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the <a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS License Agreement</a> mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules - mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not render mass surveillance legal or illegal, but rather leaves it a grey area. Furthermore, while <a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">India’s Telegraph Act</a>, <a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology Act</a> and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.</p>
<p align="JUSTIFY">One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appears to create a grey zone for the expansion of mass surveillance in the country. According to <span style="text-decoration: underline;"><a href="http://www.outlookindia.com/article.aspx?265192">Saikat Datta</a></span>, an investigative journalist, a senior privacy telecom official stated:</p>
<blockquote class="italized">“<i>Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?” </i></blockquote>
<h3><b>Spy Files 3...and human rights in India</b></h3>
<p align="JUSTIFY">The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.</p>
<p align="JUSTIFY">In particular, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail</a></span> enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well, <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.</p>
<p align="JUSTIFY">And indeed, carrying a mobile phone is like carrying a GPS device, especially since <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions which arise, though, are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we are all suspicious until proven innocent</a>.</span></p>
<p align="JUSTIFY">And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">Astra</span></a>. Having physical access to a targeted device is a conventional surveillance means of the past. Today, Astra can <i>remotely</i> push a bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, <a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"><span style="text-decoration: underline;">we should all have something to hide</span></a>!</p>
<p align="JUSTIFY"><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"><span style="text-decoration: underline;">Privacy protects us from abuse from those in power</span></a> and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail’s products</span></a> - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.</p>
<p align="JUSTIFY">And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, <a href="http://www.timeshighereducation.co.uk/402844.article"><span style="text-decoration: underline;">a UK student studying Islamic terrorism for his Masters dissertation was detained for six days</span></a>. The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.</p>
<p align="JUSTIFY">This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.</p>
<p align="JUSTIFY">This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always <a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"><span style="text-decoration: underline;">“have something to hide”</span></a>, as that is the only way to protect us from abuse by those in power.</p>
<p align="JUSTIFY">In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the <a class="external-link" href="https://en.necessaryandproportionate.org/text">International Principles on Communications Surveillance and Human Rights.</a></p>
<p align="JUSTIFY">Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.</p>
<p align="JUSTIFY">This article was <a class="external-link" href="http://www.medianama.com/2013/11/223-spy-files-3-wikileaks-sheds-more-light-on-the-global-surveillance-industry-cis-india/">cross-posted in Medianama </a>on 6th November 2013.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/spy-files-three'>http://editors.cis-india.org/internet-governance/blog/spy-files-three</a>
</p>
No publisher | maria | Privacy, Internet Governance, SAFEGUARDS, Featured, Homepage | 2013-11-14T16:21:00Z | Blog Entry
SEBI and Communication Surveillance: New Rules, New Responsibilities?
http://editors.cis-india.org/internet-governance/blog/sebi-and-communication-surveillance
<b>In this blog post, Kovey Coles writes about the activities of the Securities Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify; ">The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but do not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation with regard to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.</p>
<h3 style="text-align: justify; ">SEBI’s Authority (Until Now)</h3>
<p style="text-align: justify; ">Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."<a href="#fn1" name="fr1">[1]</a> Its powers have included "calling for information from, undertaking inspection, conducting inquiries and audits of the intermediaries and self-regulatory organisations in the securities market."<a href="#fn2" name="fr2">[2]</a> Although the agency has held the responsibility to investigate records on market activity, it has never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”<a href="#fn3" name="fr3">[3]</a> SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.</p>
<p>But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.</p>
<h3>What is the Importance of CDR Access?</h3>
<p style="text-align: justify; ">Reports on SEBI’s recent expansion are quick to stress that the agency is not looking for phone-tapping rights, which would allow interception of messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there are a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."<a href="#fn4" name="fr4">[4]</a> Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.</p>
<p style="text-align: justify; ">One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.<a href="#fn5" name="fr5">[5]</a> Currently, under section 92 of the CrPC, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.<a href="#fn6" name="fr6">[6]</a> Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without "reasonable grounds," as stipulated in section 11C of the SEBI Act.<a href="#fn7" name="fr7">[7]</a> It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."<a href="#fn7" name="fr7">[7]</a> With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.<a href="#fn8" name="fr8">[8]</a> But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.</p>
<h3 style="text-align: justify; ">Significance and Responsibility in this Decision</h3>
<p style="text-align: justify; ">Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizens’ call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizens’ call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizens’ rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).</p>
<p>[<a href="#fr3" name="fn3">3</a>]. “Sebi Finalising new Anti-money laundering guidelines,” <i>The Times of India, </i>June 16, 2013</p>
<p><a href="http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms">http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms</a></p>
<p style="text-align: left; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance -<a href="http://www.necessaryandproportionate.net/#_edn1">http://www.necessaryandproportionate.net/#_edn1</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. “Sebi to soon to get Powers to Access Call Records,” <i>Business Today</i>, June 13, 2013</p>
<p><a href="http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html">http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. 1973 Criminal Procedure Code, Section 92 <a href="http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf">http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf</a></p>
<p>“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013</p>
<p><a href="http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary">http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. 1992 Securities and Exchange Board of India Act, section 11C, part 8</p>
<p>[<a href="#fr8" name="fn8">8</a>]. 2002 Prevention of Money-Laundering Act, section 12</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/sebi-and-communication-surveillance'>http://editors.cis-india.org/internet-governance/blog/sebi-and-communication-surveillance</a>
</p>
No publisher | kovey | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:51:46Z | Blog Entry
Report on the Sixth Privacy Roundtable Meeting, New Delhi
http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi
<b>In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.
</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<h2>Introduction</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">CIS was a member of the Justice A.P. Shah Committee which drafted the "<a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of Groups of Experts on Privacy</a>". CIS also drafted a <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft" class="external-link">Privacy (Protection) Bill 2013</a> (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol>
<li>New Delhi Roundtable: April 13, 2013</li>
<li>Bangalore Roundtable: April 20, 2013</li>
<li>Chennai Roundtable: May 18, 2013</li>
<li>Mumbai Roundtable: June 15, 2013</li>
<li>Kolkata Roundtable: July 13, 2013</li>
<li>New Delhi Roundtable: August 24, 2013</li>
<li>New Delhi Final Roundtable and National Meeting: October 19, 2013</li>
</ol>
<p style="text-align: justify; ">This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="internal-link" title="The Personal Data (Protection) Bill, 2013">The Personal Data (Protection) Bill, 2013 </a>was discussed at the Roundtable.</p>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill</a> from the more expansive – Privacy (Protection) Bill.</p>
<h2>Chapter I – Preliminary</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 2 of the first chapter enumerates various definitions, including ‘personal data’, which is defined as any data that can lead to identification, and ‘sensitive personal data’, a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Religion and Caste</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –</p>
<ul>
<li>Whether religion and caste should be categorized as sensitive personal data or personal data?</li>
<li>Whether it is impracticable to include it in either category?</li>
<li>If included as sensitive personal data, how should it be implemented?</li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populace to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. 
Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Political Affiliation</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conviction Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing a passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Financial and Credit Information</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:</p>
<ul>
<li style="text-align: justify; ">The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.</li>
<li style="text-align: justify; ">Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.</li>
<li style="text-align: justify; ">While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.</li>
<li style="text-align: justify; ">Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law. </li>
</ul>
<h2>Chapter II – Regulation of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The main issues under consideration with regard to this part were –</p>
<ul>
<li>The scope of the protection provided</li>
<li>Whether the exemptions should be expanded or diminished. </li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in <i>Kharak Singh v. The State of U.P.</i> (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was inadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to how ‘personal and domestic use’ was to be defined, it was proposed that the same had to cater to existing cultural norms. In India, this entailed that existing community laws had to be followed, which do not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The overall conclusion of the discussion on this Chapter was –</p>
<ul>
<li>All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.</li>
<li>Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Chapter III – Protection of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data with Prior Informed Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iii) destruction of data.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed their users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Mediated data collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3<sup>rd</sup> party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3<sup>rd</sup> party?, and (ii) whether destruction of user data due to withdrawal of consent would amount to destruction of general data, i.e. of the 3<sup>rd</sup> party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3<sup>rd</sup> party. 
In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data without Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -</p>
<p style="text-align: justify; "><i>“(a) necessary for the provision of an emergency medical service to the data subject;<br /></i><i>(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;<br />(c) necessary to prevent a reasonable threat to national security, defence or public order; or<br />(d) necessary to prevent, investigate or prosecute a cognisable offence”</i></p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in the last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as <i>Maneka Gandhi v. Union of India</i> (1978) and <i>PUCL v. Union of India</i> (1997).</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Storage and Processing of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criterion should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to be more specifically defined to avoid dilution.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.</p>
<h3 class="MsoNormalCxSpLast" style="text-align: justify; ">Conclusion</h3>
<ul>
<li>Mediated collection of data should be qualified on the basis of purpose and intent of collection.</li>
<li>The issue of cost to company (C2C) was not given adequate consideration in the Bill.</li>
<li>The need to lay down Procedures at all stages of handling personal data.</li>
<li>Special exemptions need to be provided for journalistic sources. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Meeting Conclusion</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill, 2013</a>. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi'>http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi</a>
</p>
No publisher | prachi | SAFEGUARDS, Internet Governance, Privacy | 2013-08-30T15:04:51Z | Blog Entry
Report on the 4th Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting
<b>This report provides an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; "><span>In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</span></p>
<p style="text-align: justify; "><span>In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</span></p>
<p style="text-align: justify; "><span>At the roundtables the Report of the Group of Experts on Privacy, DSCI's paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</span></p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>
<p align="JUSTIFY"><span>New Delhi Roundtable: 13 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Bangalore Roundtable: 20 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Chennai Roundtable: 18 May 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Mumbai Roundtable: 15 June 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Kolkata Roundtable: 13 July 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>New Delhi Final Roundtable and National Meeting: 17 August 2013</span></p>
</li>
</ol>
<p style="text-align: justify; "><span>Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report provides an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.</span></p>
<h2><b><span>Discussion of the Draft Privacy (Protection) Bill 2013</span></b></h2>
<h3><b><span>Discussion of definitions: Chapter 1</span></b></h3>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised. </span></p>
<p style="text-align: justify; "><span>Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would override all other competing legislation. Special laws override general laws in India, but this would be a special law for the specific purpose of data protection. </span></p>
<p style="text-align: justify; "><span>The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored. </span></p>
<p style="text-align: justify; "><span>Such arguments were met with backlash from participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards. </span></p>
<p style="text-align: justify; "><span>The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the government's interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over. </span></p>
<p style="text-align: justify; "><span>The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.</span></p>
<p style="text-align: justify; "><span>In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts. </span></p>
<p style="text-align: justify; "><span>Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data. </span></p>
<p style="text-align: justify; "><span>On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions. </span></p>
<h3><b><span>Right to Privacy: Chapter 2</span></b></h3>
<p style="text-align: justify; "><span>The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill. </span></p>
<p style="text-align: justify; "><span>Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from interfering with this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts. </span></p>
<p style="text-align: justify; "><span>The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.</span></p>
<p style="text-align: justify; "><span>Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly. </span></p>
<h3><b><span>Protection of Personal Data: Chapter 3</span></b></h3>
<p style="text-align: justify; "><span>Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data. </span></p>
<p style="text-align: justify; "><b><span>Collection of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention. </span></p>
<p style="text-align: justify; "><span>It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill. </span></p>
<p style="text-align: justify; "><span>Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty. </span></p>
<p style="text-align: justify; "><span>A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes. </span></p>
<p style="text-align: justify; "><span>The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill. </span></p>
<p style="text-align: justify; "><span>In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection. </span></p>
<p style="text-align: justify; "><span>It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well. </span></p>
<p style="text-align: justify; "><b><span>Storage and destruction of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data. </span></p>
<p style="text-align: justify; "><span>In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India. </span></p>
<p style="text-align: justify; "><span>Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases. </span></p>
<p style="text-align: justify; "><b><span>Security of personal data and duty of confidentiality</span></b></p>
<p style="text-align: justify; "><span>Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”. </span></p>
<p style="text-align: justify; "><span>One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India. </span></p>
<p style="text-align: justify; "><b><span>Disclosure of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to. </span></p>
<p style="text-align: justify; "><span>It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill. </span></p>
<p style="text-align: justify; "><span>Several participants argued that companies should be responsible for the data they collect and that they should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism. </span></p>
<p style="text-align: justify; "><span>This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided. </span></p>
<p style="text-align: justify; "><span>Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill. </span></p>
<p style="text-align: justify; "><span>A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed. </span></p>
<p style="text-align: justify; "><span>However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to its lack of traceability and hence to inform individuals every time their data is being shared or disclosed. </span></p>
<p style="text-align: justify; "><span>Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security. </span></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill. </span></p>
<h2><b><span>Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner</span></b></h2>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation. </span></p>
<p style="text-align: justify; "><span>There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a </span><i><span>competitive disadvantage </span></i><span>in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security. </span></p>
<p style="text-align: justify; "><span>As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes stated that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control. </span></p>
<p style="text-align: justify; "><span>On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines. The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations. <br /></span></p>
<p style="text-align: justify; "><span>When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported. </span></p>
<p style="text-align: justify; "><span>Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on </span><i><span>accountability</span></i><span>. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached. </span></p>
<p style="text-align: justify; "><span>On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights. </span></p>
<h2><b><span>Meeting conclusion</span></b></h2>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed. </span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting'>http://editors.cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T11:04:25Z | Blog Entry
Report on the 3rd Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "><span>Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18</span><sup>th</sup><span> May 2013.</span></p>
<h2><span><span><b>Overview of DSCI´s paper on ´Strengthening Privacy Protection through Co-Regulation´</b></span></span></h2>
<p style="text-align: justify; ">The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATGRID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.</p>
<p style="text-align: justify; ">The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.</p>
<p style="text-align: justify; ">In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers <i>choose </i>to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner in which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that the individual should have the right to access his/her data and make possible corrections.</p>
<p style="text-align: justify; ">The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.</p>
<p style="text-align: justify; ">The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals´ data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.</p>
<p style="text-align: justify; ">The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.</p>
<p style="text-align: justify; ">Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.</p>
<p style="text-align: justify; ">Co-regulation was once again supported by the DSCI through the argument that customers <i>choose </i>to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of <i>incentives</i> companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.</p>
<h1 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h1>
<h2 style="text-align: justify; ">Discussion of definitions: Chapter II</h2>
<p style="text-align: justify; ">The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where one would focus on data protection and the other on surveillance and interception. Splitting a Bill on data protection into two consecutive Bills was also proposed, where one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.</p>
<p style="text-align: justify; ">The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ´sensitive personal data´ and it was recommended that the Indian draft Privacy (Protection) Bill complies with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for ´sensitive personal data´ to safeguard individuals from potential abuse. Furthermore, the fact that the term ´sensitive personal data´ does not have a harmonious nature in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply with global privacy standards.</p>
<p style="text-align: justify; ">The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.</p>
<p style="text-align: justify; "><b>Discussion of “Protection of Personal Data”: Chapter III</b></p>
<p style="text-align: justify; ">The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals´ personal data. It was also argued that when an individual is constantly under surveillance, that individual´s behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers.</p>
<p style="text-align: justify; "><b>Issue of Consent</b></p>
<p style="text-align: justify; ">The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data withheld about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.</p>
<p style="text-align: justify; "><b>Outsourcing of Data</b></p>
<p style="text-align: justify; ">It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.</p>
<p style="text-align: justify; ">Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.</p>
<p style="text-align: justify; "><b>Data Retention</b></p>
<p style="text-align: justify; ">It was argued that 50,000 arrests have been made under the powers given by POTA. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.</p>
<p style="text-align: justify; ">It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change within time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that it should not only apply to present data, but also to past data, such as archives.</p>
<p style="text-align: justify; "><b>Data Processing</b></p>
<p style="text-align: justify; ">The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.</p>
<p style="text-align: justify; "><b>Data Disclosure</b></p>
<p style="text-align: justify; ">The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.</p>
<p style="text-align: justify; ">According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.</p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting'>http://editors.cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:35:22Z | Blog Entry
Report on the 2nd Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table
<b>This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013. </b>
<hr />
<p>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; ">Following the first Privacy Round Table in Delhi, this <a href="http://editors.cis-india.org/internet-governance/blog/report-on-bangalore-privacy-meeting" class="internal-link">report</a> entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20<sup>th</sup> April 2013.</p>
<h2 style="text-align: justify; ">Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”</h2>
<p style="text-align: justify; ">The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13<sup>th</sup> April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.</p>
<p style="text-align: justify; ">DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.</p>
<p style="text-align: justify; ">The discussion points brought forward by DSCI were:</p>
<ul style="text-align: justify; ">
<li>What role should government and industry respectively play in developing and enforcing a regulatory framework? </li>
<li>How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?</li>
<li>How can an organization be incentivized to follow the codes of practice under the SRO?</li>
<li>What should be the role of SROs in redressal of complaints?</li>
<li>What should be the business model for SROs?</li>
</ul>
<p style="text-align: justify; ">DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.</p>
<h2 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h2>
<h3 style="text-align: justify; ">Discussion of definitions and preamble: Chapter I &amp; II</h3>
<p style="text-align: justify; ">The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.</p>
<h3 style="text-align: justify; ">Sensitive Personal Data</h3>
<p style="text-align: justify; ">The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethnic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.</p>
<h3 style="text-align: justify; ">Information vs. Data</h3>
<p style="text-align: justify; ">During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.</p>
<h3 style="text-align: justify; ">Exemptions</h3>
<p style="text-align: justify; ">Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out and it was suggested that it be included in the draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are being included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.</p>
<h3 style="text-align: justify; ">Data Collection</h3>
<p style="text-align: justify; ">In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.</p>
<h3 style="text-align: justify; ">Consent</h3>
<p style="text-align: justify; ">On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over data in certain cases, in other cases they <i>choose</i> to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this too should be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.</p>
<p style="text-align: justify; ">Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.</p>
<h3 style="text-align: justify; ">Data Disclosure</h3>
<p style="text-align: justify; ">In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.</p>
<p style="text-align: justify; ">A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared and retained when it is not handled within India and several participants argued that this should be addressed within the Bill.</p>
<h3 style="text-align: justify; ">Data Destruction</h3>
<p style="text-align: justify; ">In terms of data destruction, a participant emphasized the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.</p>
<h3 style="text-align: justify; ">Data Processing</h3>
<p style="text-align: justify; ">In terms of data processing, participants argued that privacy protection complications have arisen in light of social media. In particular, they argued that social media constantly develop and expand technologically and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.</p>
<p style="text-align: justify; ">However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.</p>
<p style="text-align: justify; ">In brief, the following questions with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>Should consent be required prior to the collection of data?</li>
<li>Should consent be acquired prior to and after the disclosure of data?</li>
<li>Should the purpose of data collection be the same as the purpose for the disclosure of data?</li>
<li>Should an executive order or a court order be required to disclose data?</li>
<li>Against the background of national security, anyone´s data can be on the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data on the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?</li>
<li>An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?</li>
<li>Should companies notify individuals when they share their (individuals´) data with international third parties?</li>
</ul>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>The data subject has to be informed, unless there is a model contract. </li>
<li>The request for consent should depend on the type of data that is to be disclosed.</li>
<li>Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).</li>
<li>The shared data may be considered private data (need of a relevant regulatory framework).</li>
<li>An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.</li>
<li>If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country. </li>
<li>India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.</li>
<li>The problem with disclosure is when there is an exception for certain circumstances.</li>
<li>Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability. </li>
<li>Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).</li>
<li>´Data ownership´ should be included in the definitions of the Bill. </li>
<li>What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.</li>
</ul>
<p> </p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for purposes other than the original purpose, as well as that such information should not be shared with third parties.</p>
<p style="text-align: justify; ">Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner be mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.</p>
<h2 style="text-align: justify; ">Discussion on self-regulation and co-regulation</h2>
<p> </p>
<p style="text-align: justify; ">The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.</p>
<p style="text-align: justify; ">The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.</p>
<p style="text-align: justify; ">Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has a vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p> </p>
<p style="text-align: justify; ">The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table'>http://editors.cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:54:28Z | Blog Entry
Report on the 1st Privacy Round Table meeting
http://editors.cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS), in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARDS project.</p>
<p style="text-align: justify; ">In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of the Group of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li style="text-align: justify; ">New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p> </p>
<p>This <a href="http://editors.cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf" class="internal-link">report</a> entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</p>
<p> </p>
<h2><b>Overview of Justice A P Shah Report: Purpose, Principles and Framework</b></h2>
<p style="text-align: justify; ">The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.</p>
<p style="text-align: justify; ">During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called upon the need for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized the creation of “light-weight” privacy legislation, which would protect individuals´ right to privacy, without infringing upon the interests of the private sector.</p>
<p style="text-align: justify; ">Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:</p>
<ul style="text-align: justify; ">
<li>The purpose of the collection of data</li>
<li>The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case</li>
<li>Data is shared with third parties and it is hard to control how long they retain the data for</li>
<li>Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data</li>
</ul>
<p style="text-align: justify; ">Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follow the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation be approved by the Privacy Commissioner.</p>
<p style="text-align: justify; ">While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before access to that information is authorised. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.</p>
<p style="text-align: justify; ">The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.</p>
<p style="text-align: justify; ">The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications are widespread phenomena in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.</p>
<h3 style="text-align: justify; ">Discussion Highlights:</h3>
<ul style="text-align: justify; ">
<li>The pros and cons of self-regulation and co-regulation</li>
<li>The national privacy principles – and how to build in insurance for technology</li>
<li>The role of the Privacy Commissioner</li>
<li>The definition of terms used in the draft Privacy (Protection) Bill 2013 </li>
</ul>
<p style="text-align: justify; "> </p>
<h2><b>Overview, explanation and discussion on the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.</p>
<p style="text-align: justify; ">During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.</p>
<p style="text-align: justify; ">Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.</p>
<p style="text-align: justify; ">As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished from personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.</p>
<p style="text-align: justify; ">Many participants agreed that India´s proposed Privacy Law should meet <i>global standards </i>in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.</p>
<p style="text-align: justify; ">The issue of to whom privacy laws would apply was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.</p>
<p style="text-align: justify; ">The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.</p>
<p style="text-align: justify; ">The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.</p>
<p style="text-align: justify; ">Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.</p>
<p style="text-align: justify; ">During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on <i>where </i>it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.</p>
<p style="text-align: justify; ">The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request authorisation once the interception has already been conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.</p>
<p style="text-align: justify; ">The second session of the meeting concluded with the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.</p>
<h3>Discussion Highlights:</h3>
<ul>
<li>If the draft Privacy (Protection) Bill 2013 should be split into two separate Bills</li>
<li><span>Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)</span></li>
<li>If personal data should be distinguished in the private and public sector</li>
<li>If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards</li>
<li>The nuances of consumer consent</li>
<li>Various ways to define ´public figures´</li>
<li>Freedom of expression in the context of the draft Privacy (Protection) Bill 2013 </li>
<li>The distinction between exemptions and exceptions</li>
</ul>
<p> </p>
<h2><b>In depth explanation and discussions regarding the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.</p>
<p style="text-align: justify; ">The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals <i>choose</i> to disclose a large amount of information.</p>
<p style="text-align: justify; ">The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information, as this would be highly inconvenient.</p>
<p style="text-align: justify; ">Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.</p>
<p style="text-align: justify; ">A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users' data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers' data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized the futility of informing customers of the handling of their data, especially since the average customer would not understand the security settings of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.</p>
<p style="text-align: justify; ">In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.</p>
<p style="text-align: justify; ">In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.</p>
<p style="text-align: justify; ">Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.</p>
<p style="text-align: justify; ">The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term ´data´. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the ´Right to be Forgotten´ debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.</p>
<p style="text-align: justify; ">The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to 'sensitive personal data'. The need for the redefinition of the term 'sensitive personal data' in the draft Privacy Bill was emphasized again, as well as participants' concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should <i>not</i> be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may not have considered when granting initial consent.</p>
<p style="text-align: justify; ">The meeting proceeded to discuss the processing of data and several participants emphasized the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies.</p>
<h3>Discussion Highlights:</h3>
<ul>
<li>The different instances of data collection and consumer consent</li>
<li>The nuances of data sharing </li>
<li>The issue of consumer consent and security assurances offered by companies</li>
<li>The pros and cons of having a data retention regulatory framework</li>
<li>How transparency is incorporated into the draft Privacy Protection Bill 2013 </li>
<li>What is needed in provisions that speak to data destruction</li>
</ul>
<h2>Meeting conclusion</h2>
<p style="text-align: justify; ">The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals´ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.</p>
<p style="text-align: justify; ">Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="internal-link">Privacy Protection Bill, 2013</a> based on participants´ feedback, concerns, comments and ideas.</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-30T11:11:11Z | Blog Entry
Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)
http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
No publisher | elonnai | Featured | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T10:50:22Z | Blog Entry
Open Letter to Prevent the Installation of RFID tags in Vehicles
http://editors.cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles
<b>The Centre for Internet and Society (CIS) has sent this open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p class="western" style="text-align: justify; ">This letter is with regards to the installation of Radio Frequency Identification Tags (RFID) in vehicles in India.</p>
<p class="western" style="text-align: justify; ">On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.</p>
<p class="western" style="text-align: justify; ">The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.</p>
<p class="western" style="text-align: justify; ">The installation of RFID tags in vehicles is not only currently illegal, but it also raises major privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.<a href="#fn1" name="fr1">[1]</a></p>
<p class="western" style="text-align: justify; ">The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.<a href="#fn2" name="fr2">[2]</a> The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">Thank you for your time and for considering our request.</p>
<p class="western" style="text-align: justify; ">Sincerely,</p>
<p class="western" style="text-align: justify; ">Centre for Internet and Society (CIS)</p>
<p>[<a href="#fr1" name="fn1">1</a>]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p>[<a href="#fr2" name="fn2">2</a>]. Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T10:59:31Z | Blog Entry
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
http://editors.cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, <a href="http://editors.cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.<a href="http://editors.cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="http://editors.cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. <a href="http://editors.cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Centre for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a><a class="moz-txt-link-freetext" href="http://www.business-standard.com/article/economy-policy/india-threatens-to-stall-trade-talks-with-eu-113050900020_1.html"></a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister Seeks stand along privacy legislation, writes PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<div id="_mcePaste"><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></div>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:07:58Z | Blog Entry
New Document on India's Central Monitoring System (CMS) - 2
http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2
No publisher | maria | Surveillance | Internet Governance | SAFEGUARDS | 2014-01-30T12:40:31Z | File
Moving Towards a Surveillance State
http://editors.cis-india.org/internet-governance/blog/moving-towards-surveillance-state
<b>The cyberspace is a modern construct of communication and today, a large part of human activity takes place in cyberspace. It has become the universal platform where business is executed, discourse is conducted and personal information is exchanged. However, the underbelly of the internet is also seen to host activities and persons who are motivated by nefarious intent. </b>
<hr />
<p>Note: The original tender document of the Assam Police dated 28.02.2013, along with several other tender documents for procurement of Internet and Voice Monitoring Systems, <a href="http://editors.cis-india.org/internet-governance/blog/tenders-eoi-press-release.zip" class="internal-link">is attached as a zip folder</a>.</p>
<hr />
<p style="text-align: justify; ">As highlighted in the <a href="http://necessaryandproportionate.net/#_edn2"><i>International Principles on the Application of Human Rights to Communications Surveillance</i></a>, logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers, makes State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.<a href="#fn*" name="fr*">[*]</a> These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.</p>
<p style="text-align: justify; ">While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the <a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a> (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.</p>
<p style="text-align: justify; ">Although information regarding the Central Monitoring System is quite limited on the public forum at the moment it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009 as indicated by the <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679">press release</a> of the Ministry of Communications & Information. Implementation of the system started subsequently as indicated by another government <a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747">press release</a> and the Center for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT <a href="http://www.cdot.in/media/publications.htm">annual report</a> 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. <a href="http://articles.economictimes.indiatimes.com/2013-05-07/news/39091148_1_single-window-pranesh-prakash-internet">Media reports</a> indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and <a href="http://editors.cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy">wide gaps in procedure and law</a>. Moreover, the lack of a concrete privacy legislation coupled with the absence of public discourse indicates the lack of interest of the state over the rights of an ordinary citizen. 
It is under these circumstances that awareness must first be raised regarding <a href="https://www.eff.org/deeplinks/state-surveillance-%26-human-rights">the risks of mass surveillance</a> to civil liberties, which, in the absence of established procedures protecting the rights of the citizens of the state, can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.</p>
<p style="text-align: justify; ">The architecture and working of a <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">proposed Internet Monitoring System</a> must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse, so that a committed effort can be made to preserve the rights of the citizens, especially the right to privacy, while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.</p>
<p style="text-align: justify; "><b>Internet Monitoring System: Setup and Working</b><br />Very broadly, the Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server, which includes all electronic correspondence (emails, chats or IMs, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subject to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to a specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the Central Monitoring System still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the specifications revealed in the Assam Police <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">tender document</a> for the procurement of an Internet Monitoring System.</p>
<p style="text-align: justify; "><b>Setup</b><br />The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises, and the probes are installed at various tapping points within the entire ISP network. A collection server is also installed and hosted at the site of the ISP. The collection server is used to either collect, analyze, filter or simply aggregate the data from the ISP servers, and the data is transferred to a master aggregation server located at a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.</p>
<p style="text-align: justify; ">The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.</p>
<p style="text-align: justify; "><b>Types of data</b><br />The proposed internet monitoring system of the Assam state can provide network traffic interception, and a variety of internet protocols, including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Session Initiation Protocol (SIP) and Voice over Internet Protocol (VoIP), can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.). The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address and routing address can be acquired along with the IP address and other details of the user.</p>
<p style="text-align: justify; ">Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed. The system also allows the capture of additional pages if updated, and logs periodical updates and other changes. This gives the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.</p>
<p style="text-align: justify; ">More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.</p>
<p>Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week. However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.</p>
<p style="text-align: justify; "><b>Types of Analysis</b><br />The Internet Monitoring System apart from intercepting all the data generated through the Internet Service Providers is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers. The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis, CDR analysis, timeline analysis and histogram based analysis from various sources.</p>
<p style="text-align: justify; ">The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content, including comments, can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.<br /><br />Based on this information, the analysis is supposed to provide the capability to identify suspicious behavior based on existing patterns and on new patterns as they emerge, which are continuously applied to combine incoming and existing information on people, profiles, transactions, social networks, types of websites visited, time spent on websites, types of content downloaded or viewed and any other type of gatherable information. The solutions on the system are also supposed to create single, multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URLs, or packet routes that may be defined from time to time. Such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expressions of joy, compassion and anger, as may be defined by the agency depending on operational and intelligence requirements. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users. 
<br /><br />Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created. Further, real-time visualization showing results from real-time data can be generated, which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web intelligence and open source intelligence, and of allowing capabilities such as simultaneous searches, which can be automated, providing a powerful tool for exploration of the intercepted data.<br /><br />Another important requirement mentioned in the tender document is the system's capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies, including fixed line and Blackberry services and encrypted IP services like Skype services.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />It is clear that a system like IMS, with its extensive interception and analysis capabilities, gives an agency or authority complete access to all information that is accessed or transmitted by a person on the internet, including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act. <br /><br />The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present-day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who accesses the internet. Tools like deep packet inspection and extensive data mining solutions, in the absence of concrete safeguards and when deployed through a centralized system, can be misused to censor any content, including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can sometimes be misleading, and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security. 
Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that democratic values are preserved and not endangered by any act of reckless force.<br /><br />Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to endure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.</p>
<hr />
<p>[<a href="#fr*" name="fn*">*</a>]. <a class="external-link" href="http://necessaryandproportionate.net/#_edn2">http://necessaryandproportionate.net/#_edn2</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/moving-towards-surveillance-state'>http://editors.cis-india.org/internet-governance/blog/moving-towards-surveillance-state</a>
</p>
No publisher | atreya | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T05:57:15Z | Blog Entry
Microsoft releases its first report on data requests by law enforcement agencies around the world
http://editors.cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies
<b>In this post, the Centre for Internet and Society presents Microsoft's report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft's newly released <a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">2012 Law Enforcement Requests Report </a>depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.</p>
<p style="text-align: justify; "><span>As of 30 June 2012, </span><a href="http://www.internetworldstats.com/asia.htm#in">137 million</a><span> Indians are regular Internet users, many of whom use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency with regard to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft's general counsel, wrote in his </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">blog post</a><span>:</span></p>
<blockquote class="italized"><i>“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”</i></blockquote>
<h2><b>Microsoft 2012 Law Enforcement Requests</b></h2>
<p style="text-align: justify; "><span>Democratic countries requested the most data during 2012, according to </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Microsoft's report</a><span>. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70,665 requests Microsoft (excluding Skype) received last year. Although India was not among the countries which made the fewest requests to Microsoft, it also did not join the</span><a href="http://www.itpro.co.uk/data-protection/19488/microsoft-opens-collaboration-law-enforcement-agencies"> top-five league</a><span> which accounted for the most requests, despite the country having </span><a href="https://opennet.net/research/profiles/india">one of the world's highest numbers of Internet users</a><span>.</span></p>
<p style="text-align: justify; "><span>Out of the</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 70,665 requests</a><span> to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122,015 accounts and users whose data was requested by law enforcement agencies around the world.</span></p>
<p style="text-align: justify; "><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Content data</a><span> is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. </span><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?_r=1&">Non-content data</a><span>, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft's 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">2.2 percent </a><span>of requests from law enforcement agencies around the world resulted in the disclosure of content data, </span><a href="http://www.engadget.com/2013/03/21/microsoft-posts-its-first-law-enforcement-requests-report/">99 percent of which were in response to warrants from courts in the United States</a><span>. Microsoft may not have disclosed any of our content data, but</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 370 requests</a><span> from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.</span></p>
<p style="text-align: justify; "><span>Out of the 418 requests made to Microsoft by Indian law enforcement agencies, </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">only 4 were rejected </a><span>(1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total number of requests</p>
</td>
<td>
<p>418 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/Users specified in requests</p>
</td>
<td>
<p>594 (0.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of non-content data</p>
</td>
<td>
<p>370 (88.5%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>44 (10.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests rejected</p>
</td>
<td>
<p>4 (1%)</p>
</td>
</tr>
</tbody>
</table>
<h2><span>Skype 2012 Law Enforcement Requests</span></h2>
<p style="text-align: justify; "><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">Microsoft acquired Skype</a> towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the<a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> Microsoft 2012 report</a>, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.</p>
<p style="text-align: justify; "><span>The</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> report </a><span>appears to be extremely reassuring, as it states that Skype did</span><i> not </i><span>disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">disclose </a><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx"><i>non-content data</i></a><span>, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.</span></p>
<p style="text-align: justify; "><span>Microsoft </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">reported </a><span>that data was not found for 47 of India's law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the number of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total number of requests</p>
</td>
<td>
<p>53 (0.1%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/identifiers specified in requests</p>
</td>
<td>
<p>101 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests resulting in disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>47 (88.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Provided guidance to law enforcement</p>
</td>
<td>
<p>10 (18.8%)</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The Centre for Internet and Society (CIS) supports the publication of </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft's 2012 Law Enforcement Requests Report</a><span> and encourages Microsoft (including Skype) to continue releasing such reports, which can provide an insight into how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the number of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the number of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency, and further, more detailed reports are strongly encouraged.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies'>http://editors.cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies</a>
</p>
No publisher | maria | Internet Governance, SAFEGUARDS | 2013-07-12T12:19:31Z | Blog Entry
Interview with the Tactical Technology Collective on Privacy and Surveillance
http://editors.cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective
<b>The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight into why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of the <a class="external-link" href="https://tacticaltech.org/about">Tactical Technology Collective</a>, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.</p>
<p style="text-align: justify; ">Tactical Tech's <a class="external-link" href="https://tacticaltech.org/what-we-do">Privacy & Expression programme</a> builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.</p>
<p style="text-align: justify; "><a class="external-link" href="https://tacticaltech.org/team">Anne Roth</a> works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. <span> <span>Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.</span></span></p>
<p style="text-align: justify; "><span><span>The Centre for Internet and Society interviewed Anne Roth on the following questions:</span></span></p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/QZsFf_Qyqyo" width="250"></iframe></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective'>http://editors.cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-10-18T09:56:16Z | Blog Entry