Privacy Rights And Laws In India

Privacy laws in India are virtually missing and Indian government seems to be in no rush to have suitable privacy and data protection laws in India. Even the national privacy policy of India is missing. However, recent developments pertaining to cyberspace and ICT, has forced Indian government to think about privacy issues in India.

Indian government has been launching projects without proper procedural safeguards and parliamentary scrutiny. These projects and authorities are openly violating the human rights in cyberspace but Indian government is not deterred by this issues.

It is only after the United Nations has declared that access to Internet is a human right that Indian government is thinking about civil liberty issues in cyberspace. In order to confer legitimacy to projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), etc, they must be supported by a techno legal framework. Presently, none of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

While lack of privacy law has already stalled Natgrid yet other projects like unique identification project of India or Aadhar project of India are simply unconstitutional by their very existence and being violative of privacy rights as conferred under Indian constitution.

For some strange reasons, Indian government has been ignoring enactment of good techno legal privacy laws in India. Various governmental ministries have started the exercise of enacting the privacy law for India time to time but ultimately none of them materialised. These exercises proved to be futile and till now we are still waiting for the enactment of sufficient and strong privacy laws in India.

Unaccountable Natgrid Is Not A Panacea For Intelligence Failures Of India

Intelligence Failures in India are in abundance. This is not necessarily due to the fault of Intelligence Agencies of India but in majority of cases this happen due to non sharing of intelligence information among themselves in a timely manner. Overall, Intelligence Infrastructure of India is in a bad shape.

This is the reason why Projects like National Intelligence Grid (NATGRID), National Counter Terrorism Centre (NCTC), etc assume significance. These are ambitious Projects that must be implemented in a Constitutional and Planned manner. Here lies the real problem.

While NCTC is out of picture for some more years yet NATGRID Project is based upon “Faulty Premises” and “Improper Management”.

Home Minister P. Chidambaram is pressing hard for the NATGRID Project upon the premises that it would solve all the Intelligence and Terrorism related problems. This is not true. NATGRID Project cannot and would not stop terrorist attacks and it would play almost no role in the absence of good Intelligence Gathering and Analysis Capabilities. It can supplement intelligence capabilities but never supplant the same.

Secondly, NATGRID Project of India is badly implemented. There is no sign of any sort of “Accountability and Transparency” in the dealing of NATGRID Project. Even Parliamentary Scrutiny is missing and in an environment where E-Surveillance has already gripped India, this is a bad news.

There is no “Public Information” about NATGRID Project nor are there any “Procedural Safeguards” that can prevent the possible misuse of this E-Surveillance Project. Civil Liberties are at stake as there is no protection of Human Rights in Cyberspace.

Home Minister P. Chidambaram must understand that NATGRID Project of India is “Not a Panacea” for all National Security problems in India. If at all NATGRID Project would work, it must be made more “Systematic and Planned”. Of course, it must also be “Constitutional”. Presently NATGRID Project is not meeting any of the abovementioned requirements.

M-Governance Policy Of India

Mobile governance (m-governance) is an innovative method of using mobile technologies for effective governance and public services delivery. M-governance facilitates many public services in almost real time and without hassles. However, along with the benefits of m-governance it has many drawbacks as well.

Firstly, we have no implementable m-governance policy in India. In the absence of proper planning and a sound m-governance policy it is not a wise option to utilise m-governance services in India.

Secondly, we have no dedicated legal framework for m-governance in India. This may create problems in cases of mobile banking, m-governance, m-commerce, etc. Of course, we have information technology act 2000 (IT Act 2000) as the cyber law of India yet it is far from perfect for even e-governance purposes and it is not at all applicable to m-governance environment.

Another issue pertains to the exercises of e-surveillance and phone tapping by Indian government and its agencies. Till now we have no lawful interception law in India. Phone tapping is done under the colonial and outdated Indian telegraph act 1885 and e-surveillance is done under the IT Act 2000. Both these acts are violating the letter and spirit of Indian constitution and have incorporated many unconstitutional provisions that are well beyond the parliamentary and judicial scrutiny.

Recently, the ministry of communication and information technology (MCIT) has launched the central monitoring system project of India. It has the capabilities to monitor all sorts of telecommunication and electronic communications. However, it is a pure executive exercise with no legal framework, civil liberty safeguards and parliamentary and judicial scrutiny.

At the international level some development for safeguarding the human rights in cyberspace has been taking place. United Nations has declared that access to Internet is a human right. This shows that human rights protection in cyberspace cannot be ignored by nations in future.

Finally, m-governance cannot succeed till we ensure cyber security for m-governance in India. Till now even the basic level cyber security is missing in India and we have no cyber security policy in India. Further, the IT Act 2000 need to be suitably amended or a dedicated legislation for m-governance must be enacted in India.

All these issues are integral part of the m-governance policy of India. Before jumping upon the fancy idea of m-governance we must ensure that it can operate and flourish in India.

Central Monitoring System Project Of India

Central Monitoring System Project of India (CMS Project of India) is a very crucial project to safeguard Information and Communication Technology (ICT) related security and e-surveillance issues in India. It is mooted by the Central Ministry of Communication and Information Technology (MCIT).

The aim of CMS Project of India is to have a “Centralised Mechanism” where Telecommunications and Internet Communications can be analysed by the MCIT, Indian Government and its Agencies. Some have called this mechanism as the Internet Kill Switch of India where Internet Communications all over India can be suspended through this mechanism.

Recently, the United Nations declared “Right to Access” to Internet as Human Right. This would have a positive impact upon many Human Rights in Cyberspace. For instance, Right to Speech and Expression, Right to Privacy, Right to Know, etc cannot be violated by the CMS Project of India. United Nations must expand Human Rights Protection to many more issues.

This is the real problem for the CMS Project of India. We have no dedicated Privacy Laws in India, Data Security Laws in India and Data Protection Laws in India. Further, the CMS Project of India is also beyond the “Parliamentary Scrutiny”. The Cyber Law of India, incorporated in the Information Technology Act 2000 (IT Act 2000), was drastically amended through the Information Technology Amendment Act 2008 (IT Act 2008).

The IT Act 2008 incorporated various “Unconstitutional Provisions” in the Cyber Law of India that clearly violates the Human Rights in Cyberspace. For instance, provisions regarding Internet Censorship, Website Blocking, Encryption and Decryption, etc have no inbuilt “Procedural Safeguards” as mandated by the Constitution of India. This is the reason why the Cyber Law of India needs to be repealed.

Further, we have no E-Surveillance Policy in India. Even Phone Tapping in India is done in an “Unconstitutional Manner” and even by private individuals with or without Governmental approval.

If CMS Project of India has to be “Legal and Constitutional” it must be subject to “Parliamentary Oversight”. Further, the IT Act 2000 must be repealed as soon as possible as it is clearly not in conformity with the Constitution of India and Civil Liberties Protection in Cyberspace.

Of course, if India Government persists in this “Unconstitutional Approach”, taking recourse of “Self Defence Measures” is not a bad option. Rather that remains the “Sole Option” when our Parliament, Executive and Judiciary fail to protect Fundamental Rights enshrined in the Constitution of India and the Human Rights Charter of United Nations.

Indian Government Waking Up To Privacy Laws Requirements

Of late Fundamental Rights and Civil Liberties of Indian Citizens in Cyberspace have been totally neglected by the Executive and Legislative Branches of Indian Constitution. Unfortunately, even Judiciary failed to interfere and we have reached a “Precarious Situation” where the Constitution of India, especially Fundamental Rights, are about to be made “Redundant and Non Existent”.

While United Nations has declared that “Access to Internet” is Human Rights yet Indian Government is well committed to deny not only this Human Rights but also all other possible Human Rights in Cyberspace.

Naturally, there is a need to protect Human Rights in Cyberspace before we fully launch various E-Surveillance and Civil liberties Violating Projects in India. Security and E-Surveillance Projects have been launched by Indian Government without any “Procedural Safeguards” and in active “Violation” of Human Rights in Cyberspace. The only solace is that these Projects are in their infancy stage and they can still be made “Constitutional”.

For instance, Projects like National Intelligence Grid (NATGRID), Central Monitoring System of India (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Aadhar Project of India, Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), etc have no “Procedural Safeguards” and they are violating Human Rights and Fundamental Rights in their “Present Form”. These Projects have been launched without any Legal Framework and Parliamentary Oversight. Further, even the most “Basic Laws” like Data Protection Laws, Data Security Laws, Privacy Laws, etc are missing in India.

Realising the “Gravity of the Situation”, the Planning Commission of India has now decided to call a high-level meeting of experts, civil society representatives and government officials to address these concerns. The Commission admits that initiatives like UID, NATGRID, DNA profiling, brain mapping and tapping communication, etc are “Genuine Concerns” and they need to be addressed properly. The Commission has also suggested using “Inbuilt Technological Safeguards” for all these Projects.

At Perry4Law and Perry4Law Techno Legal Base (PTLB) we have been constantly suggesting that privacy is a key concern in all these Projects as people's personal information would be stored in a single database and the possibility of corruption and exploitation could not be ruled out.

The minister, incharge of IT in the plan panel, said it is necessary to have in-depth and threadbare discussion with experts, civil society representatives and government officials to ensure that the objective of national security and efficiency in public service delivery mechanism are effectively reconciled with the privacy concern of citizens.

This is a good step in the right direction and Perry4Law and PTLB welcome this step of Indian Government.

Encryption Policy Of India Is Needed

Use of Encryption in India has never been smooth. Intelligence Agencies in general and Central Home Ministry of India in particular are very much concerned about use of Encryption beyond 40 bits. However, what Home Ministry is not realising is that anything below 128 bits of encryption is definitely “Unsafe” and anything below 256 is “Potentially Unsafe”.

The Stakeholders that need “Higher Encryption Level Protection” includes Banks, Stock Exchanges, E-Mail Service Providers, Corporate Communications, Sensitive Government Communications, etc. It is “Not Feasible” to ask for Encryption Level below 256 bits.

Obviously, Indian Government has to take care of National Security and Law Enforcement needs as well. This does not mean we should have a “Weak Cyber Security Infrastructure” in India. On the contrary, we must ensure a Strong, Robust and Resilient Cyber Security Infrastructure for India.

At Perry4Law Techno Legal Base (PTLB) we believe that India should invest in establishing good Techno Legal Cyber Security Capabilities on the one hand and Cyber Skills and Intelligence Gathering Skills Development in India on the other hand. We believe that E-Surveillance can never be an “Alternative” for good and effective Cyber Security and Intelligence Gathering Capabilities. E-Surveillance must “Supplement” Intelligence Gathering Skills and “Not Supplant” the same.

This entire problem is happening because we have no Encryption Policy in India that clearly demarcates what level of Encryption can be used and what level cannot be. Further, we have no Legal Framework regarding Encryption usage in India.

We also have no Encryption Laws in India or Encryption Framework and Norms in India that have been “Prescribed” by the Parliament of India. All we have are “Encryption Guidelines” that are incorporated in various “Civil Contracts” with Telecom Companies and other such Companies. At most they are “Departmental Guidelines” but they do not have the “Force of Law”.

They are indirectly made applicable as “Forced Conditions” by the Telecom Companies and other Stakeholders. The “Legality” of this is very much doubtful as “End Users” have no “Autonomy” and “Free Choice” in such cases.

The Cyber Law of India, as applicable through Information Technology Act 2000 (IT Act 2000) has a single provisions in this regard. Section 84A of IT Act 2000 says that the Central Government may prescribe the modes or methods of Encryption. Till now the Central Government has not prescribed any “modes or methods” of Encryption usage in India. In fact, the IT Act 2000 is so “Badly Drafted” that many of its provisions are “Unconstitutional” and there is an urgent need to “Repeal” the Cyber Law of India.

It is high time for us to formulate a Techno Legal Encryption Policy for India as soon as possible. The Encryption Policy of India must keep in mind the Commercial, Cyber Security, Cyber Law, National Security, Intelligence Agencies and Law Enforcement requirements.

Further, the Indian Encryption Policy must also keep in mind the Civil Liberties in Cyberspace. Recently, the United Nations has declared that “Access to Internet” is a Human Right. Indian Government must “Balance” the National Security Requirements with Human Rights in Cyberspace as giving “Primacy” to one over another is not feasible.

Perry4Law and PTLB hope that Indian Government would take immediate steps to accommodate these “Suggestions” of ours.

Cyber Security Must Be An International Issue

I personally believe that Cyber Security is an “International Issue” and not a “National One”. Those who believe it to be a National Issue are going to suffer a lot. Similarly, “Self Regulation” is not going to help us in the long run especially when countries all over the world are establishing Cyber Commands and Cyber Warfare Capabilities.

I also believe that despite all odds, we must try to formulate International Cyber Law Treaty and International Cyber Security Treaty. Without clearly demarcating the “Roles and Responsibilities” of Nations in the Cyberspace, International Mutual Cooperation in this regard is next to impossible.

United Nations has a bigger role to play in this regard. On the one hand it must formulate International Cyber Law and Cyber Security Treaty whereas on the other hand it must make these Treaties in conformity with the Human Rights in Cyberspace.

Developed Countries like US are not interested in Treaties on Cyber Law and Cyber Security except to the extent permitted by present International Legal Framework .This Framework was formulated at a different time and in a different context. It is high time to abandon the same in the larger interest of “International Community”.

The growing Cyber Attacks on Gmail, Citicorp, etc are happening because of this “Void” at the International level. This “Void” is also forcing the Countries to adopt their own Cyber Security safeguards. Australia has planned a Cyber Defence Strategy whereas European Union has set up a team of Cyber Crime Fighters. Countries are adopting this “National Approach” because there is no “International Framework” to deal with these issues.

The sooner we have International Frameworks for Cyber Law and Cyber Security related issue the better it would be for the interest of International Cyberspace Community at large.

CCS Did Not Approve Natgrid Project Absolutely

National Intelligence Grid (NATGRID) Project of India is still in troubled waters as lack of Privacy Laws and Data Protection Laws has put it in doldrums. Media reports are full of rumours that the Cabinet Committee on Security (CCS) has cleared the NATGRID Project. However, this is not true as CCS has just granted the “in principle approval” to NATGRID Project and nothing more.

In the past as well in principle approval was given to NATGRID Project but it was not able to proceed as it lacks the basic Planning, Management and Legal Framework. Even today and after the in principle approval of CCS, NATGRID Project is still without any Legal Framework and Parliamentary Oversight.

Further, the CCS has granted its approval to NATGRID Project for “Limited Purposes” only. CCS has allowed NATGRID to operate for “Limited Phases” only that also where the same can operate within the limits of present Legal Framework. For subsequent stages, NATGRID has “not been approved” till “Suitable Amendments” are made in the Laws of India.

Experts in India have been saying that NATGRID Project of India must comply with Civil Liberties in order to be Legal and Constitutional. Fortunately, the CCS has also “Endorsed” this view and this is the reason why it did not give permission for subsequent and “Final Phases” of NATGRID Project. The CCS has just cleared first two “non-controversial phases” and it is still holding back nod for later phases that require Legal Alterations

The real problem with India is that it is not respecting Human Rights in Cyberspace. We have no E-Surveillance Policy in India and Lawful Interception Law in India is missing. Phone Tapping in India is not done in a Constitutional manner and Laws like Information Technology Act 2000, Official Secrets Act, Indian Telegraph Act 1885, etc are “no more constitutional” and deserve to be repealed.

It is only now that India has started paying attention towards issues like Privacy Laws but even these efforts lack Protection of Civil Liberties in Cyberspace and Protection of Privacy Rights in the Information Era.

NATGRID Project of India would not be finished before Five Years in these circumstances. This is despite the claims of Home Minister P. Chidambaram. If NATGIRD Project is finished before that time period and within the present Legal Framework it means only two things. Either the CCS has “forsaken” the Civil Liberties of India Citizens or Home Ministry is operating the NATGIRD Project “Illegally and Unconstitutionally” and without the knowledge of CCS.