Centre for Internet and Society

Crypto Night

praskrishna — 2013-08-06T06:04:05Z

Challenging government snooping at an all-night cryptography party.

This article by Rahul M was published in the Caravan on August 1, 2013. Pranesh Prakash and Bernadette Langle are quoted.

Satyakam Goswami sat in a conference hall in the Institute of Informatics & Communication in Delhi University's South Campus, furiously typing code into his laptop. He typed the string “/var/log/tor#”, into a Linux terminal, then turned to me and said, “I am one step away, man.” It was around midnight on a muggy July Saturday, and Goswami had been here for six hours. He resumed typing—and cursing under his breath in Telugu as he realised that the online instructions he was following weren’t helping.

Around him, the room bustled with the activity of around 25 other people, all participants at a Cryptoparty, a cryptography event at which programmers and non-programmers meet to share information and expertise on tools that can help thwart government spying.

Goswami was one of the organisers of the event, which was led by Bernadette Längle, a German ‘hacktivist’ who is a member of the Chaos Computer Club (CCC), Europe’s largest association of hackers. Längle was one of the organisers of the CCC’s Chaos Communication Congress in 2012, an international hackers’ meet held in Hamburg that year. While processing participant applications for the Congress, she came across a group that wanted to organise what they called a “Cryptoparty” at the meet. “I thought Cryptoparty would be a bunch of guys coming together, learning crypto and having a party,” she told me. Only at the event did she realise that Cryptoparties are rather more political affairs, at which participants experiment with ways of combating governmental intrusions into privacy and freedom.

After she graduated, Längle decided she wanted to travel. “I hadn’t been to America or Asia, and I don’t think I want to enter America,” she said. “I thought India might be a good point to start.” While she was exploring her options, she met Goswami online. “I first met Bernadette on an IRC channel, ‘hasgeek’, where she expressed her interest to come to India,” Goswami said. “I suggested that she write a proposal to CIS [the Centre for Internet and Society, in Bangalore].” Längle applied, and was accepted to work with the organisation for six months.

When Längle was teaching a one-week course on email cryptography at a CIS event, a participant suggested to her that she organise a Cryptoparty in the city. “I thought I was travelling anyway, and I can make a Cryptoparty everywhere I go,” Längle said. This led to the Bangalore Cryptoparty on 30 June, followed by the Delhi edition on 6 July. Längle then held a Cryptoparty in Dharamsala in the second week of July, and plans to hold another in Mumbai in October. At each of these, she gave tutorials on specific aspects of cryptography, such as the Pretty Good Privacy (PGP) encryption and decryption program, which Edward Snowden used to communicate with The Guardian’s Glenn Greenwald during their now-famous collaboration. Participants would then experiment with these tools, sending emails and messages to each other using secure channels. The Delhi edition, which saw around 70 participants, continued late into the night, with the last exhausted stragglers shutting off their gadgets and heading home at 4 am.

I met Längle again the day after the Delhi event; with her was Pranesh Prakash, policy director at CIS, who is a commentator on issues related to surveillance and privacy. Both agreed that the Indian government’s Central Monitoring System programme, as well as Edward Snowden’s recent leaks, had resulted in a greater interest in cryptography in the country in recent months. “Without the PRISM stuff, there wouldn’t have been so many people attending,” Längle said. “People are concerned about that.” Prakash believes that the NSA leaks have served as a loud wake-up call about a longstanding state of affairs. “It’s this I-told-you-so moment for lots of people right now,” he said. “This isn’t the first time there have been revelations about the NSA spying beyond their authority. These revelations have been happening at least since 2006.”

For more details visit http://editors.cis-india.org/news/caravan-magazine-august-1-2013-rahul-m-crypto-night

Crowdsourcing Incidents of Communication Privacy Violation in India

sumandro — 2015-10-16T10:49:17Z

In the context of several ongoing threads of debates and policy discussions, we are initiating this effort to crowdsource incidents of violation of digital/online/telephonic privacy of persons and organisations in India. The full list of submitted incidents is publicly shared, under Creative Commons Attributions-ShareAlike 4.0 International license. Please contribute and share with your friends and colleagues.

Report an incident: http://goo.gl/forms/8Xcf0zcWZW

Collected incidents: http://bit.ly/privacy-violation-india (CC BY-SA 4.0)

You are welcome to cross-post this to your website or other online forum. Please provide attribution, and link back to this page. For any clarification, write to Sumandro Chattapadhyay, Research Director, CIS, at sumandro[at]cis-india[dot]org.

For more details visit http://editors.cis-india.org/internet-governance/crowdsourcing-incidents-of-communication-privacy-violation-in-india

Crowdsourced innovation for government projects and services is easier said than done

praskrishna — 2017-02-07T15:36:38Z

Late January. The buzz was palpable at the MLR Convention Centre in South Bengaluru. Developers were streaming into 50p, a conference organised by HasGeek, which has curated technology forums since 2011. But this wasn't just one of the six HasGeek communions that the programmers attend annually. 50p put the spotlight on digital payments, which meant the gathering would be more diverse than anything before.

The article by Kunal Talgeri was published in the Times of India on February 3, 2017. Sunil Abraham was quoted.

Of the 250-plus attendees in two days, only 40% were developers. There were around 10 lawyers, an activist here, a social-impact investor there, product managers, and a 20-strong team from online payment systems company PayPal. There were managers from traditional banks too. "We realised early on that one thing the developer community really needs to know is how various payment-systems work, like who makes what percentage (in the value chain)?," said Zainab Bawa, cofounder of HasGeek. "It is a big mystery to them."

Kiran Jonnalagadda, co-founder of HasGeek and Bawa's husband, concurred: "A payment conference cannot primarily be centred on technology. Regulations make a bulk of the difference." So the interdisciplinary forum traversed areas as diverse as customer data and privacy, payment-systems unique to India, regulations, and the Watal Committee report apart from technology.

HasGeek got folks from the payments industry to converse with developers. At the outset, Bawa spelt out to the audience something about technology's role in society. "While we (coders) are here to bridge gaps, we also need to understand that technology is not necessarily the solution. Developers must have their ears to the ground." She had touched upon the divide between the coder community and the government.

Globally, governments are only just beginning to be exposed to the geeks. "The broader theme of digitisation and opening up of APIs (application programming interface) is happening across the world," said Sanjay Swamy, managing partner at Prime Venture Partners, and an Aadhaar volunteer with the Unique Identity Authority of India (UIDAI) until early 2011. APIs empower developers to build applications that access the features or data of an operating system or service. This requires developers to come together with, in this case, the government.

The digital dream has never showed more promise in India—the chance for a few developers to build a platform that can digitise government services for millions of users. "The government wants to use hackathons for digital disruption—leverage hackers to build solutions for them," says Subhendu Panigrahi, co-founder of Venturesity that helps companies find developers.

This is easier said than done. But how did India even get to this point?

CODE NAME: GENESIS
On 10 June 2016, the Indian Software Product Industry Round Table (iSPIRT) think-tank released a paper that took note of the country moving from "data poor to data rich."

This was a few weeks after the UIDAI platform Aadhaar crossed 1 billion enrolments. "The Aadhaar system can authenticate 100 million transactions per day in real time," iSPIRT stated. The paper also pointed to three national platforms - essentially services that would in time digitise government services on a national scale.

These were the Goods and Services Tax (GST) Network, the Bharat Bill Payment System which would cover utility services (electricity, water, gas, and so on), and the electronic toll collection system.

All three platforms come under the National Payments Corporation of India (NPCI), an umbrella organisation for retail payment systems in India. iSPIRT had helped NPCI organise a hackathon in Mumbai in February 2016 to build prototypes for harnessing the Unified Payment Interface (UPI) platform's application programming interface to digitise bank transfers in real time. Similarly, steps were being taken to open up APIs to large companies for the other NPCI platforms.

On its part, iSPIRT was drawing the attention of a breed of software developers to the national-scale opportunities ahead. It unequivocally stated: "Data flows benefit public services and governments." But even as India moves to being data rich, the outreach to developers - estimated to be more than 5 million in India - could be futile for two reasons.

First, government departments and traditional systems of, say, nationalised banks have a technology procurement culture that is at odds with how developers build digital solutions. While government is the largest technology procurer, procurement contracts typically have clauses that encourage lowest (cost) bidders, which rarely spawns innovation.

"Government needs to adopt and evangelise pro-challenger tools and policies that reduce barriers to experimentation, level-playing field and encourage innovating around national issues," wrote Swati T Satpathy for iSPIRT in a November 2015 paper titled 'Igniting Hundreds of Experiments'.

Second, independent developers still have to come out in larger numbers for the best solutions to shine. Sachin Gupta, CEO of HackerEarth, another developer platform, agrees: "Governments may still go ahead and give projects to a TCS and Wipro, but they want to crowdsource the innovation, prototype and the whole concept. They want to build an active relationship with the tech community."

These can be government bodies at the state level, too, like the Department of Urban Land Transport in Karnataka, for whom Venturesity helped with a 'transit hack' to solve traffic in Bangalore with submissions like how to enable carpooling or track public transport.

"The government is really interested in the final product or an app they can use," Panigrahi said. For this, governments are willing to distribute their APIs to eventually own the app. "Developers participate in such hackathons to make it part of their portfolios or resumes, or because they love building products, or for the prize-money."

This is crowd sourced innovation. Yet, culturally, it is hard for developers and governments' interests to be aligned.

INSIDE THE DICHOTOMY
The API-driven approach is based on a philosophy in the United States that dates back to the 1960s. It a culture of giving powerful building blocks, as opposed to just building an actual solution, said Jonnalagadda. A 'solution' evolves into a platform if it can serve as 'building blocks' for the next set of developers to build on.

"A good product is also one on top of which something more can be built. That has been the principle on which the developer community has thrived," he said. This approach works well in technology. "It means you are slow, but also that you are a lot more mature and innovative."

The government has got this aspect right, by opening up secure APIs to nationalscale projects and systems. But while they have provided such building blocks, they have already decided the path to meet goals like financial inclusion. Mobile apps like BHIM (Bharat Interface for Money) are becoming the default mode of reaching the masses. Many observers agree with the smartphone as a medium for India, but developers feel web browsers are more secure than apps.

Jonnalagadda cites a 50p session, 'Everyone can see your credit card details. Seriously,' where the speaker Arnav Gupta described the flow of the web as independent websites that can't actually communicate with each other. As against this, every function of a mobile app is a subset of the parent app. "So whatever password you type for one 'function' can be visible to the parent, which never happens on the web," Jonnalagadda said. "If security is defined by the fact that it is tested against being broken, a mobile app is trusted on the basis of goodwill. For developers, this is a shitty way to do technology. It bothers the heck out of him when a security model assumes goodwill because government wants an app."

Also, solutions need a decentralised approach from governing bodies like local municipalities. Independent budgets and decision-making can lead to stronger links between government and local service providers. There are exceptions to this, like Singapore, a city nation. But in larger developed countries like the United States, local government bodies are stronger than in India. "Here, we are getting even more centralised over time," Jonnalagadda said. It makes the government look like a monolith in the eyes of developers. How can the two be compatible? "We haven't found a solution yet."

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-february-3-2017-kunal-talegri-crowdsourced-innovation-for-government-projects-and-services-is-easier-said-than-done

Cross-Border Data Sharing and India: A study in Processes, Content and Capacity

Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu — 2018-09-29T00:37:39Z

A majority of criminal investigations in the modern era necessitate law enforcement access to electronic evidence stored extra-territorially. The conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.

The crux of the issue lies in the age old international law tenet of territorial sovereignty.Investigating crimes is a sovereign act and it cannot be exercised in the territory of another country without that country’s consent or through a permissive principle of extra-territorial jurisdiction. Certain countries have explicit statutory provisions which disallow companies incorporated in their territory from disclosing data to foreign jurisdictions. The United States of America, which houses most of the leading technological firms like Google, Apple, Microsoft, Facebook, and Whatsapp, has this requirement.

This necessitates a consent based international model for cross border data sharing as a completely ad-hoc system of requests for each investigation would be ineffective. Towards this, Mutual Legal Assistance Treaties (MLATs) are the most widely used method for cross border data sharing, with letters rogatory, emergency requests and informal requests being other methods available to most investigators. While recent gambits towards ring-fencing the data within Indian shores might alter the contours of the debate, a sustainable long-term strategy requires a coherent negotiation strategy that enables co-operation with a range of international partners.

This negotiation strategy needs to be underscored by domestic safeguards that ensure human rights guarantees in compliance with international standards, robust identification and augmentation of capacity and clear articulation of how India’s strategy lines up with the existing tenets of International law. This report studies the workings of the Mutual Legal Assistance Treaty (MLAT) between the USA and India and identifies hurdles in its existing form, culls out suggestions for improvement and explores how recent legislative developments, such as the CLOUD Act might alter the landscape.

The path forward lies in undertaking process based reforms within India with an eye on leveraging these developments to articulate a strategically beneficial when negotiating with external partners.As the nature of policing changes to a model that increasingly relies on electronic evidence, India needs to ensure that it’s technical strides made in accessing this evidence is not held back by the lack of an enabling policy environment. While the data localisation provisions introduced in the draft Personal Data Protection Bill may alter the landscape once it becomes law, this paper retains its relevance in terms of guiding the processes, content and capacity to adequately manoeuvre the present conflict of laws situation and accessing data not belonging to Indians that may be needed for criminal investigations.As a disclaimer,the report and graphics contained within it have been drafted using publicly available information and may not reflect real world practices.

Click here to download the report With research assistance from Sarath Mathew and Navya Alam and visualisation by Saumyaa Naidu

For more details visit http://editors.cis-india.org/internet-governance/blog/cross-border-data-sharing-and-india-a-study-in-processes-content-and-capacity

Cross Border Sharing of Data: Challenges and Solutions

Admin — 2017-11-20T15:20:18Z

Centre for Internet & Society (CIS) has been following the debates around MLAT process taking place globally and researching potential areas of tension in the tools that India uses to access data across borders. As part of this research, CIS is hosting a workshop on cross border sharing of data on December 8, 2017 at India Islamic Centre from 10.30 a.m. to 5.00 p.m.

For more details visit http://editors.cis-india.org/internet-governance/events/cross-border-sharing-of-data-challenges-and-solutions

Criminal Defamation and the Supreme Court’s Loss of Reputation

bhairav — 2016-06-03T03:05:14Z

The Supreme Court’s refusal, in Subramanian Swamy v. Union of India, to strike down the anachronistic colonial offence of criminal defamation is wrong. Criminalising defamation serves no legitimate public purpose; the vehicle of criminalisation – sections 499 and 500 of the Indian Penal Code, 1860 (IPC) – is unconstitutional; and the court’s reasoning is woolly at best.

The article was published in the Wire on May 14, 2016.

Politics and censorship

Two kinds of defamation actions have emerged to capture popular attention. First, political interests have adopted defamation law to settle scores and engage in performative posturing for their constituents. And, second, powerful entities such as large corporations have exploited weaknesses in defamation law to threaten, harass, and intimidate journalists and critics.

The former phenomenon is not new. Colonial India saw an explosion of litigation as traditional legal structures were swept away and native disputes successfully migrated to the colonial courts. These included politically-motivated defamation actions that had little to do with protecting reputations. In fact, defamation litigation has long become an extension of politics, in many cases a new front for political manoeuvring.

The latter type of defamation action is far more sinister. Powerful elites, both individuals and corporations, have cynically misused the law of defamation to silence criticism and chill the free press. By filing excessive and often unfounded complaints that are dispersed across the country, which threaten journalists with imprisonment, powerful elites frighten journalists into submission and vindictively hound those who refuse to back down. Such actions are called Strategic Lawsuits against Public Participation (SLAPPs) which Rajeev Dhavan warns have created a new system of censorship.

Petitions and politicians

Defamation originates from the concept of scandalum magnatum – the slander of great men – which protected the reputations of aristocrats. The crime was linked to sedition, so insulting a lord was akin to treason. In today’s neo-feudal India, political leaders are contemporary aristocrats. Investigating them can invite devastating consequences, even death. Most of the time, they retaliate through defamation law. Since the criminal justice system is most compromised at its base, where the police and magistrates directly interact with people, the misuse of criminal defamation law hurts ordinary citizens.

This is different from politicians prosecuting each other since they rarely, if ever, suffer punishment. Of all the petitions before the Supreme Court concerning the decriminalisation of defamation, the three that received the most news coverage were those of Subramanian Swamy, Rahul Gandhi, and Arvind Kejriwal. They are all politicians, their petitions were made in response to defamation complaints filed by rival politicians. On the other hand, there are numerous cases which politicians have filed against private members of civil society to silence them. When presented with these concerns, the Supreme Court simply failed to seriously engage with them.

The architecture of defamation

Defamation has many species, a convoluted history, and complex defences. Defamation can be committed by the spoken word, which is slander, or the written word, which is libel. The historical distinction between these two modes of defamation is based on the permanence of written words. Before the invention of the printing press, the law was chiefly concerned with slander. But as written ideas proliferated through mass publication technologies, libel came to be viewed as more malevolent and the law visited serious punishments on writers and publishers.

Such a distinction presumes a literate readership. In largely illiterate societies, the spoken word was more potent. This is why films and radio have long attracted censorship and state control in India. Before mass publishing forked defamation into libel and slander, there existed only the historical crime of libel. Historical libel had four species: seditious libel, blasphemous libel, obscene libel, and defamatory libel.

Seditious libel, which has been repealed in Britain, prospers in India as the offence of sedition which is criminalised by section 124A of the IPC. Blasphemous libel, repealed in Britain, fares well in India as the offence of blasphemy under section 295A of the IPC. Obscene libel, as the offence of obscenity, is criminalised by section 294 of the IPC. And defamatory libel, repealed in Britain, which is the offence of criminal defamation that the Subramanian Swamy case upheld, continues to exist under section 499 of the IPC.

Confusing harms

Of the many errors that litter the Supreme Court’s May 13, 2016 judgment in the Subramanian Swamy case, perhaps the most egregious is the failure to recognise the harm that criminal defamation poses to a healthy civil society in a free democracy. At the crux of this mistake is the Supreme Court’s failure to distinguish between private injury and social harm. Two people may, in their private capacities, litigate a civil suit to recover damages if one feels the other has injured her reputation. This private action of defamation was not in issue before the court.

On the other hand, by criminalising defamation, why should the state protect the reputations of individuals while expending public resources to do so? This goes to the concept of crime. When an action is serious enough to harm society it is criminalised. Rape strikes at the root of public safety, human dignity, equality, and peace, so it is a crime. A breach of contract only injures the party who was expecting the performance of contractual duties; it does not harm society, so it is not a crime. Similarly, a loss of reputation, which is by itself difficult to quantify, does no harm to society and so it should not be a crime.

Truth and the public good

It may be argued, and the Supreme Court hints, that at its fundament, society is premised on the need for truth; so lies should be penalised. This is where defamation law wanders into moral policing. In Indian and European philosophies, truth is consecrated as a moral good. The Supreme Court quotes from the Bhagavad Gita on the virtue of truth. But while quotes like these are undoubtedly meaningful, they have no utility in a constitutional challenge. In reality, society is composed of truth, lies, untruths, half-truths, rumour, satire, and a lot more. In fact, the more shades of opinion there are, the livelier that society is. So lies should not invite criminal liability.

If we concede the moral debate and arrive at a consensus that the law must privilege truth over lies, then truth alone should be a complete defence to defamation. If the law criminalises untruth, then it must sanctify truth. That means when tried for the crime of defamation, a journalist must be acquitted if her writing is true. But the law and the Supreme Court require more. In addition to proving the truth, the journalist must prove that her writing serves the public good. So speaking truth is illegal if it does not serve the public good.

In fact, truth has only recently been recognised as a defence to defamation, albeit not a complete defence. This belies the social foundations of criminal defamation law. The purpose of the offence is not to uphold truth, it is to protect the reputations of the powerful. But what is reputation? The Supreme Court spends 25 pages trying to answer this question with no success. Instead, the court declares that reputation is protected by the right to life guaranteed by Article 21 of the Indian Constitution but it offers no sound reasoning to support this claim. The court also fails to explain why the private civil action of defamation is insufficient to protect reputation.

The constitution and constitutionalism

There are two core constitutional questions posed by the Subramanian Swamy case. They are:

Does the crime of defamation fall within one of the nine grounds listed in Article 19(2) of the constitution; and
Are sections 499 and 500 of the IPC which criminalise and punish defamation reasonable restrictions on the right to free speech?

Article 19(2) contains nine grounds in the interests of which a law may reasonably restrict the right to free speech. Defamation is one of the nine grounds, but the provision is silent as to which type of defamation, civil or criminal, it considers. However, B.R. Ambedkar’s comments in the Constituent Assembly arguably indicate that criminal defamation was intended to be a ground to restrict free speech.

The answer to the second question lies in measuring the reasonableness of the restriction criminal defamation places on free speech. If the restriction is proportionate to the social harm caused by defamation, then it is reasonable. However, restating an earlier point, criminalising defamation serves no legitimate public purpose because society is unconcerned with the reputations of a few individuals. Even if society is concerned with private reputations, the private civil action of defamation is more than sufficient to protect private interests. Further, the danger that current criminal defamation law poses to India’s free speech environment is considerable. Dhavan says: “Defamation cases [are] a weapon by which the rich and powerful silence their critics and censor a democracy.”

The Subramanian Swamy case highlights several worrying trends in India’s constitutional jurisprudence. The judgment is delivered by one judge speaking for a bench of two. Such critically significant constitutional challenges cannot be left to the whims of two unelected and unaccountable men. Moreover, from its position as the guarantor of individual freedoms, the Supreme Court appears to be in retreat. This will have far-reaching and negative consequences for India’s citizenry. If the court fails to enhance individual freedoms, what is its constitutional role? The judiciary would do well to stay away from policy mundanities and focus on promoting India’s democratic project, lest it injure its own reputation.

For more details visit http://editors.cis-india.org/internet-governance/blog/criminal-defamation-and-the-supreme-court2019s-loss-of-reputation

CPDP 2015

praskrishna — 2014-09-30T09:52:52Z

The eighth international conference on computers, privacy and data protection will be held in Brussels from January 21 to 23, 2015. The Centre for Internet and Society is a moral supporter of CPDP.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University and has grown into a platform carried by 20 academic centers of excellence from the EU, the US and beyond. As a world-leading multidisciplinary conference CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. Within an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world in Brussels offering them an arena to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world. CPDP2014 welcomed 854 guests including 343 speakers from 43 different countries dispersed over more than 60 panels which took place during three full days. It attracted another 500 people in several public evening events including debates, a pecha kucha evening and an art exhibition. CPDP2015 aims to repeat the success of last year and will stage panels within the following main topical themes: Data Protection Reform: European and Global Developments, Mobility (mobile technologies, wearable technologies, border surveillance), EU-US developments concerning the regulation of government surveillance, Health, privacy and data protection, Love and lust in the digital age, Internet governance and privacy.

In 2015 CPDP will take place from January 21 to 23, 2015 in the Halles de Schaerbeek, Brussels, Belgium. Registrations are already open: http://www.cpdpconferences.org/Registration.html. For more details see here.

For more details visit http://editors.cis-india.org/internet-governance/news/cpdp-2015

CPDP 2014 Reforming Data Protection: The Global Perspective

praskrishna — 2013-12-11T03:39:50Z

Already in its 7th edition, the annual Computer Privacy and Data Protection conference (organised by CPDP) is being held in Brussels from January 22 to 24, 2014. Malavika Jayaram will be speaking at this event.

The Centre for Internet and Society is one of the sponsors for this event. Click here to read the full programme.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University, which has now grown significantly and incorporates a consortium of 21 conference partners.

CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. In an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world.

CPDP2014 has become truly global: it is co-organized by conference partners from Europe and the United States, and devotes panels to Latin-America and India. Moreover, CPDP is reaching out to the Asia-Pacific with speakers coming from all over the region.

The progressive growth of CPDP will culminate in an unprecedented 7^th edition. A terrific programme will include more than 60 panels held over three consecutive days. The panels will focus on key issues that cover all current debates: The data protection reform in the European Union, PRISM, big data, cybercrime, data retention, cloud computing, enforcement by Data Protection Authorities, biometrics, e-health, privacy by design, and much, much more. In addition, there will be a day event on the ethical issues of data collection on minorities, and the use of technology to advance the status of Roma.

CPDP will offer valuable contributions from the leading names in the field, including key representatives from all the major European institutions - the European Commission, the European Parliament, the European Data Protection Supervisor, and the Council of Europe.

In addition to the well-known classic Pecha Kucha side event, there will be several public debates held in the evenings – both in Dutch and English.

CDP2014 will continue to pay particular attention to high-level and innovative research from PhD Students and outstanding junior researchers by organizing sessions completely devoted to their work. CPDP2014 will also remain home to several award ceremonies, such as the award for the best Multidisciplinary Privacy Paper and the EPIC International Champion of Freedom Award.

Whether you are involved in the Conference as a sponsor, supporter, partner or participant or not, CPDP2014 welcomes you to join the event and contribute to the debate on emerging privacy and data protection issues.

For up to date information, registration and the programme, please visit http://www.cpdpconferences.org/ and follow CPDP on Facebook (cpdpconferences) and Twitter (@cpdpconferences).

If you have any questions please contact: info@cpdpconferences.org

For more details visit http://editors.cis-india.org/events/cpdp-2014-reforming-data-protection-global-perspective

CPDP (Computers, Privacy and Data Protection) 2017

praskrishna — 2017-02-03T02:02:05Z

Amber Sinha participated as a panelist in a panel on 'EU Adequacy Status for International Data Transfers' in Brussels, Belgium on January 26, 2017. The event was organized by Privacy International.

EU Adequacy Status for International Data Transfers

According to EU data protection laws, countries only have blanket freedoms to receive and process personal data from the EU if they have been awarded an adequacy status by the Commission. Given the vital importance of data transfers between countries in the global economy, having such a status is a valuable asset, as other available legal means of transfer are more limited. India, for e.g. is said to be losing in excess of Euro 30 billion per year through lost trade with the EU, as it lacks such adequacy status. In the 20+ years since the data protection Directive was passed, only 11 states have been decided to be ‘adequate’ by the Commission – which include the US with its recently awarded Privacy Shield. The Commission methodology and procedures for granting adequacy to countries is increasingly under scrutiny – for e.g. a recent study found that the way it makes adequacy decisions for its trade partners could be accused of being obscure, inconsistent and without clear criteria or rules or timeframes. This also makes EU data protection laws vulnerable to challenge under world trade rules. This panel will address the following questions:

Questions to be considered:

On what basis does the EU and the Commission make decisions on whom to grant adequacy status?

In the light of the Schrems judgement defining adequacy as ‘essentially equivalent’, should all past decision be revised?

Given that more than 100 countries now have general data protection laws, how should countries be chosen for adequacy judgements?
What criteria and methodologies should be used to ensure all countries are treated equally, to ensure fundamental rights are equally upheld, and to avoid possible challenge under WTO rules?
(New) What are your views on the EC proposal to facilitate international transfers of personal data, recently published?

Panel:

Chair: Jan Albrecht MEP

Panel:

Kristina Irion, Institute of Information Law (IVIR), University of Amsterdam:

Kristina is expert academic in both data protection and related trade issues, author of recent study ‘Trade and Privacy: complicated bedfellows’

Amber Sinha, Centre for Internet and Society (CIS), India

Amber is policy researcher specialising in privacy and big data ; CIS is an India NGO and partner organisation of Privacy International.

Daniel Cooper, Covington and Burling ;

Dan is partner at this global law firm, which advises both business and government clients round the world ; he leads the data protection practice in London

Bruno Gencarelli, European Commission DG Justice ;

Bruno is the head of the new DG Justice unit on data flows and data protection, and as such the Commission boss of adequacy

Veronica Perez-Asinari, European Data Protection Supervisor (EDPS).

Veronica is the EDPS head of unit for supervision and enforcement; she has also recently spent some months working with the Argentina DPA (Argentina has EU adequacy).

Moderator: Anna Fielder, Privacy International

For more details visit http://editors.cis-india.org/internet-governance/news/cpdp-computers-privacy-and-data-protection-2017

CoWIN Breach: What Makes India's Health Data an Easy Target for Bad Actors?

Shweta Mohandas and Pallavi Bedi — 2023-07-04T09:39:03Z

Recent health data policies have failed to even mention the CoWIN platform.

The article was originally published in the Quint on 19 June 2023.

Last week, it was reported that due to an alleged breach of the CoWIN platform, details such as Aadhaar and passport numbers of Indians were made public via a Telegram bot.

While Minister of State for Information Technology Rajeev Chandrashekar put out information acknowledging that there was some form of a data breach, there is no information on how the breach took place or when a past breach may have taken place.

This data leak is yet another example of our health records being exposed in the recent past – during the pandemic, there were reports of COVID-19 test results being leaked online. The leaked information included patients’ full names, dates of birth, testing dates, and names of centres in which the tests were held.

In December last year, five servers of the All India Institute of Medical Science (AIIMS) in Delhi were under a cyberattack, leaving sensitive personal data of around 3-4 crore patients compromised.

In such cases, the Indian Computer Emergency Response Team (CERT-In) is the agency responsible for looking into the vulnerabilities that may have led to them. However, till date, CERT-In has not made its technical findings into such attacks publicly available.

The COVID-19 Pandemic Created Opportunity

The pandemic saw a number of digitisation policies being rolled out in the health sector; the most notable one being the National Digital Health Mission (or NDHM, later re-branded as the Ayushman Bharat Digital Mission).

Mobile phone apps and web portals launched by the central and state governments during the pandemic are also examples of this health digitisation push. The rollout of the COVID-19 vaccinations also saw the deployment of the CoWIN platform.

Initially, it was mandatory for individuals to register on CoWIN to get an appointment for vaccination, and there was no option for walk-in-registration or to book an appointment. But, the Centre subsequently modified this rule and walk-in appointments and registrations on CoWIN became permissible from June 2021.

However, a study conducted by the Centre for Internet and Society (CIS) found that states such as Jharkhand and Chhattisgarh, which have low internet penetration, permitted on-site registration for vaccinations from the beginning.

The rollout of the NDHM also saw Health IDs being generated for citizens.

In several reported cases across states, this rollout happened during the COVID-19 vaccination process – without the informed consent of the concerned person.

The beneficiaries who have had their Health IDs created through the vaccination process had not been informed about the creation of such an ID or their right to opt out of the digital health ecosystem.

A Web of Health Data Policies

Even before the pandemic, India was working towards a Health ID and a health data management system.

The components of the umbrella National Digital Health Ecosystem (NDHE) are the National Digital Health Blueprint published in 2019 (NDHB) and the NDHM.

The Blueprint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs. Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.

The National Health Authority (NHA), established in 2018, has been given the responsibility of implementing the National Digital Health Mission.

2018 also saw the Digital Information Security in Healthcare Act (DISHA), which was to regulate the generation, collection, access, storage, transmission, and use of Digital Health Data ("DHD") and associated personal data.

However, since its call for public consultation, no progress has been made on this front.

In addition to documents that chalk out the functioning and the ecosystem of a digitised healthcare system, the NHA has released policy documents such as:

the Health Data Management Policy (which was revised three times; the latest version released in April 2022)
the Health Data Retention Policy (released in April 2021)
Consultation paper on the Unified Health Interface (UHI) (released in December 2022)

Along with these policies, in 2022, the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) – India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines, published in August 2022, did not even refer to the draft National Digital Health Data Management Policy (published in April 2022).

Interestingly, the recent health data policies do not mention CoWIN. Failing to cross-reference or mention preceding policies creates a lack of clarity on which documents are being used as guidelines by healthcare providers.

Can a Data Protection Bill Be the Solution?

The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”

However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).

Omitting these definitions from the Bill removes a set of data which, if collected, warrants increased responsibility and increased liability. Handling of health data, financial data, government identifiers, etc, need to come with a higher level of responsibility as they are a list of sensitive details of a person.

The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused.

While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal.

The Bill also prescribes penalties of upto Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of upto Rs 200 crore if the fiduciary fails to notify the data protection board and the data principal of such breach.

While these steps, if implemented through legislation, would make organisations processing data take their data security more seriously, the removal of sensitive personal data from the definition of the Bill, would mean that data fiduciaries processing health data will not have to take additional steps other than reasonable security safeguards.

The absence of a clear indication of security standards will affect data principals and fiduciaries.

Looking to bring more efficiency to governance systems, the Centre launched the Digital India Mission in 2015. The press release by the central government reporting the approval of the programme by the Cabinet of Ministers speaks of ‘cradle to grave’ digital identity as one of its vision areas.

The ambitious Universal Health ID and health data management policies are an example of this digitisation mission.

However breaches like this are reminders that without proper data security measures, and a system for having a person responsible for data security, the data is always vulnerable to an attack.

While the UK and Australia have also seen massive data breaches in the past, India is at the start of its health data digitisation journey and has the ability to set up strong security measures, employ experienced professionals, and establish legal resources to ensure that data breaches are minimised and swift action can be taken in case of a breach.

The first step to understand the vulnerabilities would be to present the CERT-In reports of this breach, and guide other institutions to check for the same so that they are better prepared for future breaches and attacks.

For more details visit http://editors.cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit http://editors.cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit http://editors.cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

Counter Comments on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

amber — 2017-11-23T14:29:06Z

The Centre for Internet & Society (CIS) has commented on the Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in three main parts. The first part 'Preliminary' introduces the document. The second part 'About CIS' is an overview of the organization. The third part contains the 'Counter Comments' on the Consultation Paper taking into account the submission made by other stakeholders.

Download the full submission here

For more details visit http://editors.cis-india.org/internet-governance/blog/counter-comments-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

Could better DNA testing facilities in India have saved the Talwars?

praskrishna — 2012-10-11T09:44:30Z

Over the last decade, the use of DNA tests to solve crimes has seen a significant rise in crime investigation in India. But forensic experts warn that the absence of standard practices, quality checks and regulation has resulted in irresponsible and inaccurate application of the technology.

This article by Pallavi Polanki was originally published in FirstPost on October 11, 2012. CIS press statement is mentioned.

The use of outdated technology and lack of expertise to competently collect and analyse DNA samples from the crime scene has compromised investigation and led to instances where courts have rejected DNA evidence as being unreliable or inconclusive.

Says GV Rao, DNA analyst and formerly chief staff scientist at the Hyderabad-based Centre For DNA Fingerprinting and Diagnostics (CDFD), “Today we are very much behind the rest of the World in upgradation of technology as required…Further, the backlog of cases is quite large in each of the DNA labs in India and not much is being done about it. Still we have not obtained or adopted the DNA techniques to identify difficult samples. The recent example of Bhanwari Devi case, where the CBI had to send the victim’s bones to FBI, USA for identification to get it identified. This is a sad reflection of the present status of DNA technology in India.”

Most recently, the demand for more advanced DNA tests to be conducted was unsuccessfully made by dentist couple Rajesh and Nupur Talwar, who have been charged with the murder of their teenage daughter Aarushi and domestic help Hemraj.

Perhaps, no other case has so fully exposed the pathetic state of the crime-scene investigation in India. With most of the crucial evidence either destroyed or contaminated due to shoddy police work, the prosecution’s case has come to depend entirely on circumstantial evidence, without a shred of material evidence to support it.

The police force’s lack of expertise to collect DNA evidence was flagged recently by senior scientist at the All India Institute of Medical Sciences (AIIMS) Anupama Raina at a public meeting by the Bangalore-based Centre for Internet and Society on the DNA profiling Bill, in the Capital.

Raina, speaking at the meeting, emphasized the usefulness of the technology but cautioned that the police were still perfecting the use of DNA samples for forensic purposes.

Elaborating on the inadequate training to cops on collecting DNA evidence, Rao said, “In India, there are no special crime case investigators. We have a law and order police station for each area and from bandobast duty to control crowds. It is a tall order expecting them to collect samples. In some states there are special teams which collect samples for DNA testing and then hand it over to the police….Till date none of the DNA labs have made any sample collection kits made available to police stations or other agencies.”

And what after the samples reach the DNA labs?

Painting a rather bleak picture of existing conditions under which many of the DNA labs are operating, Rao says “There is lack of standards, guidelines, accreditation, proficiency testing of the DNA labs and its experts. Each DNA lab is issuing DNA reports in its own style. Each DNA lab is again following different procedures for conducting the test. ”

“No proper records of the tests conducted are being maintained for production in a court of law for its inspection. DNA experts are not being tested for their proficiency in their expertise by a third party and presently they are getting away with such minimal expertise,” he said.

Will the new draft DNA Profiling Bill fix the problems that beset the use of DNA evidence for forensic purposes in India? And what is the context to the draft DNA profiling bill?

“India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.” (Read the full press statement by CIS here)

Raina endorsed the passing of the bill but with necessary safe-guards. The Bill has raised a degree of alarm for its sweeping proposals to collect DNA profiles and create DNA databases – a move experts believe violates the privacy of citizens.

Helen Wallace, director of GeneWatch UK (a not-for-profit group that monitors developments in genetic technologies from a public interest perspective), who participated in the public meeting on the DNA profiling bill, underlined the absence of a clear purpose for the DNA profiling system as proposed by the bill and its lack of clarity on the collection policy that wishes to profile not just those involved in criminal cases but also civil cases.

Jeremy Gruber, president and executive director of the US-based Council for Responsible Genetics, also warned against the bill’s blind faith in DNA results as the gospel truth and ignoring very real possibilities of false matches, cross-contamination and laboratory errors.

Expressing his disappointment with the draft bill, Rao said, “Unfortunately this bill does not provide for standardization, quality control and regulation except for collection of DNA samples of everybody involved in all civil and criminal cases, including suspects… We need standards, protocols, guidelines, amendments to IPC and CrPC for effective implementation of DNA testing.”

For more details visit http://editors.cis-india.org/news/first-post-pallavi-polanki-oct-11-2012-could-better-dna-testing-facilities-in-india-have-saved-the-talwars

Cos spying on competitors, staff: Study

praskrishna — 2012-06-20T08:46:38Z

Most companies are spying on their competitors and their own employees, according to a recent survey conducted by the Associated Chambers of Commerce and Industry of India (Assocham).

The Statesman published this article on June 19, 2012. Sunil Abraham is quoted in it.

The survey's results raise questions about whether employees have enough privacy in the workplace. Rubbishing the survey's findings, head of the Indian Council of Corporate Investigators, Mr Kunwar Vikram Singh, said businesses are not spying but verifying facts.

The Assocham survey said almost 1,200 of 1,500 executives surveyed admitted to hiring people to spy on their employees and monitor their lifestyles. They said they watch former employees, too, especially those who had been laid off or kicked out for fraud.

In the survey, which was done between January and May this year in Ahmedabad, Bangalore, Chennai, the Delhi-National Capital Region and Mumbai, about 900 top industry officials said they carry out corporate espionage, bug the offices of their rivals and plant moles in other companies. About a quarter of respondents said they have hired computer experts to hack networks and track e-mails of their rivals.

Many more respondents — 1,110 of those questioned — said they use social media sites to track their rival companies and employees. “Most of the companies have mentioned their sensitive details including their data, plans, clients’ details, products and other confidential and trade-related secrets on their page and unknowingly share the same in the social media circuit,” said Mr DS Rawat, national secretary-general of Assocham, “which is why it is the most favoured spying activity being carried out by the companies.”

The practice of companies pilfering trade secrets and ideas may be bad for the country's business environment, said Mr Rawat. It “might dampen the spirit of innovation in the long-run,” he said.

The Indian Council of Corporate Investigators’ Mr Singh, however, disputed Assocham's picture of rampant corporate espionage. “I totally deny that corporates are spying on their employees,” he said. “It is not spying. It is verification of facts.”

Mr Singh said that when companies look into their employees or other companies, for example, before they enter into joint ventures, they are just carrying out “due diligence”. He said they legally gather information needed for companies to survive. He also denied there were any privacy issues.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, though, said there are growing concerns about privacy in the workplace, including about intense video surveillance. “Managers started to object to this,” he said. “What they started saying was it really undermines the morale of these locations ... friends and relatives would ask, 'In spite of you being so educated, it's funny your companies don't trust you at all.'”

Companies need to develop more nuanced ways to deal with these problems — perhaps something more similar to the military's multiple levels of clearance — and different ways for people to acquire and lose trust, Mr Abraham said.

Whether or not surveillance is legal, depends on the type, Mr Abraham said. There is some private information a person will expect to remain private, and some information that is expected to be public — like Twitter feeds.

There is no law against monitoring this second type, known as “clear view surveillance”, he said, and blanket legislation could clash with freedom of expression. He said an ideal law for this should include a “proportional relation to power” clause, which would limit the legal ability of the powerful to monitor, but allow individual citizens more leeway.

For more details visit http://editors.cis-india.org/news/co-spying-on-competitors-staff