Centre for Internet and Society

Privacy Conference in Ahmedabad PDF

praskrishna — 2011-04-01T07:43:09Z

pdf

For more details visit http://editors.cis-india.org/internet-governance/publications/privacy-conference-ahmedabad.pdf

Privacy Conference at NUJS

praskrishna — 2010-12-29T05:05:43Z

file

For more details visit http://editors.cis-india.org/internet-governance/publications/privacy-nujs-conference

Privacy concerns multiply for Aadhaar, India’s national biometric identity registry

praskrishna — 2017-03-22T14:38:52Z

The largest and most sophisticated biometric identity system of any country in the world, India’s Aadhaar, is sparking new fears that the personal data it stores on more than 1.1 billion people could be vulnerable to exploitation.

The article by Kaelyn Lowmaster was published by One World Identity on March 17, 2017, Sunil Abraham was quoted.

Aadhaar, which translates to “foundation” in Hindi, is a unique 12-digit code tied to citizens’ biometric data and personal information. The system was launched in 2009 in an effort to extend social services to India’s millions of unregistered citizens, and to cut down on welfare benefit “leakage” resulting from an opaque and often corrupt bureaucracy.

Constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates.

The government has also looked to Aadhaar data to underpin mobile payment transfer platforms, which have become crucial for cashless transactions during the country’s demonetization push over past year.

But constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates, who cite several vulnerabilities both with the Aadhaar system and the Modi administration’s planned expansion.

Despite this, recent metrics indicate that Aadhaar has been enormously successful in achieving those goals. Though the program is theoretically voluntary, more than 99% of Indian adults are now enrolled. Over three billion individual identity verifications have been conducted, and some reports indicate that the Indian government is saving a billion dollars per year now that welfare subsidies can be paid to citizens directly through Aadhaar-verified fund transfers.

Prime Minister Narendra Modi has ambitions to broaden the system even further, seeking to use Aadhaar as the gateway for accessing government programs ranging from public education to subsidized cooking gas, as well as partnering with private companies to offer services facilitated by the Aadhaar database.

Concerns, however, remain. One primary worry is that India’s legal framework for information security is still weak and fragmented, despite government assurances that Aadhaar biometrics have never been misused or stolen.

“There are no regulations in India on safeguards over and procedures for the collection, processing, storage, retention, access, disclosure, destruction, and anonymization of sensitive personal information by any service provider,” according to a 2016 World Bank report.

A patchwork of rules outlining “reasonable security practices and procedures” for personal data has accumulated since Aadhaar was launched, but there is no codified law outlining how data in the system must be secured, or what penalties exist for potential leaks, fraud or misuse.

“Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records” – Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore

This regulatory gap poses a particularly acute risk now that the government has begun offering companies and app developers support for starting new businesses that use Aadhaar data. Through a new initiative called IndiaStack, the administration is providing open program interfaces for companies in fintech, healthcare, and other areas to integrate Aadhaar-based transactions into their business platforms. While IndiaStack’s terms of use explicitly state that user consent is required for any information sharing between service providers and the Aadhaar database, doubts remain about the integrity of the network infrastructure and the lack of clarity surrounding acceptable information sharing and storing protocols.

Another source of concern is the risk that Aadhaar information could be leveraged by the government itself for political purposes.

“Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station,” Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore, told Reuters. “It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records.”

Further stoking fears of federal overreach, the Modi administration has attempted to make Aadhaar registration mandatory in certain sectors, violating a Supreme Court ruling from October 2015 that enrollment must remain voluntary.

Still, the benefits of building on the Aadhaar identity system appear to be outweighing the risks for now, and the system is gathering momentum worldwide. The World Bank is helping market the Aadhaar model abroad, and Russia, Morocco, Tunisia, and Algeria have all expressed interest in instituting national biometric identity programs of their own. Microsoft is already on board, and Google is negotiating ways to get involved.

Aadhaar may indeed live up to is potential and become the global standard for universal legal identity, but until India can manage to create more robust mechanisms to protect citizens’ personal data, their security could remain uncertain.

For more details visit http://editors.cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry

Privacy By Design — Conference Report

praskrishna — 2011-08-22T12:03:30Z

How do we imagine privacy? How is privacy being built into technological systems? On April 16th,The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event.

Introduction

On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to foster discussions around questions related to how privacy is being designed into technological systems. The day opened with two basic questions: How do we imagine privacy? And how are individuals building technology systems incorporating privacy into the system? Throughout the day the conversations took many twist and turns, but at the end of the day three basic points about privacy had come out of the many discussions: 1. Privacy cannot be limited to one definition; it is constantly changing based on person and on context 2. To a person - privacy is a function of abuse and violation 3. The increased generation of data that was made possible by web 2.0 has lead to a rise in privacy issues and is significantly changing many traditional concepts, spaces, and relationships – such as what constitutes a public space, and the relationship between a state and its citizens.

Database architecture and privacy

The morning discussion focused on databases and privacy, and began with questions like: How can a database be built to protect privacy? When a database is built, what role does privacy play in the migration of data? Is privacy protected in databases simply by limiting access to certain parts of data sets? Though many of these were left unanswered, the conversation highlighted the fact that th databases are coded to segregate /regulate users and information in order to protect the system. Thus, databases are architected to incorporate privacy in such a way that protects the viability of only the system and not the individual. In our research we have seen many cases of this. Individual’s privacy has been violated because of malfunctioning or poorly constructed databases. For example, currently Indian governmental databases often have incorrect information, individuals do not have the ability to access and change their information, and if an individual’s information is compromised the government is not held accountable, and there is no course of action that an individual can take towards redress.

Security vs. Privacy

Embedded in this understanding of how privacy is built into technological systems is the question of what security is, and when systems are built, whether privacy and security are considered to be essentially the same. Thus far in our research we have distinguished between privacy and security, saying that, security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

The right to be forgotten and regulation of data

The possibility of creating systems with "off switches" also came out of this thread of conversation. For instance, can a database be structured to show only necessary information to third parties based on the context. In this scenario a card would be created that has all of an individual’s information on it, but only the pertinent information will be shown based on the different situations - if, for example, a teenager goes to a bar, the card will only show a third party that he is over 18. This idea is already taking shape in many Western countries, and is similar to the idea of a federated identity system. A question to ask though is if such a system could work for India, or be even more appropriate for India than a system like the UID. The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

Data types and privacy

Emerging from the conversation on database structure, a conversation on types of data in databases was started. The question was raised as to whether or not databases can actually handle certain types of data. The example given was caste-related data. Information about a person’s caste is constantly changing as people lie about their caste, change their caste, and become married and take on another caste. Furthermore, some people do not want to live with their caste and want to shed off their caste. Therefore, can a database accurately represent such a dynamic data set? Is it dangerous to put such a politically volatile concept as caste into a database where it will confine a person to one definition once entered? Another side to this question though is that perhaps it is in fact necessary to try and place a person in one caste, as there benefits enshrined by law based on a person’s caste, and an individual who has the ability to change his/her caste at their whim therefore defeats and takes advantage of governmental benefits. The point was also raised that by placing information like caste and identity into a database, governments have the ability to divide the country into subsets of identities that they decide to generate. Caste is not the only data that faces these complications and issues. For instance religion and race raise similar question. How can you define and represent a person’s relationship with God in a database? How to you represent a child of multiracial parents on a database?

Changes in the relationship between the state and the citizen

It was also brought out that the representation of citizens’ identities on a database changes the relationship between a state and its citizenry. States no longer see citizens as individuals, but instead as data samples. The UID is an example of an e-governance program that if enacted, could further such a change in the relationship between the state and the citizen, as the whole of India will suddenly and ubiquitously be recognized by the Government (and other entities/organizations) according to their aadhaar number. The relationship between the state and the citizen is not the only social change that databases bring about. Databases also change the concept of public space. As web 2.0 has facilitated the generation of large amounts of data, public space has become a space where one enters and interacts as a dataset. For example face book and twitter allow individuals to create datasets of them and interact with other people through their datasets. Beyond social networking online banking and online shopping also push people to form datasets about themselves and interact with services that were traditionally done in person as individuals, as datasets.

Questions of ownership

The above thread of conversation led to the next question of whether or not individuals control technology or whether technology controls individuals. The example of Facebook was used to illustrate this question. Even though Facebook has a privacy policy, once a person engages with Facebook he or she accepts Facebook’s definition of privacy – which is two tiered. On one level Facebook defines user privacy in terms of restriction - allowing the user to limit who can see their profiles. On another level Facebook’s privacy policy allows the company to share and sell personal information. In these ways companies are constructing databases so that instead of the company being the custodian of information – an entity that provides a structure to protect and hold information - the companies are now the owners of information- selling and using individuals information for profit. In India, this is a problem. Companies, once they collect data, treat it as their own - selling and sharing data with third parties, or using it in ways that were not agreed to by the customer. The question of ownership was a critical question for the group. In the discussions it was important to individuals that they had control and ownership over their information. Individuals felt that information that could be traced back to them or their identity belonged to them, and that in order to protect privacy consent should be secured before any information is used. For instance, data mining by websites without notice was seen as a violation of privacy. The collection of data in public places for marketing purposes without a person’s consent or awareness was similarly seen as a privacy violation. It was also brought out from this conversation that the digitization of information has caused a commercialization of information, and that has led to a sense of ownership and need for privacy over information. For example, before, if someone were to take one’s name and mis-use it, that person was charged with defamation – not for violation of privacy – but if someone misuses information that is in a database or online, that person is now charged for a violation of privacy. This shift in thinking is another example of how web 2.0 has increased privacy violations.

Perceptions and expectations of privacy

The day ended with a conversation about the perceptions and expectations of privacy. Privacy as it relates to an individual is almost wholly dependent on expectation, which changes from person to person, from community to community, and from culture to culture. Just as the expectation of privacy varies between individuals, so does the degree of violation. Thus, it is important to recognize the changing nature of privacy, because it explains why it is difficult for the legal system to address all the nuances of privacy with one broad legislation. This point has been crucial in our research thus far as we are consulting with the public, analyzing legislation, and following news items to see if privacy legislation is wanted and needed in India, and if it is - how it should be shaped.

From the conversation on perceptions of privacy and privacy violations it was also brought out that the concept of privacy is on one hand related to the notion of ownership, and on the other hand it is related to the violation. From the experiences shared by individuals, their privacy never became a concern until it was violated, or they learned about someone else’s privacy being violated. This led to the observation that not only is it difficult for the law to address privacy violations because the violation is based on perception, but also because the effect when one’s privacy is violated is often an emotional one.

Conclusion

The conversations held throughout the day showed the dynamic and personal nature of privacy, and how when databases are constructed, and how our lives made digital this personal aspect is easily lost. When we think about the conversations held throughout the day in relation to our initial questions: what are the different ways of imagining privacy, and how is privacy being built into technological systems, besides the three basic themes of privacy highlighted in the beginning of this blog - there emerged to more themes. One theme portrayed an imagination of privacy that is more personal, and that address the emotional component and the perception component to privacy. Another theme portrayed an imagination of privacy that is technologically more controlled, that allows for more personal regulation, more precise segregation of information in a database, and restricted access by third parties. This imagination of privacy can be and is being met by new and developing technologies. Increasingly in many countries technology is being structured with privacy built into the system. The larger question that this open space has raised, and not completely answered is if privacy legislation can adequately protect an individual’s privacy, and if it cannot, can technology can fill the gaps that privacy legislation leaves open.

For more details visit http://editors.cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign

Privacy by Design

praskrishna — 2011-04-01T03:49:33Z

For more details visit http://editors.cis-india.org/internet-governance/publications/it-act/PrivacybyDesignPoster.jpg

Privacy Approach Paper

praskrishna — 2010-11-22T11:44:16Z

For more details visit http://editors.cis-india.org/internet-governance/publications/privacyapproachpaper

Privacy and the Indian Copyright Act, 1857 as Amended in 2010

praskrishna — 2011-08-23T03:25:02Z

In this post the author examines the issue of privacy in light of the Indian Copyright Act, 1857 as amended by the Copyright Amendment Bill in 2010. Four key questions are examined in detail and the author gives suitable recommendations for each of the questions that arise.

India's Copyright Act was established in 1857 and was most recently amended in 2010. Although India at present is not a member of WIPO, the provisions in the proposed Bill will work to make the Act WIPO compliant. When looking at privacy in the context of copyright, four key questions arise:

How do DRM technologies undermine privacy and what safeguards are present in the Indian Law to protect citizens’ right to privacy?

Technologies such as digital rights management technologies were developed to be used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices. DRM technologies pose as a privacy threat, because in their ability to monitor what is happening to a copyrighted work, they are also able to collect personal information and send it back to a host without knowledge of the user. The host is then able to use that data for marketing or commercial purposes. In the Copyright Act, 1957 there are no current provisions against DRM circumvention. In the proposed Copyright Bill 2010 there are two proposed provisions to prevent anti circumvention of DMR technologies, and one provision that clarifies what is a DMR technology.

Proposed Legislation

Section 2 (xa): Defines Rights Management information.
Section 65A : Protection of Technological Measures - Any person who knowingly makes or has in his possession any plate for the purpose of making infringing copies of any work in which copyright subsists shall be punishable with imprisonment which may extend to two years. The section includes that any person facilitating circumvention by another person of a technological measure, shall maintain a complete record of such other persons including his name, address and all relevant particulars necessary to identify him.
Section 65B: Protection of Rights Management Information – Any person who removes or distributes, copies or broadcasts any rights management information without authority shall be by punishable with imprisonment.

Recommendation

We find that in this provision the privacy of an individual is brought into question, because there are no safeguards against the commercialization of information, and no formal process of redress if an individual discovers that his information is being used without his consent/prior knowledge. We would recommend that it be clearly articulated in the provision that the collection and commercialization of information and personal data is prohibited by DRM technologies and host companies, and a method of redress be put in place.

Under the present copyright does a person have the ability to expose privacy infringement?

Because DRM technologies often employ the use of spy-ware, it is important that an individual has the ability to know if spy-ware is being used on their computer systems. Currently reverse engineering is permitted under provision 52 (ac). The amended version of provision 52 is less clear on if reverse engineering would be allowed.

Current Legislation

Provision 52 (ac): Certain acts not to be in infringement of copyright include the observation, study or test of functioning of the computer programs in order to determine the ideas and principles which underlie any elements of the program while performing such acts necessary for the functions for which the computer program was supplied. The following acts shall not constitute in infringement of copyright, namely:

Proposed

The proposed amendment reads:

52 (1) The following acts shall not constitute an infringement of copyrights, namely:

(i) (a) a fair dealing with a literary, dramatic, musical or artistic work not being a computer program for the purposes of:

(ii) private use, including research

(iii) Criticism or review, whether of that work or of any other work.

The exclusion of computer program in the proposed bill makes it unclear under what circumstances reverse engineering would be allowed.

Recommendation

We would recommend that for clarity purposes a specific clause be added to the act that details under what circumstances a person is allowed to reverse engineer a product for protection of their own privacy.

How does the proposed exception for the disabled undermine privacy?

In India under the current Copyright Act, 1957 there are no provisions for the benefit of disabled persons, thus currently permission from copyright holders needs to be exclusively sought every time the visually challenged person requires access. Under the Constitution of India and the Berne Convention, India has committed to enshrining the rights of the disabled.

Proposed Legislation

The proposed amendment of the Act will grant compulsory license in respect of publication of any copyrighted works not covered by the exception under section 52 (1) (zb).

The Bill also proposes a board that would establish the credentials of the applicant and satisfy itself that the application has been made in good faith. This compromises the anonymity that most individuals enjoy when a disabled person tries to access a digital library.

Recommendation

We recommend that the proposed Bill limits the authentication process a disabled person must go through when accessing digital libraries, etc, and the extent to which records are to be kept of transaction This will serve to protect the anonymity and privacy of disabled persons.

What is On the horizon?

Examples of Proposed Legislation: The Anti- Counterfeiting Trade Agreement

ACTA is a proposed legislation with the objective to combat counterfeiting and piracy. Partners in the negotiations include the United States, Australia, Canada, the European Union, Japan, Mexico, Morocco, New Zealand, Singapore, South Korea and Switzerland. The treaty will oblige each Contracting Party to adopt, in accordance with its legal system, the measures necessary to ensure the application of the treaty. Though ACTA has not been enacted, many worry that ACTA would facilitate privacy violations by trademark and copyright holders against private citizens suspected of infringement activities without any sort of legal due process. The Act would allow for random searches of laptops, MP3 players, and cellular phones for illegally downloaded or ripped music and movies.

Recommendation

We find that copyright infringement does not appear to justify a three strike regime or cross border searches. ACTA and other international treaties raise the question that if India became compliant with certain international standards, the standards would be too stringent without safeguards, and pose as a risk to a person’s privacy.

For more details visit http://editors.cis-india.org/a2k/blogs/copyright-privacy

Privacy and the Indian Copyright Act

praskrishna — 2013-08-06T13:37:27Z

India's Copyright Act was established in 1957, and is in the process of being placed before the Parliament in 2010. The provisions in the proposed Bill will work to make the Act WIPO Copyright Treaty (WCT) compliant. When looking at privacy in the context of copyright four key questions arise, says Elonnai Hickock as she analyses privacy in the context of the Indian Copyright Act.

How do DRM technologies undermine privacy and what safeguards are present in the Indian law to protect citizens’ right to privacy?

Technologies such as digital rights management technologies were developed to be used by hardware manufacturers, publishers, copyright holders and individuals to control the mode of use of certain digital devices and contents. DRM technologies pose as a privacy threat, because in their ability to monitor what is happening to a copyrighted work, they are also able to collect personal information and send it back to a host without knowledge of the user. The host is then able to use that data for marketing or commercial purposes. In the Copyright Act, 1957 there are no current provisions against DRM circumvention. In the proposed Copyright Bill 2010 there are two proposed provisions: to prevent anti circumvention of DRM technologies and one provision that clarifies what is a DRM technology.

Proposed Legislation

Section 2 (xa): Defines Rights Management Information – it is important to note that within the definition of RMI the provision specifically excludes any device or procedure intended to identify the user from the definition.

Section 65A (1) : Protection of Technological Measures - Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine includes that any person facilitating circumvention by another person of a technological measure, shall maintain a complete record of such other persons including his name, address and all relevant particulars necessary to identify him.

Section 65B: Protection of Rights Management Information – Any person who removes, or distributes, copies, or broadcasts any rights management information without authority shall be by punishable with imprisonment.

Recommendation: We find, not just exclusively to the Copyright Act, but that in all Indian legislation the privacy of an individual is brought into question, because there are no safeguards against the commercialization of information, and no formal process of redress if an individual discovers that his information is being used without his consent/prior knowledge. We would recommend that (perhaps appropriately in legislation on data protection) a provision be included to clearly articulate that the collection and commercialization of information and personal data is prohibited by DRM technologies and host companies, and a method of redress be put in place.

Under the copyright, does a person have the ability to expose privacy infringement?

Because DRM technologies have the ability to collect user information, which could potentially be done through the use of spyware, it is important that an individual has the ability to know if and when their information is being collected. To do this an individual can discover the technological principles of a device, object, or system through a process known as reverse engineering. Currently reverse engineering is permitted under provision 52 (ac). It is further supported by provision 65A (2) (f).

Current Legislation

Provision 52 (ac): Certain acts not to be in infringement of copyright include: the observation, study or test of functioning of the computer programs in order to determine the ideas and principles which underlie any elements of the program while performing such acts necessary for the functions for which the computer program was supplied. The following acts shall not constitute an infringement of copyright, namely:
65A (2) (f): Nothing in sub-section (1) shall prevent any person from, doing anything necessary to circumvent technological measures intended for identification or surveillance of a user.

Recommendation: We have no recommendation, but see this as a positive provision.

How does the proposed exception for the disabled undermine privacy?

In India under the current Copyright Act, 1957 there are no provisions for the benefit of disabled persons, thus currently permission from copyright holders needs to be exclusively sought every time the visually challenged person requires access. Under the Constitution of India and the Bernes Convention, India has committed to enshrining the rights of the disabled.

Proposed Legislation

Section 31B: will grant compulsory license in respect of publication of any copyrighted works not covered by the exception under section 52 (1) (zb). For this a registered intermediary organization that is recognized under The Persons with Disability Act shall apply to the Copyright Board for approval. The board will evaluate the applicant and application, and grant permission if it sees fit. The intermediary will then be responsible for monitoring the usage of the copyrighted work to ensure that copyright law is not violated.

Recommendation: Though currently the Indian legislation does not threaten the privacy of the disabled, we find it concerning that under the WIPO copyright treaty – the anonymity of the disabled would be compromised.

What is On the Horizon?

As copyright and IP is a constantly evolving issue, countries are consistently amending and changing their laws. With the flow of peoples across borders increasing, Indians will be affected by different international policies that could pose to infringe upon their privacy, for example cross-border checks or three strike regimes, which will punish a person if caught infringing copyright three times. For example: France has proposed cutting off Internet to those caught infringing on copyright three times.

Examples of Proposed Legislation: The Anti-Counterfeiting Trade Agreement:

ACTA is a proposed legislation. Its objective is to combat counterfeiting and piracy. Partners in the negotiations include: The United States, Australia, Canada, the European Union, Japan, Mexico, Morocco, New Zealand, Singapore, South Korea, and Switzerland. The treaty will oblige each contracting party to adopt, in accordance with its legal system, the measures necessary to ensure the application of the treaty. Though ACTA has not been enacted, many worry that ACTA would facilitate privacy violations by trademark and copyright holders against private citizens suspected of infringement activities without any sort of legal due process. The Act could allow for random searches of laptops, MP3 players, and cellular phones for illegally downloaded or ripped music and movies.

Recommendation: We find that copyright infringement does not appear to justify cross border searches or other forms of regulating. ACTA and other international treaties raise the question that if India became compliant with certain international standards, would the standards would be too stringent without safeguards, and pose as a risk to a person’s privacy.

For more details visit http://editors.cis-india.org/internet-governance/blog/privacy/privacy-copyright-act

Privacy and the Constitution

praskrishna — 2012-01-30T11:50:44Z

NS Nappinai presentation at the Mumbai conference held in January 2012.

For more details visit http://editors.cis-india.org/internet-governance/privacy-and-the-constitution

Privacy and Surveillance Talk by Sunil Abraham

praskrishna — 2013-09-13T09:47:09Z

For more details visit http://editors.cis-india.org/internet-governance/blog/privacy-surveillance.pdf

Privacy and Surveillance Roundtable

praskrishna — 2014-06-29T14:50:20Z

The Centre for Internet and Society and the Cellular Operators Association of India invite you to a roundtable at the India International Centre, New Delhi on July 4, 2014.

Background and Context to the Roundtables

In India, lawful interception of communications may be conducted by the state in three ways: firstly, intercepting telephone calls and other telecommunications may take place under powers listed in the Telegraph Act, 1885 and procedure set out in the Telegraph Rules, 1951; secondly, intercepting written communications transmitted through the postal service or by private couriers may occur under the Post Office Act, 1898; and, thirdly, intercepting, de-crypting, and monitoring email messages and other electronic communications may take place under the Information Technology Act, 1950 and two sets of Rules issued in 2008.

The government’s intention to create a Central Monitoring System to automate the existing process of telephone tapping is significant for a number of reasons. It will bypass private telephone service providers; currently the active cooperation of TSPs is required and compelled in order to intercept and monitor a telephone conversation. This creates an extra layer of compliance activity for TSPs which is cumbersome and expensive. Interception orders from the state often do not comply with the procedure required by law. This uncertainty is compounded by the lack of an indemnity for TSPs.

However, while the CMS will release TSPs from legal liability, it will leave the government free to conduct telephone interceptions in absolute secrecy and without a credible system of oversight and checks and balances. Amongst the world’s major democratic countries, India is alone in refusing to overhaul its telephone tapping regime. The legal requirements of probable cause, judicial sanction, and warrant-based interception – which are followed with exceptions in democracies around the world – are not adequately protected in India. The same principles also apply to the interception of postal and electronic communications.

There are several intelligence and police agencies in India that conduct interceptions of communications without central coordination. Previous cases in the Supreme Court of India and a few Indian High Courts reveal many cases of improper and even illegal surveillance. The sheer number of interested state agencies, the concerns of inadequate oversight, the lack of a credible legal regime, the constant leaks of private communications, and the poor legal protection given to TSPs and ISPs must be legally addressed.

Information about the Roundtables

The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI). From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The Report of the Group of Experts on Privacy

In January 2012 Justice A.P. Shah formed a committee to create a report of recommendations for privacy legislation in India. The committee met seven times from January 2012 to September 2012. The Report is made up of six chapters and begins by reviewing the international best practices around privacy and the relevant Indian jurisprudence. The Report then recommends nine National Privacy Principles to be adopted by each sector in India. The Nine National Privacy Principles reflect international standards, as well as taking into consideration the Indian context. Along with the National Privacy Principles, the Report lays out a regulatory framework for privacy including privacy commissioners at the regional and national level, self regulating organizations at the industry level, and a system of complaints. Finally the report demonstrates how the National Privacy Principles could be used to harmonize existing legislation and practices.

The Draft CIS Citizens Privacy (Protection) Bill 2013

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness, completing in depth research, and driving a privacy legislation in India. As part of this work, the Centre for Internet and Society has drafted the Privacy (Protection) Bill 2013. The Citizens Privacy Protection Bill contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the privacy commissioner, and lays out offenses and penalties for contravention of the Act. The Bill represents a citizens’ version of a privacy legislation, and will be shared with civil society, industry, and government. It is hoped that the review and revision of the Bill will be a participatory process, and thus comments and feedback to it’s’ provisions will be included as annex’s to the Bill.

The International Principles on the Application of Human Rights to Communication Surveillance

These principles were defined in 2013 in response to rapidly changing technologies and surveillance practices. The principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology, spearheaded by the Electronic Frontier Foundation US and Privacy International UK. As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. These principles attempt to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.

Tentative Agenda

Time	Detail
10.00 11.00	Introduction
11.00 11.30	Tea
11.30 13.00	Discussion
13.00 14.00	Lunch
14.00 16.00	Discussion
16.00 16.15	Tea

Resources

For more details visit http://editors.cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi

Privacy and Surveillance Roundtable

praskrishna — 2014-06-20T05:26:10Z

The Centre for Internet and Society and the Cellular Operators Association of India in collaboration with the Council for Fair Business Practices invite you to a "Privacy Roundtable" at IMC Building, IMC Marg, Churchgate, Mumbai on June 28, 2014, 10.00 a.m. to 4.00 p.m.

Time	Details
10:00 – 11:00	Introduction
11:00 - 11:30	Tea
11:30 - 13:00	Discussion
13:00 - 14:00	Lunch
14.00 - 16.00	Discussion
16.00 - 16.15	Tea

Background and Context to the Roundtables

Information about the Roundtables

The Report of the Group of Experts on Privacy

The Draft CIS Citizens Privacy (Protection) Bill 2013

The International Principles on the Application of Human Rights to Communication Surveillance

Tentative schedule for the Roundtables:

Mumbai – June 28th
New Delhi – July 4th
Ahmedabad/Hyderabad – August 1st
Bangalore – September 5th
New Delhi – October 3rd
Chennai – October 24th
New Delhi – November 7th

Resources

For more details visit http://editors.cis-india.org/events/privacy-surveillance-roundtable

Privacy and Surveillance in India

praskrishna — 2013-09-13T09:49:25Z

Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.

Click to read the brochure

Abstract

The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.

About the Speaker

Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.

He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.

For more details visit http://editors.cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india