Internet Privacy in India
The Changing Nature of Information
For example – the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing and re-defining personal data and what type of protections personal data deserves and can be given. For example, seemingly harmless data such IP address, key words used in searches, websites visited, can now be combined and analysed to identify individuals and learn personal information about an individual. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, do not know who is accessing the information, and do not have control over how their information is being handled, and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.
The Blurry Line between the Public and Private Sphere
The above example also highlights how the “sphere” of information on the internet is unclear i.e. is information posted on social media public information – free for use by any individual or entity including law enforcement, employees, data mining companies etc. or is information posted on social media – private, and thus requires authorization for further use. For example, in India, in 2013 the Mumbai police established a “social media lab” for the purposes of monitoring and tracking user behavior and activities.[1]
Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S, individuals have contested the use of their tweets without permission,[2] while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity, and is therefore no longer private.[3] Indian Courts have yet to deal directly with the question of social media content being public or private information.
The Complication of Jurisdiction
The borderless nature of information flows over the Internet complicates online privacy, as individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Thus, for example an Indian using Gmail, will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but could also be damaging to privacy in the reverse situation – where one company has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided over data as it flows through different jurisdictions, access by law enforcement to data stored in a different jurisdiction, or data from one country accessible to law enforcement because it is being processed in their jurisdiction, are two other complications that arise. These complications cannot be emphasized more than with the case of the NSA Leaks. Because Indian data was residing in US servers, the US government could access and use the data with no obligation to the individual.[4] In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold the companies who disclosed the data to US security agencies such as Google, Facebook etc. accountable.[5]
Despite this, because the companies were acting within the legal limits of the United States where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry are asking for the establishment of 'domestic servers'. For example, Dr. Kamlesh Bajaj, CEO of Data Security Council of India was quoted in Forbes magazine promoting the establishment of India centric social media platforms.[6] Similarly, after the PRISM scandal became public, the National Security Advisor requested the Telecom Department to only route traffic data through Indian servers.[7]
In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.
Current Policy for Internet Privacy in India
Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online privacy. Provisions that clearly protect user privacy include: penalizing child pornography,[8]penalizing, hacking and fraud[9] and defining data protection standards for body corporate.[10]
Provisions that serve to dilute user privacy speak to access by law enforcement to user's personal information stored by body corporate[11] collection and monitoring of internet traffic data[12] and real time monitoring, interception, and decryption of online communications.[13] Additionally, legislative gaps in the ITA serve to weaken the privacy of online users. For example, the ITA does not address questions and circumstances like the evidentiary status of social media content in India, merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, if users have the right to be notified of the presence of cookies and do-not track options, the use of electronic personal identifiers across data bases, and if individuals have the right to request service providers to take down and delete their personal content.
Online Data Protection
Since 2010, there has been an increasing recognition by both the government and the public that India needs privacy legislation, specifically one that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industrial bodies like DSCI – who regard strong data protection standards as an integral part of business, and from the public, who has voiced increasing concerns that governmental projects, such as the UID, involved with collecting, processing, and using personal data are presently not adequately regulated and are collecting and processing data in such a way that abuses individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.[14]
The Rules seek to provide rights to the individual with regards to their information and obligate body corporate to take steps towards protecting the privacy of consumer's information. Among other things, the Rules define “sensitive personal information' and require that any corporate body must publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information ' except in the case of law enforcement, provide individuals the ability to withdraw consent, establish a grievance officer, require companies to ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standards of “data secure”[15] and many gaps still exist. For example, the Rules apply only to:
- Body corporate and not to the government
- Electronically generated and transmitted information
- A limited scope of sensitive personal information.
- A body corporate when a contractual agreement is not already in place.
These gaps leave a number of bodies unregulated and types of information unprotected, and limits the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and if they are applying the Rules only to the use of their website or if they are also applying the Rules to their core business practices.
Cyber Cafés
In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Café’s to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log in time, and log out time. These details must be submitted to the same agency as directed, on a monthly basis.[16] Cyber Cafes must also retain the history of websites accessed and logs of proxy servers installed at the cyber café for a period of one year.[17] Furthermore, Cyber Café’s must ensure that the partitions between cubicles do not exceed four and half feet in height from floor level.[18] Lastly, the cyber café owner is required to provide every related document, register, and information to any officer authorized by the registration agency on demand.[19] In effect, the identification and retention requirements of these rules both impact privacy and freedom of expression, as cyber cafes users cannot use the facility anonymously and all their information, including browser history, is stored on an a-priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of access standards for law enforcement to users internet communications as the provision does not define:
- An authorization process by which the registration agency follows to authorize individuals to conduct inspections.
- Circumstances on which inspection of a Cyber Café by an authorized officer is necessary and permissible.
- The process for which information can be requested, and instead vaguely requires cyber café owners to disclose information “on demand”.
Online Surveillance and Access
The ITA also allows for the interference of user privacy online by defining broad standards of access to law enforcement and security agencies, and providing the government with the power to determine what tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications[20] provide for the collection and monitoring of traffic data[21] and allow the government to set the national encryption standard.[22] In particular, the structure of these provisions and the lack of safeguards incorporated, serve as a dilution to user privacy. For example, though these provisions create a framework for interception they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider – as they are required to extend all facilities necessary to security agencies for interception and decryption, and hold the service provider liable for imprisonment up to seven years for non-compliance. This creates an environment where it is unlikely that the service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and subsequent ISP and UAS licenses.
Scope of Surveillance and Access
The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items quoted that in the month of July 8,736 phones and e-mail accounts were under lawful surveillance.[23]
Though this number is representative of authorized interception, there have been a number of instances of unauthorized interceptions that have taken place as well. For example, in 2013 it was found that in Himachel Pradesh 1371 phones were tapped based on verbal approval, while the Home Ministry had only authorized interception of 170.[24] This demonstrates that there are instances of when existing safeguards for interception and surveillance are undermined and highlights the challenge of enforcement for even existing safeguards.
Demonstrating the tensions between right to privacy and governmental access to communications, and at the same time highlighting the issue of jurisdiction was the standoff between RIM/BlackBerry and the Indian Government. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai and in 2013 provided a lawful interception solution that satisfied the Indian Government.[25]
The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear if the system will provide for the interception of only telephonic communications or if it will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation the government is not only taking away a potential check, as service providers can resist unauthorized requests, but it is also taking away the possibility for companies to be transparent about the interception requests that they comply with.
Future frameworks for privacy in India: The Report of the Group of Experts on Privacy
In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.[26] The report creates a set of recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers both in the private sector and the public sector. This would work to ensure that businesses and governments are held accountable to protecting privacy and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards including the EU, OECD, and APEC principles on privacy, and include: notice, choice & consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, security.
The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for that specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner for overseeing the implementation of the right to privacy in India and specifies that aggrieved individuals can seek redress either through issuing a complaint the privacy commissioner or going before a court.
The nine national privacy principles include:
Notice: Principle 1: Notice
A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:
During Collection
- What personal information is being collected;
- Purposes for which personal information is being collected;
- Uses of collected personal information;
- Whether or not personal information may be disclosed to third persons;
- Security safeguards established by the data controller in relation to the personal information;
- Processes available to data subjects to access and correct their own personal information;
- Contact details of the privacy officers and SRO ombudsmen for filing complaints.
Other Notices
Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Service providers would have to explain how the information would be used and if it may be disclosed to third persons such as advertisers, processing Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.
Example of Implementation: A telecom service provider must make available to individuals a privacy policy before any personal information is collected by the company. The notice must include all categories of information as identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual from the initial start of the service and during the course of the consumer using the service. For a telecom service provider this could range from name and address to location data. The notice must identify if information will be disclosed to third parties such as advertisers, processers, or other telecom companies. If a data breach that was the responsibility of the company takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.
Principle 2: Choice and Consent
A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.
Example of implementation: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as in a medical emergency, consent before processing information, does not need to be taken.
Principle 3: Collection Limitation
A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.
Example of Implementation: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.
Principle 4: Purpose Limitation
Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.
Example of Implementation: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.
Principle 5: Access and Correction
Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.
Example of Implementation: An individual who has opened a bank account, has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct the mistake. If the individual requests information related to him that is stored on a family member from the bank, the bank cannot disclose this information without explicit consent from the family member as it would impact the privacy of another.
Principle 6: Disclosure of Information
A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.
Example of Implementation: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.
Principle 7: Security
A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.
Example of Implementation: If a company is a telecommunication company, it must have security measures in place to protect customers communications data from loss, unauthorized access, destruction, use, processing, storage, modification, denanonmyization, unauthorized disclosure, or other forseeable risk. This could include encrypting communications data, having in place strong access controls, and establishing clear chain of custody for the handling and processing communications data.
Principle 8: Openness
A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
Example of Implementation: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.
Principle 9: Accountability
The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.
Example of Implementation: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient related information, conducting audits, and establishing an officer or body for overseeing the implementation of privacy.
Public Discourses on Privacy
In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.
The Unique Identification Project
One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. Of those critiquing the project, which included a Parliamentary Standing Committee on Finance,[27] privacy has been a driving force behind the concerns about the project. Arguing that not only does the UID Bill not have sufficient privacy safeguards in its provisions[28] but the design of the project and the technology of the project places individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and does not provide adequate security measures to protect sensitive information like biometrics.
The Human DNA Profiling Bill
In 2006 the Department of Biotechnology piloted a draft human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Individuals, including the Centre for Internet and Society, publicly raising concern about the bill, cite a lack of privacy safeguards in the provisions, and expansive circumstances and reasons that the bill permits the creation and storage of DNA profiles.[29]
Surveillance
For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information in more granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and ask for a comprehensive privacy legislation that also regulates surveillance.
The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology and how it is constantly changing how information can be surveilled by governments and what information surveilled by governments, and how information can be combined and analysed to draw conclusions about individuals.
A Privacy Legislation for India
Since 2010, there has been a strong public discourse around the need for a privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime that encompassed data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.[31] In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.[32] Presently, the Department of Personnel and Training is drafting the text of the Governments Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill – a citizen’s version of a privacy legislation for India.[33] From April 2013 – October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback to a privacy framework in India. Topics discussed during the meetings included, how to define sensitive personal information vs. Personal information, if co-regulation should be a model adopted as a regulatory framework, and what should be the legal exceptions to the right to privacy.[34]
Conclusion
Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.
[1]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/
[2]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml
[3]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us
[4]. http://www.bbc.co.uk/news/technology-24744695
[5]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece
[6]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1
[7]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece
[8]. ITA section 67
[9]. ITA section 43, 66, and 66F
[10]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.
[11]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)
[12]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009
[13]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009
[14]. Ibid footnote 6
[15]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html
[16]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf
[17]. Guidelines for Cyber Cafe Rules 5(4)
[18]. Guidelines for Cyber Cafe Rules 5(6)
[18]. Guidelines for Cyber Café Rules 5(6)
[19]. Guidelines for Cyber Café Rules 7(1)
[20]. Ibid footnote 9
[21]. Ibid footnote 8
[22]. ITA section 84A
[23]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act
[24]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime
[25]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/
[26]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf
[27]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf
[28]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/
[29]. http://www.epw.in/authors/elonnai-hickok
[30]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf
[31]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/
[32]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf
[33]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft
[34]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings