Yesterday, we joined the #DigitalLawsAsia discussion to talk about threats to free expression in India. Today, we are back to talk about the importance of data protection and surveillance reform in a world where our smartphones know us better than ourselves. 1/n
India currently does not have a data protection law and the proposed Bill which is being evaluated by a Joint Parliamentary Committee grants wide exemptions to the govt and fails to provide adequate independent oversight. 2/n #DigitalLawsAsia
Here is our submission to the Joint Parliamentary Committee highlighting problems in the proposed Personal Data Protection Bill. 3/n #DigitalLawsAsia
Want to know what a model privacy law for India could look like? Check out the Indian Privacy Code by the #SaveOurPrivacy campaign which was created by volunteers and revised based on public comments. 4/n #DigitalLawsAsia
In addition to parliamentary advocacy, we have also approached courts seeking surveillance reform and challenged the constitutionality of S.69, IT Act which empowers the govt to conduct electronic surveillance without any judicial or parliamentary oversight. 6/n #DigitalLawsAsia
Read more about this case which led to disclosure of the government's Standard Operating Procedure for electronic surveillance here. 7/n #DigitalLawsAsia
During the COVID-19 pandemic, the govt has expanded its surveillance infrastructure through apps like Aarogya Setu which claim to be voluntary but are mandatory for all practical purposes. 8/n #DigitalLawsAsia
Here is a comprehensive working paper on COVID-19 surveillance in India which spans 88 pages. 9/n #DigitalLawsAsia
Aarogya Setu has been one of our top priorities in the past few months and we have analysed the app’s data sharing protocol in detail to explain why it does not protect your data despite using all the right buzzwords. 10/n #DigitalLawsAsia
And Aarogya Setu isn’t the only invasive surveillance project being rolled out during the pandemic. The govt has also issued a tender for wearable tracking devices which are termed as a patient tracking tool but will be used for national security purposes. 11/n #DigitalLawsAsia
Here is an explainer on the BECIL tender which should concern us all. 12/n #DigitalLawsAsia
These surveillance technologies are operating in a legal vacuum because the Personal Data Protection Bill is yet to be enacted and the IT SPDI Rules 2011 are limited to body corporates and do not apply to govt agencies. 13/n #DigitalLawsAsia
For instance, NCRB has issued a tender for an Automated Facial Recognition System and claimed that a cabinet note from 2009 is the legal basis for the project. 14/n #DigitalLawsAsia
The deadline for the tender has been extended several times and we have continued engaging with NCRB about the illegality of such a project in the absence of any parliament enacted legislation. 15/n #DigitalLawsAsia
Indian internet users are particularly vulnerable to data breaches because S.43, IT Act fails to draw a distinction between malicious hacking and good faith vulnerability disclosure. As a result, security researchers are constantly at risk of penal action. 16/n #DigitalLawsAsia
Here is an explainer on why security researchers need more bug bounties and less vexatious lawsuits. 17/n #DigitalLawsAsia
The proposed amendments to the Intermediaries Guidelines also raise privacy concerns because they contain a "traceability" requirement which could undermine encryption. Encryption has even become a hot button issue before courts. 18/n #DigitalLawsAsia
Join the #DigitalLawsAsia discussion hosted by @APC_News and tell us which laws and cases do you think we should focus on which could threaten online privacy of internet users! 19/n
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Been hearing some chatter around #DigiYatra? As scary questions about ownership, transparency, and data flow emerge, here is a quick rundown of everything we know about the service, and more importantly, everything we don’t. 😶🌫️🧵1/7
1️⃣Who owns DigiYatra?
In 2019, @MoCA_GoI passed on DigiYatra's operations & data ecosystem to a *private company* created for this very purpose – DigiYatra Foundation. DYF is a joint venture between 5 Indian airports (public-private, 74% stake) & @AAI_Official (public, 26%). 2/7
2️⃣ Such a public-private venture must be answerable to citizens?
Not exactly. Neither DYF nor its security audit agency @IndianCERT fall under the RTI Act. It cannot, technically, be forced to disclose any information on its data practices & security. 3/7 medianama.com/2023/03/223-ci…
Were you among the millions of @WhatsApp users who got a DM from ‘Viksit Bharat Sampark’? 🫠🫠
The account, seeking feedback on government initiatives, is now barred by the Election Commission from sending messages.
But several concerns persist… (1/10) internetfreedom.in/whatsapp-messa…
The message, accompanied by a letter from the PM, listed the various schemes and initiatives introduced by the incumbent government and was, in many cases, sent after the ECI released its Model Code of Conduct for upcoming elections. (2/10)
It stirred a storm and how…
First, we wonder how exactly did MeitY secure the contact information of such a large number of people and when/how did it begin using this information for outreach purposes? (3/10)
@GoI_MeitY has notified the @PIBFactCheck of the @MIB_India as the fact-checking unit (FCU) under the IT Amendment Rules, 2023.
The notified FCU will be empowered to flag online “false”, “fake”, or “misleading” information related to the Union govt. 1/9 🧵
The establishment of the FCU less than a month before the country heads for the #GeneralElections2024 could vastly affect the nature of free speech on the internet as it holds the potential to be (mis)used for proactive censorship, most importantly in the context of dissent. 2/9
This notification follows the March 13 decision of the Bombay HC, where the Bench refused to restrain the setting up of an FCU until the third Judge decides on the constitutionality of the 2023 Amendment.
This effectively allowed the Union govt to operationalise the FCU, despite its constitutionality being under deliberation before the High Court. 3/9
‼️Indian Railways has floated a tender for the installation of 3.3L facial recognition-enabled CCTV cameras inside railway coaches with a central face-matching server to surveil & identify passengers (adults & children) to ‘curb crime’. (1/7)
@amofficialCRIS invited tech providers to install FRT-enabled tech with ‘video analytics’ to identify faces & send them to a ‘face matching server’. This lacks legal safeguards, creates a fertile land for misidentification & staff bias, & fails Puttaswamy criteria. (2/7)
CCTV systems enabled with FRT operate in regulatory limbo as there is no legislative basis to use it to combat crime. & there’s the currently inoperational DPDPA which may not adequately regulate CCTV and FRT, leaving individuals' sensitive facial data vulnerable to misuse. (3/7)
🚨🔊May I have your attention please. @RailMinIndia is planning to install over 3.3 Lakh facial recognition-enabled CCTV cameras inside 44,038 train coaches across India… and our right to privacy is about to depart from platform number five. 🔊🚆1/7 medianama.com/2024/02/223-in…
With an intent of enhancing security for passengers in trains, @amofficialCRIS has floated a tender for installing CCTV surveillance systems enabled with ‘video analytics’ & facial recognition in coaches & at exit/entry points. 2/7 medianama.com/wp-content/upl…
A face image cropping tool built into the 4 entry/exit CCTV cameras will identify faces of passengers from the camera’s live feed & send the metadata to a central ‘face matching server’ in real time. This ecosystem will collect & store facial data of adult & child passengers alike. 3/7
Can we catch a break!?
The past few days in the Parliament align on the chaotic bad plane. Suspensions, followed by more suspensions, followed by draconian bills passing without any opposition (because, yk, suspensions). 🎪
Broadcasting Bill, Telecom Bill, & now the criminal reform bills – our digital rights are in deep waters. 1/n
The bills were introduced in the Monsoon Session aimed to "decolonise" criminal laws, but actually pose threats to privacy and free speech, as the bills digitise criminal procedures without clear safeguards, & expand executive powers for digital evidence search & seizure. 3/n