Monthly Archives: June 2013

US FCC Voted For A Declaratory Ruling That All Carriers Must Safeguard The Private Data In Their Customers’ Mobile Devices

US FCC Voted For A Declaratory Ruling That All Carriers Must Safeguard The Private Data In Their Customers' Mobile DevicesPrivacy issues in United States are in the middle of the storm due to the recent disclosure about the surveillance and eavesdropping exercises of NSA code named PRISM. Even James Clapper has confirmed that NSA is targeting foreign nationals for surveillance purposes.

India is even worst situated when it comes to e-surveillance and eavesdropping. India has launched e-surveillance oriented project like Central Monitoring System (CMS) that is extremely dangerous in nature.

India has also announced initiatives like national critical information infrastructure protection centre (NCIPC), national cyber coordination centre (NCCC), national intelligence grid (Natgrid), etc. None of these projects are governed by any regulatory framework and parliamentary oversight. In these circumstances self defence and privacy protection in India must be ensured through techno legal means.

Meanwhile, U.S. is trying to justify its stand on PRISM and e-surveillance exercises. NSA has claimed in the past that all e-surveillance exercises engaged by NSA are in conformity with U.S. laws especially Section 702 of the FISA.

Now the Federal Communications Commission (FCC) of U.S. has released a Declaratory Ruling that would protect the privacy of consumers of wireless services. The FCC has clarified its customer proprietary network information (CPNI) policies in response to changes in technology and market practices in recent years.

The ruling has endorsed the principle that when a telecommunications carrier collects CPNI using its control of its customers’ mobile devices, and the carrier or its designee has access to or control over the information, the carrier is responsible for safeguarding that information.

Specifically, the Declaratory Ruling makes clear that when mobile carriers use their control of customers’ devices to collect information about customers’ use of the network, including using preinstalled apps, and the carrier or its designee has access to or control over the information, carriers are required to protect that information in the same way they are required to protect CPNI on the network. This sensitive information can include phone numbers that a customer has called and received calls from, the durations of calls, and the phone’s location at the beginning and end of each call.

Carriers are allowed to collect this information and to use it to improve their networks and for customer support. Carriers’ collection of this information can benefit consumers by enabling a carrier to detect a weak signal, a dropped call, or trouble with particular phone models. But if carriers collect CPNI in this manner, today’s ruling makes clear that they must protect it.

The Declaratory Ruling does not impose any requirements on non-carrier, third-party developers of applications that consumers may install on their own. The ruling also does not adopt or propose any new rules regarding how carriers may use CPNI or how they must protect it.

The Commission can take enforcement action in the event that a failure to take reasonable precautions causes a compromise of CPNI on a device. This clarification avoids what would otherwise be an important gap in privacy protections for consumers.

Today’s action is the latest by the FCC to protect consumer privacy as part of the agency’s mission to serve the public interest. By taking action in this area, the Commission reaffirms that it is looking out for consumers in the telecommunications market.

Self Defence And Privacy Protection In India Must Be Ensured

Self Defence And Privacy Protection In India Must Be EnsuredThe recent exposure of United States e-surveillance exercises through PRISM project by National Investigation Agency (NSA) is now well known and globally protested. India  has not only expressed its concerns regarding e-surveillance exercises by U.S. agencies but has also demanded information about the data and information of Indians accessed during such project that has resulted in violation of their civil liberties.

This reaction is natural as James Clapper, director of NSA, has confirmed that NSA has been targeting foreign citizens for surveillance and this includes Indian citizens as well. Speculations about use of Utah data centre for e-surveillance purposes have also been raised but NSA has denied the same in the past. Further, national security letters (NSLs) are openly used by FBI to gather warrant less information.

The command and control servers of malware and e-surveillance tool FinFisher have also been found in 36 countries including India. Cyber espionage tools like Stuxnet, Duqu, Flame, etc are already used widely by national governments. In the absence of internationally acceptable cyber law and cyber security treaties, there is no uniform application of international law to tackle cyber terrorism and cyber warfare. Even Tallinn manual is not applicable to international cyber warfare attacks and defence.

Meanwhile, India has launched its own version of PRISM in the form of Central Monitoring System (CMS) that is extremely dangerous in nature. India has also announced initiatives like national critical information infrastructure protection centre (NCIPC), national cyber coordination centre (NCCC), national intelligence grid (Natgrid), etc. None of these projects are governed by any regulatory framework and parliamentary oversight.

Further, in the absence of privacy laws and constitutional lawful interceptions laws in India, the CMS is even worst than the PRISM project of NSA. Nevertheless no sovereign government would allow other government to do e-surveillance and eavesdropping upon its citizens, at least not openly.

Civil liberties protection in cyberspace is a very difficult process. This is the reason that even the United Nation has taken decades to raise protest against e-surveillance. So we have governments that are well committed to indulge in e-surveillance, we have inadequate or no laws to protect privacy and we have no international organisation to support civil liberties protection in cyberspace.

So what is the alternative left to us to protect our civil liberties in cyberspace? We believe that self defence in cyberspace is the only viable option left to those who wish to exercise their civil liberties in cyberspace. Technology can assist us in achieving this task.

We can use disposable e-mails to avoid e-mail surveillance, safeguards like TOR against illegal Internet eavesdropping and sniffing, use TOR for instant messaging (IM) and mobile phones for private and secure conversations, for Blackberry users and those believing in a good combination of privacy and security, use Pretty Good Privacy (PGP) along with any good smart phone, use Enigmail for encrypted e-mails, use VPNs and reliable proxies, use open source browsers like Firefox with addons, use secured connections while communicating online, use of search engines like Startpage or DuckDuckGo, etc.

There are many more options available here that can be availed of by civil liberty activists around the world. We hope these tools and resources would help Indian citizens to reclaim their privacy and civil liberties in Indian cyberspace.

James Clapper Confirms That NSA Is Targeting Foreign Citizens For Surveillance

James Clapper Confirms That NSA Is Targeting Foreign Citizens For SurveillanceUnited State intelligence agencies have been engaging in eavesdropping and e-surveillance for long. They are using methods like warrant less phone tapping, national security letters (NSLs), surveillance systems like PRISM, etc.

This is not a U.S. specific problem. In fact, India is worst situated than U.S. as in India we do not need a court warrant to do phone tapping and e-surveillance. We have no dedicated privacy laws in India and phone tapping is done in an unconstitutional and illegal manner. A lawful and constitutional interception law in India must be formulated as soon as possible.

United Nations finally broke its silence on civil liberties violations that are happening at global level. However, U.N must do much more than showing its displeasure regarding the contemporary e-surveillance practices adopted by nations around the world.

Meanwhile, James Clapper, Director of National Intelligence agency (NSA), has maintained that the PRISM project is both legal and vital to national security. He concurred that NSA has been using PRISM to gather digital information and data of targeted foreign citizens using the Internet outside the U.S.

He also maintains that PRISM is overseen by a secret court under laws approved by the US Congress. However, targeting of U.S. citizens cannot be ruled out in these circumstances.

The basic argument of Clapper is that PRISM is an internal government computer system to facilitate the government’s statutorily authorised collection of foreign intelligence information from electronic communication service providers under court supervision.

If this is the purpose and scope of PRISM project, there is not much to protest as it is the law that has to be protested against. Blaming Internet companies complying with court orders is also unjustified in these circumstances. But if NSA or any other law enforcement agency indulges in warrant less phone tapping or e-surveillance or if NSLs are use din an abusing manner it is a grate cause of concern for U.S. citizens.

Stung by these disclosures, White House has been considering whether a criminal investigation must be initiated against those found guilty as per U.S. laws for putting U.S. national security in danger.

Meanwhile, Internet companies have denied their involvement in the e-surveillance project and have maintained that they have not provided any direct access to their servers to the NSA or any other authority. These companies maintain that they are providing user data to governments only in accordance with the law.

What these companies must be doing is providing a secure and dedicated access to NSA and other agencies through a web portal where the requested information can be posted by the concerned company and accessed by the NSA/FBI.

However, the real question is whether such information is provided only after a court warrant in each and every case or on the mere asking of the NSA/FBI. In the former case, it may be legal and constitutional whereas in the latter case it is illegal and unconstitutional.

But there is no doubt about the proposition that the accused Internet companies are sharing information about their respective users with NSA and FBI and if they claim they are not aware of such sharing through a dedicated portal, they are simply lying.  Now the question is how much foreign citizens can trust these companies for their personal and sensitive information?

United Nations Finally Broke Its Silence On Civil Liberties Violations

United Nations Finally Broke Its Silence On Civil Liberties ViolationsUnited Nations has preferred to keep itself aloof from civil liberties issues, especially those exercised in the cyberspace. The problem is that there are no internationally acceptable standards that protect human rights in cyberspace. This is all the more reason that UN must protect human rights in cyberspace.

However, the indifference on the part of UN in this regard has raised doubts about it role in the protection of civil liberties in cyberspace. Although UN has declared that “access to internet” is a human right yet in practice this has not been adopted by member of the UN.

Meanwhile, countries keep on pushing e-surveillance oriented projects and executive orders. The position reached a stage where if UN did not interfere, the situation could have got out o hands.

UN has now opined (PDF) that the increasing state surveillance could be a serious threat to right to privacy. UN believes that state surveillance of communications is ubiquitous, and such surveillance severely undermines citizens’ ability to enjoy a private life, freely express themselves and enjoy their other fundamental human rights.

Countries around the world, including India, are denying legal safeguards and using new technologies and surveillance techniques to invade citizens civil liberties. For instance, India is using e-surveillance projects like Aadhaar, central monitoring system, national intelligence grid, etc to defeat civil liberties of Indians. Till now we have no dedicated privacy law in India.

In U.S. Google has been challenging the FBI’s national security letters (NSLs) that although declared to be unconstitutional are still required to be followed. U.S. government is also the biggest buyer of malware. Global cyber espionage networks and botnets are also used by rouge nations. The command and control of FinFisher malware were found in 36 countries, including India.

UN has taken a good step in the right direction but it has to implement civil liberties protection in cyberspace vis-à-vis its member nations as well.

Google’s Challenge To FBI National Security Letters Narrowed Down By The Court

Google’s Challenge To FBI National Security Letters Narrowed Down By The CourtThe civil liberties in cyberspace are passing through a difficult phase. Countries around the world are well inclined to invade privacy rights and exercise excessive e-surveillance. In United States the federal investigation agency FBI has been issuing national security letters (NSLs) for long by showing national security requirements.

FBI has also issued gag orders in this regard that were declared unconstitutional by the U.S District Judge Susan Illston. Meanwhile Google continued to challenge the NSLs themselves that demanded warrant less information seeking under the USA Patriot Act.

Unfortunately, now Judge Susan Illston has held that Google must comply with the NSLs granting the government access to users’ private info without court warrants. Judge Illston’s latest ruling appears to contradict her decision earlier this year ordering the government to stop issuing the letters.

The judge put the Google ruling on hold until the 9th U.S. Circuit Court of Appeals can decide the matter. Until then, she said, the company would have to comply with the letters. It could be many more months before the appeals court rules on the constitutionality of the letters and till then Google may have to comply with the FBI’s NSLs.

The only solace for Google is the fact that Google can file a fresh petition challenging the specific letters it had received, rather than challenging the NSLs in general. It seems, like India, U.S. has also failed to maintain a balance between national security and civil liberties.

Privacy Law Of India In Pipeline

Privacy Law Of India In PipelineIndia has no dedicated privacy law though provisions pertaining to privacy protection are scattered across various legislations. Even the Constitution of India did not carry any provision protecting privacy rights in India.

It is only by way of judicial interpretation that privacy rights have been conferred by Indian Supreme Court upon Indian citizens under Article 21 of Indian Constitution.

Indian government soon realised that a dedicated privacy law has to be enacted that can consolidate various privacy related aspects at a single place. However, it proved a mammoth task for Indian government to formulate such privacy law.

After many committees and many attempts it has now been indicated that the privacy law of India may be submitted before the Parliament of India during the forthcoming monsoon session of Indian Parliament. One of the proposed provisions of the privacy law has imposed a penalty of Rs. 2 crore for illegal telephone tapping in India.

However, it seems Indian government is still hesitant to formulate such a law. It is natural as well as e-surveillance projects like Aadhaar, central monitoring system, national intelligence grid, etc are in direct conflict with the privacy notions. India has a poor track record of maintaining a balance between national security and privacy protection requirements.

We would cover more about this issue in our subsequent discussions and articles.

Illegal Phone Tapping In India May Attract Rs 2 Crore Penalty In Future

Illegal Phone Tapping In India May Attract Rs 2 Crore Penalty In FuturePhone taping is a controversial subject in India especially when private individuals are openly doing the same in an unregulated manner. The position has been made complicated due to absence of dedicated privacy laws and data protection laws in India.

The Information Technology Act, 2000 also contains unconstitutional provisions that empower our government and its agencies to do e-surveillance and eavesdropping on electronic communications.

The net result is that we have no constitutionally sound lawful interception law in India as on date.  For instance, the cell site data location laws in India and privacy issues must be suitably regulated by a new law. Similarly, the cell site location based e-surveillance in India and surveillance of internet traffic in India must also be part and parcel of a new legislation.

Indian government is presently working upon the draft privacy law of India and the same is expected to be put before the Indian Parliament in its monsoon session. One of the clauses in the proposed privacy law prescribes a stringent penalty of Rs. 2 Crore for illegal phone tapping in India.

As on date, only government agencies, on prior permission from the Home Ministry, are allowed to tap telephone calls. However, law enforcement agencies, including those under the Finance Ministry and the CBI, are allowed to tap phones of any individual for security or operational reasons for 72 hours even without permission from the Home Secretary.

In India there is no requirement to obtain a court warrant to engage in e-surveillance and eavesdropping. Further, with the introduction of central monitoring system of India, the scope for judicial intervention has been absolutely ruled out.

It is not difficult to ascertain that the proposed penalty may act as a deterrent to private individuals alone. For Indian government and its agencies, this clause has no relevance as they are the final arbiter for deciding the need and legality of any phone tapping and e-surveillance till the matter is leaked out. Even then Indian judiciary would not take any stringent action against the Indian government as no such action has been taken in so many decades till now.