Centre for Internet and Society

Debating Ethics: Dignity and Respect in Data Driven Life

Admin — 2018-11-07T03:03:25Z

Elonnai Hickok was a speaker in the panel "Move Slower and Fix Things" which was part of the 40th International Conference of Data Protection and Privacy Commissioners. The event was organized by International Conference of Data Protection and Privacy Commissioners (ICDPPC) from October 22 - 26, 2018 in Brussels. Elonnai participated in the event on October 24 and 25, 2018.

Click to read about the Programme here

For more details visit http://editors.cis-india.org/internet-governance/news/debating-ethics-dignity-and-respect-in-data-driven-life

Debate: Five Aadhaar Myths that Don’t Stand Up to Scrutiny

praskrishna — 2016-04-01T15:48:17Z

We need to reboot the Aadhaar debate by asking why we want to create a centralised biometric database of Indian residents in the first place.

The article by Reetika Khera was published in the Wire on March 23, 2016.

A recent article, ‘Identification simplified, myths busted’, by Piyush Peshwani and Bhuwan Joshi (hereafter, Peshwani & Joshi) makes some questionable claims about the UID project. Peshwani & Joshi’s strategy appears to be to ignore those questions to which they do not have an answer (e.g., that Aadhaar is mostly redundant as far as NREGA, PDS, etc., are concerned). For others, they cherry-pick ‘facts’ without acknowledging the debates surrounding those facts. Here is a selection.

#1: To get Aadhaar, you need a Proof of ID (PoID) and Proof of address (PoA)

Peshwani & Joshi: “For many, Aadhaar is perhaps the first document of their existence – a robust proof of their identity and address that can be verified online. No more closed doors for them!”

Peshwani & Joshi: “The Demographic Data Standards and Verification Procedures committee prescribes a list of valid 18 proof of identity and 33 valid proof of address documents for getting an Aadhaar.”

Fact: In fact, 99.97% of those who have Aadhaar, used PoID and PoA to get it. For those who have neither, there is an “introducer system”, but according to a reply to an RTI request, only 0.03% of those who have the Aadhaar number used this route.

As far as closed doors are concerned, Aadhaar does not guarantee any benefits: work through NREGA, widow or old-age pensions or PDS rations. There are separate eligibility conditions for those programmes which continue to apply.

#2 On costs

Peshwani & Joshi: “Does it justify the cost? Yes, absolutely, according to the World Bank, which said the initiative is estimated to be saving the Indian government about $1 billion annually by thwarting corruption, even as it underlined that digital technologies promote inclusion, efficiency and innovation.”

Fact: Savings due to the use of Aadhaar have been disputed. The government has claimed it has saved Rs. 14,672 crore on LPG subsidies due to Aadhaar while they are likely lower – by a factor of 100 (see Business Standard or Wall Street Journal).

Peshwani & Joshi: “Even before the World Bank’s endorsement of Aadhaar, the Delhi-based National Institute of Public Finance and Policy (NIPFP) conducted a detailed cost-analysis study on Aadhaar in 2012… the study found that the Aadhaar project would yield an internal rate of return in real terms of 52.85% to the government.”

Fact: The NIPFP cost-benefit was based on unrealistic assumptions – e.g., estimates of leakages that Aadhaar could plug were available for only two out of seven schemes; for the rest, they assumed leakage rates which are termed ‘conservative’, but are actually not.

In their response, the NIPFP team admitted that “a full-fledged cost benefit analysis of Aadhaar is difficult” because “many gains from Aadhaar are difficult to quantify because they are intangible” and, “even if in specific schemes there may be tangible benefits, the information available on those schemes does not permit a precise quantification of those benefits.”

They went on to say that “The study has steered away from relying exclusively on analyses of isolated and small sample sets”. What evidence did the NIPFP study rely on? “For ASHAs, Janani Suraksha Yojana and scholarships, no analysis, large or small has been used. For the Indira Awaas Yojana, the three analyses relied on exclusively are a Times of India news report, a press release based on a discussion in Parliament and a “Scheme Brief” by the Institute for Financial Management and Research (IFMR). Interestingly, the corruption estimate in the IFMR brief cross-refers to the Times of India article (apart from a CAG report)!” (Khera, 2013)

#3 De-duplication

Peshwani & Joshi: “Aadhaar means no fake, ghost or duplicate beneficiaries. Double-dipping will become more and more difficult with Aadhaar, a number that is well de-duplicated with the use of biometrics.”

Fact: De-duplication is one possible contribution of Aadhaar – but that needs biometrics, not a centralised biometric database. Local biometrics (used extensively in Andhra Pradesh before UID) mean that biometric data is stored by the concerned government department or on the local e-POS machine’s memory chip. It has the advantage that connectivity is not required (you are authenticated by the machine), errors and corrections can be correctly locally, making it more practical. The distinction between a local and centralised database is important (see #5 below).

Further, no one has a reliable estimate of the duplication problem. Two government estimates of duplicates exist: the Dhande committee for LPG (2%) and in NREGA job cards from the Government of Andhra Pradesh (also 2%).

#4 Exclusion

Peshwani & Joshi: “As far as exclusion in delivery of other services due to biometric authentication accuracy is concerned, it is important to go beyond scratching the surface.”

Fact: When the PDS was integrated with Aadhaar: “The Andhra Pradesh Food and Civil Supplies Corporation found that…nearly one-fifth ration card holders did not buy their ration.” Further, “When the government delved deeper in the issue, it was found that out of the 790 cases interviewed for the study, 400 reported exclusion. Out of the excluded cases, 290 were due to fingerprint mismatch and 93 were because of Aadhaar card mismatch. The remaining 17 cases were due to failure of E-PoS.” More here.

Moreover, Peshwani & Joshi pick one definition of ‘exclusion’ (due to biometric failure) when in fact, exclusion has a broader meaning. For instance, “In Chitradurga (Karnataka), Rs.100-150 million in wages from 2014-15 were held up for a year. When payments were being processed, their job cards could not be traced in NREGAsoft. Upon enquiry, the district administration learnt field staff had deleted them to achieve ‘100% Aadhaar-seeding’.”

#5 Profiling and privacy violations

Peshwani & Joshi: “A prominent criticism of Aadhaar is that it ‘profiles’ people.” …“Most of us have one or more identity/address documents, such as a passport, ration card, PAN card, driving licence, vehicle registration documents or a voter ID card. The government departments managing these already have our data. Aadhaar is no different. We give our data to banks, to insurance companies and to telecom companies for accounts, policies and mobile connections.”

Fact: That’s like saying BJP can be more corrupt because the Congress was corrupt. Instead we need to engage more seriously with the work of Sunil Abraham, Amber Sinha and others at the Centre of Internet and Society. There are crucial differences between Aadhaar and Social Security Number in the US, see this. Malavika Jayaram listed the UID project among a slew of “big brother” projects facilitating mass surveillance in India.

Conclusion

The debate on UID tends to begin with the premise that Aadhaar is necessary for ‘good governance’. Those claims of the UIDAI have long been demolished. In a nutshell, Aadhaar cannot help identify the poor, its possession does not guarantee inclusion into government social welfare (go to #1). It cannot reduce PDS or NREGA corruption as claimed in their early documents. Thankfully, PDS–NREGA corruption has been on the decline without Aadhaar – more needs to be done. (More details? Try this and this.)

Bihar shows how much corruption in the PDS can be reduced without Aadhaar. Credit: Reetika Khera

Aadhaar is not required for portability of benefits or for cash transfers. Cash transfers need bank accounts. To get a bank account, you need a proof of ID and a proof of address (go to #1). Aadhaar can help de-duplicate, but so can local biometrics (go to #3). We need to “reboot” the Aadhaar debate, starting on the right terms – why exactly do we need to create a centralised biometric database of Indian residents?

For more details visit http://editors.cis-india.org/internet-governance/news/the-wire-march-23-2016-reetika-khera-debate-five-aadhaar-myths-that-dont-stand-up-to-scrutiny

Debate over #Aadhaar Turns Nasty as Critics Accuse Supporters of Online Trolling

praskrishna — 2017-06-07T13:09:10Z

Internet Freedom Foundation’s Kiran Jonnalagadda has alleged that iSPIRT and its co-founder Sharad Sharma set up fake Twitter profiles to harass, intimidate Aadhaar critics.

The article by Ajoy Ashirwad Mahaprahasta was published in the Wire on May 19, 2017.

As bizarre as this may sound, one of the founders of the Indian Software Products Industry Round Table (iSPIRT) – an influential think-tank closely associated with the Unique Identification Authority of India (UIDAI) – Sharad Sharma, is battling allegations of trolling anti-Aadhar campaigners through fake Twitter profiles.

Kiran Jonnalagadda, one of the founders of Internet Freedom Foundation (IFF), has alleged that a number of fake profiles started to troll him online earlier this month in response to his criticism of Aadhar on Twitter. Surprisingly, he said, one of the profiles –@confident_India – which trolled him was apparently operated by Sharma, considered highly influential within the IT and start-up industry and a governing council member of iSPIRT.

What is iSPIRT?

In 2013, a group of volunteers working with NASSCOM founded iSPIRT to represent the software products industry independently. It is widely known that many of these same volunteers also helped the UIDAI develop much of the initial Aadhaar infrastructure and ecosystem. According to Forbes India, iSPIRT helps Indian software product companies “draft and take policy proposals to government officials; create reusable ‘playbooks’ from successful companies that can be applied by others; and create ‘self-help communities’.” It aims to facilitate Indian software product companies, which build affordable and innovative technologies, get a footprint in sectors like health, education, infrastructure and create conditions so that they get an equal platform to compete with big multinationals.

In this mission, iSPIRT believes that Aadhaar-based technologies, which Indian software product companies may create, could help the Indian software product industry gain an advantage over multinationals, which may be skeptical about using Aadhaar. In other words, iSPIRT, one of the biggest advocates of Aadhaar, sees a commercial advantage to the increasing use of Aadhaar for many of the entrepreneurs associated with the Round Table. To this end, iSPIRT runs two initiatives – ProductNation and IndiaStack, a collection of open APIs for technology infrastructure projects like UPI and Aadhaar.

While the mission may sound fine, many of the Aadhaar advocates within iSPIRT have had to face questions from civil society, most of which have to do with the suspicion that Aadhaar could compromise online privacy. This, over the past few months, has led to heated social media battles between iSPIRT and anti-Aadhaar campaigners.

However, the debate took a darker turn when Jonnalagadda uploaded a video showing that the @Confident_India Twitter handle could be traced back to Sharma’s personal mobile phone number on Twitter. Sharma, has since then, apparently changed his number.

“It was only when I started to grow suspicious of the handle that I thought of using Sharma’s phone number to verify the account,” Jonnalagadda tells The Wire.

In an article – “Inside the mind of India’s chief tech stack evangelist” – where he narrates the events, he says “a flurry of newly created Twitter trolls accounts began heckling me about Aadhaar”.

Around 10 such handles started making unprovoked attacks on Jonnalagadda and another founder of IFF, Nikhil Pahwa, accusing them of being guided by “greed, profit, and deceit” for being in the “#AntiAadhaar brigade.”

As the argument continued, @confident_India called Jonnalgadda “pretentious” mouthing “highfalutin stuff” and “techno-babble”.

“All these did not perturb me as it was a part of routine arguments,” says Jonnalagadda.

However, in what he calls a “lightbulb moment”, he had the first inkling that Sharma could be operating the account of @confident_India through this thread:

“Sharad Sharma’s original account doesn’t follow any of these people on the thread. The conversation would not have shown on his timeline. Yet both @confident_India and Sharad Sharma made the same argument,” says Jonnalagadda.

Then, he says, Sharma gave it out. A question addressed to Sharad Sharma ended up being answered by @confident_India.

@Confident_India also went on a tirade against the IFF fellows and called them “JNUtype”, “ISISstooge” or belonging to Lutyens Delhi, insinuating that the IFF fellows are terrorists or largely belong to a certain social elite category of people.

When this prompted Jonnalagadda to verify the account with Sharma’s number, it matched. He later posted the video on his account.

An email from The Wire to Sharad Sharma remained unanswered at the time of writing.

However, soon after this alleged expose kicked off a Twitter war between the two groups, Sharad responded with a reply to Nikhil Pahwa’s tweet.

iSPIRT also responded in various online forums. “Sharad Sharma, co-founder of iSPIRT, named in these allegations is in the US for a medical emergency in his family. As of this morning, Eastern Standard Time, Sharad has categorically denied these allegations. We will further investigate the confusion around the alleged link of mobile number and clarify all outstanding questions. For the moment, we are prioritising the well-being of Sharad and his family,” says the organisation’s response.

“We want to categorically state that the allegations against iSPIRT coordinating and/or promoting any troll campaign are false and the evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack” it added.

Interestingly, however, what has emerged out of the controversy is another allegation by the IFF that iSPIRT had made trolling part of its policy to counter Aadhaar’s “detractors.”

At a fellows meeting earlier this year in February, iSPIRT charted out a “Detractors Matrix” in which they categorised the anti-Aadhar campaigners into four categories, namely “misinformed, fearful, and engaging”, “informed, fearful and engaging”, “misinformed and trolling” and lastly, “informed yet trolling”. In an internal iSPIRT presentation, Reetika Khera, IIT professor and a renowned economist, and Nikhil Pahwa, IFF’s co-founder were shown as belonging to the last two categories.

To counter Aadhaar critics on online platforms, iSPIRT volunteers intended to group themselves into “archers” and “swordsmen” who would challenge their theories on Twitter and elsewhere.

iSPIRT has acknowledged discussing the “detractor matrix” in its reply to the allegation but dismissed it being equivalent to trolling, as Jonnalagadda alleges. Co-founder of iSPIRT, ThiyagaRajan Maruthavanan, while responding to allegations said that there was no official involvement on behalf of iSPIRT.

CIS allegations

Many of the pro-Aadhaar Twitter trolls, most noticeably Confident_India, have also lashed out at other Internet rights organisations. This includes the Bangalore-based Centre for Internet and Society (CIS) which last month released a report that claimed that over 100 million Aadhaar numbers were publicly exposed by four government websites. The Confident_India Twitter handle has alleged that CIS has violated foreign funding regulations (under the Foreign Contributions Regulations Act), that they are likely “funded by ISI” and that because of their “advocacy efforts”, the organisation should be shut down.

It should be noted that the Unique Identification Authority of India has also sent a sharp letter to CIS over its report and has suggested that some of the Aadhaar data that the report documented could not have been gotten through legal means.

For more details visit http://editors.cis-india.org/internet-governance/news/the-wire-may-19-2017-ajoy-ashirwad-mahaprahasta-debate-over-aadhaar-turns-nasty-as-critics-accuse-supporters-of-online-trolling

Dear Milind Deora, Prakash Javadekar Deserved The Truth

praskrishna — 2013-09-05T10:38:05Z

Milind Deora, the Minister of State for Communications, Information Technology and Shipping, isn’t your typical politician.

This article by Rohin Dharmakumar was published in Forbesindia Magazine on August 22, 2013. Sunil Abraham is quoted.

At just 36, he’s way younger than the average cabinet minister (64) or Member of Parliament (53). He’s also richer (Rs.17.5 crore compared to Rs.5.3 crore for the average M.P.)

He’s got his own website - www.milinddeora.in - which unlike most of his peer’s websites, is fairly well-designed and constantly updated. He’s also an avid user of social networks like Twitter (@milinddeora) and Facebook.

Oh, he’s also a Blues fan and a pretty good guitarist.

In short, he’s the kind of politician or minister many Indians would like to vote for.

And vote they do, in fact. Deora’s won the Mumbai (South) parliamentary constituency two times in a row, garnering nearly twice his next opponent’s votes during the 2009 elections.

Which is why it’s surprising, and saddening, to see Deora trot out a patently false set of answers to how America’s global dragnet of Internet surveillance is affecting the privacy of Indians.

On 16th August Deora responded to a question from Rajya Sabha M.P. and BJP Spokesperson Prakash Javadekar, asking the following:

(a) whether it is a fact that India was the fifth most tracked country by the United States intelligence, particularly on the internet;
(b) if so, the details thereof;
(c) the impact of USA”s surveillance program-Prism and Boundless Information on the country; and
(d) the steps Government intends to take to protect country”s interests and the privacy of its citizens?

Javadekar’s question was sorely needed in light of the near-daily disclosures being made about the scarily omnipresent extent to which the US Government spies on global Internet users through a myriad of ways.

India, as Javadekar rightly pointed out, was indeed the fifth most monitored country under the “Boundless Informant” data mining tool that tracks the NSA’s (the US’ lead communications spy agency) global surveillance efforts. In just March 2013 alone, according to a leaked presentation on the tool, the NSA collected 6.3 billion pieces of information from India. Suffice it to say, the information would have come from Indian citizens, businesses, ministries, bureaucrats and of course, members of Parliament (most of who now use webmail and social network from the likes of Google and Facebook).

The only countries that were spied upon more than us were Iran, Pakistan, Jordan and Egypt. Some sobering company, that!

One would thus expect Deora to be seized of the urgency and concern behind Javadekar’s questions. His answer was:

(a) & (b) In June 2013, Media reports have disclosed that India is the fifth largest target of United States electronic surveillance programmes, in terms of interception of communications on fibre cables and other infrastructure. As per media reports, United States agencies used a number of methods to gather intelligence including intercepting communication on fibre cables and infrastructure, collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL,Youtube, Paltalk and Skype.

Here we have a member of Parliament asks India’s Minister for Communications & IT about the extent to which Indian citizens and businesses are being spied upon by the US – ostensibly a friendly country – and all the Minister could do was cite newspaper reports?

What about your own investigations Mr.Minister? What is the opinion of your leading spy agencies like the NTRO, R&AW and IB? Are they also relying on newspaper reports?

But wait, Deora does go on to provide a few more answers:

(c) & (d) Government has expressed concerns over reported United States monitoring of internet traffic from India. Concerns with regard to violation of any Indian laws relating to privacy of information of ordinary Indian citizen as well as intrusive data capture deployed against Indian citizens or government infrastructure have been conveyed to the United States. The issue of United States Cyber surveillance activities was discussed during the Indo-US (India United States ) strategic dialogue meeting held in New Delhi on 24.06.2013.

Whew. That was reassuring. We expressed “concerns with regard to violation of any Indian laws relating to privacy of information” to the US during a “strategic dialogue meeting”.

Let me guess what the US side responded: “Sure. We’ll do that. Come back to us when you have a privacy law. Ha ha!”

As Sunil Abraham, the director for the Center for Internet & Society points out in Forbes India, India has no modern and comprehensive privacy law. And the government is working on a new one for only the last three years:

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

Which brings me to the final part of Deora’s response to Javadekar:

United States official responded that PRISM dealt only with Meta Data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored. United States Officials maintained that data content/content of emails are not accessed or not monitored under these surveillance programmes; therefore, it is not a violation of privacy. It was stated by United States that its agencies need to get separate authorization from Foreign Intelligence Surveillance Act (FISA) court, if they want to access the content of any of the data intercepted by these surveillance programmes.

Dear Mr.Minister, either you have been lied to by your friendly “United States Official”, or, well…

Firstly, by limiting the answer to only PRISM, which happens to be just one of the NSA’s secret tools for online surveillance, you are willfully or inadvertently narrowing down Javadekar’s question which specifically mentions other tools like Boundless Informant.

Almost all of the big Internet companies revealed to be part of the NSA’s global spying mechanism have also used the same tactic to tailor their denials. I suppose they got the cue from the NSA, which loves using the “Under This Program” dodge to derail specific questions about its secret programs, according to the Electronic Frontier Foundation:

Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.

In case you weren’t aware of the NSA’s obfuscation tactics Mr.Minister, here is another great piece on it from the Slate – “How to Decode the True Meaning of What NSA Officials Say”

Thus when your friendly US official tells you that “only meta data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored” under PRISM, not “data content/content of emails”, he or she is technically right.

Because the NSA has other programs that capture all of that. For instance, XKeyscore, which according to leaked presentations, it can capture “nearly everything a typical user does on the internet”. This includes emails, visits to websites, web searches and Facebook chats & private messages.

Did you also know, Mr. Minister, that the XKeyscore surveillance program has servers located inside India?

Finally, you make a statement that is patently false. You say that US spy agencies need authorizations from the secret Foreign Intelligence Surveillance Courts (FISC) in order to access the data collected by various surveillance programs.

FISA courts almost always approve any request made to them (they apparently rejected just 11 requests out of 33,900 made by the US government in the last 33 years), so that’s that for oversight.

And in the NSA’s Orwellian world of doublespeak, large scale interception and storage of Internet communications isn’t considered “collected” till such time one of their agents has had a chance to look at it. Which means if you’re reading this post – the NSA’s secret servers over the world and in India can coolly capture that and store it in vast databases for posterity – without it ever registering as a “collection” or requiring any approval from FISA courts.

Fact is, Mr.Minister, we “foreigners” (unless you belong to one of the four other countries that are part of the “Five Eyes” alliance, in which case you’ll be treated with a wee bit more caution) , that is, us, are fair game:

The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.

The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.

We expected better answers from you Mr.Minister – sorry, expect better.

Alas your recent answers don’t inspire much trust, for instance when you tell us constant surveillance is “good for us” and “will enhance the privacy of citizens”.

Or when you tell us that “Google Hangouts” – a service provided by a company that looms over nearly everything Indians do online – is a better medium to reach out to people than Parliament or Television.

We deserve the truth from you Mr.Minister. Just like Prakash Javadekar.

For more details visit http://editors.cis-india.org/news/forbesindia-august-22-2013-rohin-dharmakumar-dear-milind-deora-prakash-javadekar-deserved-the-truth

Deadline For Linking Bank Accounts With Aadhaar To Be Extended To 31 March

Admin — 2017-12-16T13:24:59Z

The government does away with the existing deadline of 31 December for linking of bank accounts with Aadhaar and PAN

The article by Komal Gupta and Ramya Nair was published in Livemint on December 14, 2017

The government on Wednesday extended the deadline for linking of bank accounts with Aadhaar to 31 March, in line with its submission to the Supreme Court.

The earlier deadline was 31 December.

Bank account holders will have to furnish their 12-digit unique biometric identity number and Permanent account number or PAN by 31 March or within six months of opening the account, whichever is earlier, said a statement from the finance ministry.

This will provide temporary relief to crores of bank account holders who had not linked their bank accounts with the 12-digit unique identity number.

Last week, the income tax department had extended the deadline for linking of Aadhaar with the permanent account number to 31 March from 31 December.

The move comes a day before a Constitution bench of the Supreme Court starts hearing the issue of stay against mandatory linking of Aadhaar with bank accounts and mobile phone numbers.

The statement added that the bank account will cease to be operational in case of failure to furnish Aadhaar and PAN as on 31 March or at the end of six months. The account will become operational again only after the furnishing of documents.

“This is just a gesture from the government, seeking to avoid the court granting an interim stay against the mandatory linkage of Aadhaar with bank accounts. This apparent extension won’t truly help ordinary people, who will continue being harassed through constant messages urging them to provide their Aadhaar number to continue receiving entitlements, services, and for access to one’s own money,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

For more details visit http://editors.cis-india.org/internet-governance/news/deadline-for-linking-bank-accounts-with-aadhaar-to-be-extended-to-31-march

Data Usage by Political Parties

Admin — 2018-05-03T03:14:02Z

Sunil Abraham spoke to ANI regarding collection of data and its use by political parties for electoral gains.

In law, if bio metrics, passwords & health info are collected, only then consent is needed. The more a political party has in its database, the more they can micro-target you. It'll be an influence: Sunil Abraham,cyber expert on date usage by political parties #KarnatakaElections pic.twitter.com/eUk478jJbB
— ANI (@ANI) 1 May 2018

See the original here

For more details visit http://editors.cis-india.org/internet-governance/news/ani-may-2-2018-data-usage-by-political-parties

Data Retention in India

elonnai — 2013-07-12T15:51:13Z

As part of its privacy research, the Centre for Internet and Society has been researching upon data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regards to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Debate around Data Retention

According to the EU, data retention “refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”.[1]

The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found by who accesses the data and how it is used. Others argue that any blanket or a priori data retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard is access being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention and lower access standards to metadata is controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.[2] Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.

Data Retention vs. Data Preservation

Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and upto two years. The stored data can be accessed by authorized officials for law enforcement purposes.[3] Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.[4] Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.[5] Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference being that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.[6]

Data Retention in India

In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.

ISP License

According to the ISP License,[7] there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.

According to the ISP License, each ISP must maintain:

Users and Services: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).

Outward Logins or Telnet: A log of every outward login or telnet through an ISPs computer must be available in real time to the Telecom Authority. (Section 34.12).

Packets: Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).

Subscribers: A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).
Internet Leased Line Customers: A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).

Diagram Records and Reasons: A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).
Commercial Records: All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).
Location: The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x).

Remote Activities: A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv).

UASL License

According to the UASL License[8], there are twelve categories of records that ISP’s are required to retain that pertain to costumer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept.

According to the license, service providers must maintain and make available:

Numbers: Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).
Interception records: Time, date and duration of interception when required (Section 41.10).
Location: Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).
All call records: All call data records handled by the system when required (Section 41.10). This includes:
1. Failed call records: Call data records of failed call attempts when required. (Section 41.10).
2. Roaming subscriber records: Call data records of roaming subscribers when required. (Section 41.10)
Commercial records: All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).
Outgoing call records: A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).
Calling line Identification: A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).
Location: The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).
Remote access activities: Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section 41.20 (xv)).

RTI Request to BSNL and MTNL

On September 10, 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to the respective data retention practices:

Does MTNL/BSNL store the following information/data:

Text message detail (To and from cell numbers, timestamps)
Text message content (The text and/or data content of the SMS or MMS)
Call detail records (Inbound and outbound phone numbers, call duration)
Bill copies for postpaid and recharge/top-up billing details for prepaid
Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)

If it does store data then

For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?
What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?
What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?
What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?

BSNL Response

BSNL replied by stating that it stores at least three types of information including:

IP session information - connection start end time, bytes in and out (three years offline)
MAC address of the modem/router/device (three years offline)
Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).

MTNL Response

MTNL replied by stating that it stores at least () types of information including:

Text message details (to and from cell number, timestamps) in the form of CDRs (one year)
Call detail records including inbound and outbound phone numbers and call duration (one year)
Bill copies from postpaid (one year)
Recharge details for prepaid (three months)
Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)

It is interesting that BSNL stores information that is beyond the required time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This could or could not be the actual case, as each question could have been interpreted differently by the responding officer.

Conclusion

The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:

What constitutes a ‘commercial record’ which must be stored for one year by service providers?
How much data is retained by service providers on an annual basis?
What is the cost involved in retaining data? For the service provider? For the public?
How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?
How many criminal and civil cases rely on retained data?
What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?

Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation.

Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection,

A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level. If Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy as it is not possible for law enforcement to track individuals based off of their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:

Any request for preservation and access to records must be legitimate and proportional
Accessed and preserved records must be used only for the purpose indicated

Accessed and preserved records can only be shared with authorized authorities

Any access to preserved records that do not pertain to an investigation must be deleted

These factors must be enforced through the application of penalties for abuse of the system. These factors can also be applied to not only a data preservation regime, but also a data retention regime and are focused on preventing the actual abuse of data after retained. That said, before an argument for either data retention or data preservation can be made for India it is important to understand more about data retention practices in India and use of retained data by Indian law enforcement and access controls in place.

[1]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31st 2012. Available at: http://bit.ly/14qXW6o. Last accessed: January 21st 2013
[2].Draft International Principles on Communications Surveillance and Human Rights: http://bit.ly/UpGA3D
[3]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31^st 2012. Available at: http://bit.ly/14qXW6o . Last accessed: January 21^st 2013.
[4]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31^st 2012. Available at: http://bit.ly/14qXW6o. Last accessed: January 21^st 2013.
[5]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: http://bit.ly/WOfzaX. Last Accessed: January 21^st 2013.
[6]. Kristina, R. The European Union's Data Retention Directive and the United State's Data Preservation Laws: Fining the Better Model. 5 Shilder J.L. Com. & Tech. 13 (2009) available at: http://bit.ly/VoQxQ9. Last accessed: January 21^st 2013
[7]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.
[8]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3^rd 2009.

For more details visit http://editors.cis-india.org/internet-governance/blog/data-retention-in-india

Data Protection: We can innovate, leapfrog

sunil — 2018-01-22T01:45:46Z

About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent.

The article was published in the Deccan Herald on January 20, 2018.

Even if we can read them, we may not have the necessary legal training to understand them. According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that details the third-party advertising companies that they share data with. These third-parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; 14 Mobile Analytics companies. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire 'Lord of the Rings trilogy'." The child aged four and above that plays the game and her parents need an intermediary to deal with the corporations hiding behind Tetris.

Unlike the European Union, which has more than 37 years of history when it comes to data protection law, India is starting with a near blank slate after the Supreme Court confirmed that privacy is a constitutionally-guaranteed fundamental right in the Puttaswamy case judgement. While we would want to maintain adequacy and compatibility with the EU General Data Protection Regulation (GDPR) because it has become the global standard, we must realise that there is an opportunity for leapfrogging. This article attempts to introduce the reader to three different visions for intermediaries that have emerged within the Indian data protection debate around the accountability principle. I will also provide a brief sketch of an idea that we are developing at the Centre for Internet and Society. This is an incomplete list as there must be more proposals for regulatory innovation around the accountability principle that I am currently unaware of.

n Account Aggregators: The 'India Stack' ecosystem that has been built around the Aadhaar programme first proposed intermediaries called Account Aggregators. Account Aggregators manage consent artifacts. India Stack has traditionally been described as having four layers -- presenceless, paperless, cashless and consent. The consent layer is supposed to feature Account Aggregators. If, for example, a data subject wanting an insurance policy visits an insurance portal, the portal would collect personal information and a consent artifact from her and pass it on to multiple insurance companies. These insurance companies would send personalised bids to the portal, which would be displayed on a comparative grid to enable empowered selection.

The data structure consent artifact has been provided in the Master Direction from RBI titled "Non-Banking Financial Company Account Aggregator Directions," published in September 2016. How does this work? The fields includes (i) identity and optional contact information; (ii) nature of the financial information requested; (iii) purpose; (iv) the identity of the recipients, if any; (v) URL/address for notifications when the consent artifact is used; (vi) consent artifact creation date, expiry date, identity and signature/digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI. While Account Aggregators make it frictionless for the grant of consent and also for the harvesting of consent by data controllers, it does not make it easy for you to manage and revoke your consent.

n Data Trusts: Most recently, Na.Vijayashankar, a Bengaluru-based cybersecurity and cyberlaw expert, has proposed intermediaries called 'Data Trusts' registered with the regulator and who (i) will work as escrow agents for the personal data (which would be classified by type for different degrees of protection); (ii) will make privacy notices accessible by translating them into accessible language and formats; (iii) disclose data minimally to different data controllers based on the purpose limitation; (iv) issue tokens or pseudonymous identifiers and monetise the data for the benefit of the data subject. To ensure that Data Trusts truly protect the interests of the data subject, Vijayashankar proposes three requirements: (a) public performance reviews (b) audits by the regulator and (c) "an arms-length relationship with the data collectors." In his proposal, Data Trusts are firms with "the ability to process a real-time request from the data subject to supply appropriate data to the data collector."

n Learned Intermediaries: The Takshashila Institution published a paper titled Beyond Consent: A New Paradigm for Data Protection, authored by Rahul Matthan, partner at the law firm Trilegal. Learned Intermediaries would perform mandatory audits on all data controllers above a particular threshold. Like Vijayashankar, Matthan also requires these intermediaries to be certified by an appropriate authority. The main harm that he focuses on is, bias or discrimination. He proposes three stages of audit which are designed for the age of Big Data and Artificial Intelligence: "(i) Database Query Review; (ii) Black Box Audits; and (iii) Algorithm Review". Matthan also tentatively considers a rating system. Learned Intermediaries are a means to address information asymmetry in the market by making data subjects more aware. The impact of churn on their bottom-lines, it is hoped, will force data controllers to behave in an accountable manner, protecting rights and mitigating harms.

n Consent Brokers: Finally, I have proposed the model of a 'Consent Broker' by modifying the concept of the Account Aggregator. Like the Account Aggregator proposal, we would want a competitive set of consent brokers who will manage consent artifacts for data subjects. However, I believe there should be a 1:1 relationship between data subjects and consent brokers so that the latter compete for the business of data subjects. Like Vijayashankar, I believe that the consent broker must have an "arms-length distance" from data controllers and must be prohibited from making any money from them. Consent brokers could also be trusted to take proactive actions for the data subjects, such as access and correction.

The need of the hour is the production of regulatory innovations and robust discussions around them for all the nine privacy principles in the Justice AP Shah committee report -- notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability.

For more details visit http://editors.cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog

Data Protection: Understanding the General Data Protection Regulation

Aditi Chaturvedi — 2017-07-04T16:12:56Z

As recently as May 27, 2016, the General Data Protection Regulation (REGULATION (EU) 2016/679) (hereinafter referred to as GDPR) was adopted. The Data Protection Directive (1995/46/EC) (hereinafter referred to as DPD) will be replaced by this Regulation.

It will come into force on 25th May 2018 and it is expected that under this Regulation data privacy will be strengthened. Substantive and procedural changes have been introduced and for compliance, industries and law enforcement agencies will have to adjust the ways in which they have operated thus far. Click here to read the report

For more details visit http://editors.cis-india.org/internet-governance/blog/data-protection-understanding-the-general-data-protection-regulation

Data protection experts slam state for sending mass SMSes

praskrishna — 2012-03-27T03:46:00Z

Experts in the field of data protection, privacy law and media have criticised the West Bengal government's mass SMS sent to individuals, companies and media houses through private mobile networks last Friday. Lara Choksey reports this in an article published in the Statesman on March 25, 2012.

The government's use of private data in order to spread political messages is ethically dubious and dangerous, say some. The SMS indirectly refers to The Telegraph's publication of the Poonam Pandey tweet, warning against the transmission of “provocative and indecent photographs for hurting the religious sentiments of people and disrupting communal harmony.” It urges recipients to “frustrate the designs of … unscrupulous people and maintain peace and communal harmony,” and is signed by “Mamata Banerjee, Chief Minister”.

Speaking to The Statesman on Saturday, Mumbai-based media lecturer Ms Geeta Seshu identified two issues with the government sending out political messages through mobile phone networks.

Firstly, from an ethical standpoint, the unchecked freedom of mobile phone companies to hand out private data is “completely wrong”, she said.

Secondly, the use of government funds for such dissemination needs to be transparent. If the state government has used public funds to distribute its message through a mobile phone network, then this information should be readily available, said Ms Seshu.

The Telecom Regulation Authority of India's (Trai) unsolicited commercial communications regulations allow unsolicited advertising through mobile phone networks.

Mr Apar Gupta, partner of Delhi-based law firm Advani and Co., explained, “The regulations are not wide enough to prohibit communications from a political party.” He observed, “Using SMS messages is a very efficient propaganda tool because so many people have access to mobile phones.”

Mobile phone networks such as Vodafone make it clear in their privacy policies that the personal data of its customers “may be used for inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party” (source Vodafone website).

Any third party ~ governmental or corporate ~ can therefore access the company's directory of private mobile numbers at the discretion of the network in question.

It is not yet clear which government department coordinated the SMS, or what funds were used to cover the costs. Representatives from the ministry of information and cultural affairs were not able to shed a light on the matter. “I know that a message was sent out,” said the I & CA director Umapada Chatterjee, "But it was not sent from this department. I do not know that information.”

Some commentators did not condemn the government's SMS. Delhi High Court lawyer and cyber law expert, Mr Praveen Dalal, criticised the publication of the Poonam Pandey tweet on the grounds of it violating the due diligence guidelines of the Cyber Law of India. He commented, “If casual and careless publications … continue, there would be no other option left for the government but to regulate their affairs in a more intrusive manner.”

However, executive director of the Centre for Internet and Society, Mr Sunil Abraham, called the state government's use of unsolicited SMS a “clear abuse of the powers afforded by elected office.” Mr Abraham explained that elected representatives would be justified in such measures, and in utilising public funds, in the event of a disaster, or when public order, public health or national security are compromised.

“However in this case, the government is abusing the provisions of the law and using this incident as a pretext to threaten media professionals with surveillance and to intimidate for the purposes of reigning in free speech,” he told The Statesman. The chief minister was unavailable to make a comment on the matter.

Read the original published in the Statesman

For more details visit http://editors.cis-india.org/news/data-protection-experts-slam-state-for-sending-mass-smses

Data Protection and Privacy in India: The (Fundamental) Right Way

Admin — 2017-11-27T14:01:02Z

Amber Sinha attended a roundtable conference on data protection and privacy on October 30, 2017 at India Habitat Centre in New Delhi. The close-door event was organised by the Indian Council for Research on International Economic Relations.

Participants at the conference discussed:

Role of consent in data protection, how it should be configured in India
Conflicts between the data minimization principle and big data
Governance approaches to data protection
Propertarian view of data
Need for capacity building in India and institutions who should be involved in the data protection regime, and
Cross border data flows and data localisation

For more details visit http://editors.cis-india.org/internet-governance/news/data-protection-and-privacy-in-india-the-fundamental-right-way

Data Privacy: Footprints on the Web

Admin — 2018-06-25T16:48:34Z

Technology has made data protection a hot button issue. Now, a group of eminent citizens, mostly lawyers, have formulated a draft privacy bill, a legal framework that protects the individual’s right to privacy, but it faces legal jurisdiction issues

The blog post by Sujit Bhar was published in IndiaLegal on June 21, 2018.

Lack of data privacy is a modern day peril. Quite like the individual’s right to privacy—one that has been raised to the level of a Fundamental Right by the Supreme Court—data privacy today is prime, because technology has made our lives fully dependant on associated data. Hence, by extension of the same logic and arguments that the top court used for personal privacy, data privacy should be protected.

The methodology to be adopted, though, is not as easy to determine given the lack of legislation in the field, the improbability of existing technology to ensure complete privacy and because of legal jurisdiction issues.

Also, to what extent data privacy can and should be allowed is a legal argument that needs to be supported by other fields of knowledge. The Supreme Court decision to award privacy as a Fundamental Right will act as a plinth in determining this.

To that end a group of eminent citizens, mostly lawyers, came together and formulated a draft privacy bill with the objective of slicing through banal arguments that would ensue if this was to wait for public re-reference/debate.

The proponents—Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman M Aggarwal, Praavita Kashyap, Prasanna S, Raman Jit Singh Chima, Ujwala Uppaluri and Vrinda Bhandari—have tried to develop their own privacy bill, based on the foundation of the Privacy (Protection) Bill, 2013, “which was drafted over a series of roundtables and inputs conducted by the Centre for Internet and Society, Bangalore”.

In doing so the group started from what it calls “seven privacy principles”, derived from various constitutional and expert texts.

Principle 1: Individual rights are at the centre of privacy and data protection.

This says that “the individual and her rights are primary. The law on privacy must empower you by advancing your right to privacy…”including “your right to autonomy and dignity.

Principle 2: A data protection law must be based on privacy principles.

Here reference is made to the report of the Justice AP Shah Committee of Experts. It’s a method that has been left flexible, to accommodate fast developing technology. There is a reference to Moore’s Law in this. Moore’s Law has remained one of the most overwhelmingly true laws of the IT industry. Originating in 1970, it says that processor speeds, or overall processing power for computers “will double every two years”. While that has remained true till now, with the development of multiple core processors, this law too has seemingly run its course. With the world changing at such a fast pace, if the data privacy bill/law does not remain flexible, it would also be quickly consigned to a museum of laws. Hence this flexible approach will be crucial.

Principle 3: A strong privacy commission must be created to enforce the privacy principles.

This is the part of establishing an oversight authority, “a strong body to ensure that the data protection rights are put into practice and enforced”. This structure has been treated for something “that works in principle and in practice.”

There is one part that says that this proposed “Privacy Commission”, has been “provided wide powers of investigation, adjudication, rule-making and enforcement. The Commission should adopt an approach that builds accountability for the rights of users by having powers to impose penalties that are proportionate to the harm and build deterrence.” This, obviously, means that it will be stepping onto the toes of other laws and that would be a rough road to navigate. However, as the group’s own philosophy says that the problem with technology oriented legislation is that it takes catching up with the progress of technology. To overcome this, the group wants to “make sure that the Privacy Code is not outdated” and hence wants to make sure that the “Privacy Commission can exercise rule making powers to give effect to the data protection principles under the regulation”.

The other part of the philosophy is of acknowledging and addressing public complaints. Hence the legal rigidity of regular acts would be dismissed. How this can work with enforcement agencies, though, will remain a matter of debate. The draft bill says that the “Privacy Commission must serve as the forum for the redressal of the general public’s grievances”, and that “Privacy Commissions should have the ability to investigate (independently through the office of a Director General), hold hearings and pass orders with directions and fines”.

That could be legal nightmare, because unlike a simple code, the bill has to pass through parliament to become an act, and legislators are the ones who have final say in remodelling an existing law. How much power they would agree to delegate is anybody’s guess.

Of course, the draft also calls for the courts to welcome public opinion. There seems to be a slight hitch in the wording, which says that “…while the Privacy Commission serves as the forum for redressal, the public should retain the remedies of approaching the civil courts (even in instances where harm is suffered by a group of people) and of filing police complaints directly”. That questions even the oversight authority of the commission. There is another objective—a hope, one would say—that the Privacy Commission must have jurisdiction over the government, as it does over the private sector. The Privacy Commission should have overriding power and superintendence over all legal entities in matter of data protection and privacy”. While this sounds good on paper, the issue of national security can override all. At this point, according to a cyber security expert, there is talk within the Indian government on how to deal with the social media messaging app WhatsApp. Technically, as the company points out, messaging through an app is encrypted (military grade encryption, it is said) end-to-end. Hence terrorist groups have zeroed in on this as a common idea exchange platform. There could possibly be restrictive legislation on this. That could strike at the heart of data privacy.

The government’s reaction, though, could become counter-productive. This could be visible in what the Justice Srikrishna-led Committee of Experts possibly could recommend.

Principle 4: The government should respect user privacy. Technically, if this bill, in its current form, has to go through parliament, members of both houses should be willing to accept that it will have no snooping powers, ever. The way the government fought tooth and nail against personal privacy in court—and the Aadhaar verdict is still awaited—this proposal seems unlikely to have an easy passage. The draft says: “It is imperative that the government, its arms, bodies and programmes be compliant with the privacy protection principles through a data protection law.”

There is a caveat within this, saying: “We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights.” The proposal also says: “The government is responsible for the delivery of many essential services to the public of India. These services must not be withheld from an individual, due to such individual not sharing data with the government. Withholding services on the pretext of requirement of collection of data effectively amounts to extortion of consent. Individuals cannot be forced to trade away their data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare.” This will have to wait its validation or dismissal through the Aadhaar verdict.

Principle 5: A complete privacy code comes with surveillance reform

This is another tricky issue for any government. It talks about how the Snowden revelations “brought to public knowledge that our personal data is collected in an indiscriminate manner by governments”. The draft calls this collection procedure “dragnet surveillance”, because it “contravenes the principles of necessity, proportionality and purpose limitation”. Necessity and proportionality have been argued in detail during the Aadhaar debate in court and till that verdict is out, it would, possibly, not be right to delve into this, though a recommendation for procedural safeguards might run into the same wall as in the case of encrypted software in social media apps. The draft accepts the possibility of “individual interception and surveillance”, but says “this should be severely limited in substance and practice through procedural safeguards”.

Principle 6: The right to information needs to be strengthened and protected

This basically refers to the Right to Information Act and seems completely justified, with Information Commissioners being “exempted from interference or control by the Privacy Commissioner”.

Principle 7: International protections and harmonisation to protect the open internet must be incorporated

Another contentious issue, being fuelled by the loss of face by Facebook in its effort to introduce graded access (with paywalls).

The group widens its scope in stating that “we need to be guided by the Supreme Court’s Right to Privacy decision and make reference to the European Union’s General Data Protection Regulation”. More interestingly, the group admits that every law will have certain exceptions. It says: “…but without clear wording sometimes exceptions swallow up the rule. We adopted a three part test in our drafting process in which any exceptions to these privacy principles should be: (a) worded clearly; (b) limited in purpose, necessary and proportionate to the aim; and (c) accompanied by sufficient procedural safeguards”.

On the face of it, the overall draft represents a novel and upright way of thinking, and if some of this is accepted while the government mulls the Justice Srikrishna Committee’s recommendations (expected late this month), it would be a good beginning.

For more details visit http://editors.cis-india.org/internet-governance/news/india-legal-live-june-21-2018-data-privacy

Data Privacy Forum

Admin — 2018-03-01T01:31:56Z

Amber Sinha took part in the Data Privacy Forum organized by the Asian Business Law Institute on February 7, 2018. The forum was held at the Supreme Court of Singapore.

The forum was organised to discuss the findings of a compendium of country reports on cross border data flow regulations in countries from Asia and Australia, and the way forward. The forum had attendance from 18 countries and had about 90 participants. Elonnai Hickok and Amber Sinha were the reporters for India. Amber was a speaker on the first panel on “Adoption and reform of data protection laws in Asia: how legal systems adapt to global developments and regulatory competition”.

Click to read more

For more details visit http://editors.cis-india.org/internet-governance/news/data-privacy-forum

Data Privacy Day 2016

praskrishna — 2016-01-29T15:34:18Z

The Bangalore chapter of Data Privacy Day was organized by Data Security Council of India on January 28, 2016 at Electronic City in Bangalore. Sunil Abraham was a panelist.

Agenda

For more details visit http://editors.cis-india.org/internet-governance/news/data-privacy-day-2016

Data Privacy Day 2014

praskrishna — 2014-02-04T05:34:59Z

January 28 is annually celebrated as Data Privacy Day (DPD). Data Security Council of India (DSCI) organized the annual meeting J N Tata Hall, Bldg 1, Infosys Campus, Infosys Ltd., Electronics City, Bangalore. Elonnai Hickok was a panelist.

Programme Details

2:30 - 3:00 p.m.: Keynote address by Srinath Batni, Member of the Board, Infosys
3:00 - 4:30 p.m.: Panel Discussion on "Privacy today and tomorrow in Indian and Global Context"

Panelists:

M D Sharath, Deputy Superintendent of Police, Cyber Crimes Division, CID Headquarters, Karnataka Police
Srinivas Poosarla, Associate Vice President and Head (Global), Privacy & Data Protection, Infosys Ltd
Joshi Joseph, Senior Information Risk Manager, ING Vyasa Bank
Na.Vijayashankar (Naavi), Information Assurance Consultant
Elonnai Hickok, Policy & Advocacy Associate, Centre for Internet & Society (CIS)

IT Product / Internet services company

Panel will be moderated by Rahul Jain, Principal Consultant, DSCI

4:30- 5:00 p.m.: Presentation on Privacy by Rahul Jain, Principal Consultant, DSCI
5:00- 5:30 p.m.: High Tea

For more info on the event see here.

For more details visit http://editors.cis-india.org/news/data-privacy-day-2014