Logo

Defender of your Digital Freedom

All Posts | Jun 09,2020

A Brief on Privacy Concerns Around the COVID-19 Pandemic for the Committee

A Brief on Privacy Concerns Around the COVID-19 Pandemic for the Committee on Information Technology

In order to fight the COVID-19 pandemic, the Government of India launched a contact tracing application “Aarogya Setu”, and is also in the process of deploying various technologies like the patient tracking tool incorporated in the BECIL tender, etc, which have the potential to serve as surveillance tools. In the absence of privacy laws, it is important to have Parliamentary oversight on these technological developments. With the Parliament not in session currently, the Parliamentary oversight is only possible through these committee meetings.

SFLC.in prepared a brief on privacy concerns around the COVID-19 pandemic and suggested questions to the Committee on Information Technology meeting scheduled on June 17, 2020. One of the agendas for the meeting is "Oral Evidence on citizen’s security and privacy by the representatives of the Ministry of Electronics and Information Technology.”

We sincerely hope that the Committee will take up the concerns arising from balancing of public health, technological innovation, and individual data protection rights.

[pdfjs-viewer viewer_width=0 viewer_height=800 url=https://alpha.sflc.in/wp-content/uploads/2020/11/PrivacyConcerns_Questions_VIII_060320...pdf download=true print=true fullscreen=true fullscreen_target=false fullscreen_text="View%20Fullscreen" zoom=auto ]

All Posts | Apr 23,2020

Our Statement on the BECIL Tender – COVID – 19 Patient Tracking Tool

Our Statement on the BECIL Tender - COVID – 19 Patient Tracking Tool

Broadcast Engineering Consultants Limited, a government of India undertaking under the Ministry of Information & Broadcasting had recently released a tender inviting “Expression of Interest (EOI) for Empanelment of Agency for Supply of Healthcare Equipments”. The tender invites EOI for agencies to be empaneled to supply various ‘healthcare items’. To this tender a corrigendum was released adding three more items to be supplied: (1) Hand Held Thermal Imaging System (2) Optical Thermal Fever Sensing System (3) COVID – 19 Patient Tracking Tool.

Reading through the specifications of the tracking tool, it is evident that the item, presumably a comprehensive software, goes beyond a healthcare tool and opens up the possibility of mass surveillance.

The first specification for the equipment brands the equipment as an “Intelligence investigation platform & tactical tool to detect, prevent and investigate threats to national security using CDR, IPDR, Tower, Mobile Phone Forensics Data.”

The use of the phrase “national security” points to the possibility of the Government using this equipment to turn on an ‘always-active’ regime of surveillance in the guise of managing a pandemic.

The specification also mandates that it “should allow user to import data extracted from Mobile Forensic Tools like CellebriteUFED, Micro-Systemation XRY and HANCOM GMD”. It is also provided that the tool should be compatible with the i2 Analyst Notebook for advanced link Analysis. Cellebrite UFED (Universal Forensic Extraction Device), Micro-Systemation XRY and HANCOM GMD are linked to mobile forensics. It is not clear as to why a patient tracking tool should have such forensic capabilities. The use of CDR, tower data, and geo-location also indicates that chances are high that the entire system will be connected with already existing systems such as CMS and NATGRID. The tool with analysis of cell tower dumps and gateway scans and CDR records has the potential to be used as a mass surveillance tool.

SFLC.IN considers this move by the government to use technology to build a system that has the potential to be used for mass surveillance to be dangerous as we do not have sufficient safeguards against mass surveillance. Although the use of technology will be required for contact tracing, this has to be done in conjunction with conventional methods of tracking and the pandemic should not be an excuse to introduce a blanket system of surveillance. Many components of the tool included in the tender document go beyond the common requirements of contact tracing and could result in pervasive surveillance. SFLC.in along with other organisations and individuals had earlier sent a joint letter to the Central Government and various state governments requesting that any technology measures taken during the pandemic phase should respect the privacy of citizens and should be time -limited and in tune with the principles of necessity and proportionality.

[pdfjs-viewer viewer_width=0 viewer_height=800 url=https://alpha.sflc.in/wp-content/uploads/2020/11/BECILEOIHealthcarepdf-7dc6ef71921897ecd732748bcc824802.pdf download=true print=true fullscreen=true fullscreen_target=false fullscreen_text="View%20Fullscreen" zoom=auto ]
[pdfjs-viewer viewer_width=0 viewer_height=800 url=https://alpha.sflc.in/wp-content/uploads/2020/11/Corrigendumhealthcarepdf-66a662d4d6c8e2facb46fd1574ab41f4.pdf download=true print=true fullscreen=true fullscreen_target=false fullscreen_text="View%20Fullscreen" zoom=auto ]

All Posts | Apr 08,2020

Our Concerns With The Aarogya Setu App

Our Concerns With The Aarogya Setu App

Recently, the Ministry of Electronics and Information Technology (“MEITy”) rolled out its “Aarogya Setu" application (“the App”) for Android and iOS platforms. The app aims at providing users information as to whether they are prone to a COVID-19 infection by analysing their proximity to COVID-19 positive persons. The app requires the user to submit the user’s geodata. It also uses bluetooth to connect to other registered users and from the network thus formed, analyse whether the user has come in contact with anyone who has been tested positive. The app, as per its terms of service is intended to “notify, trace, and suitably support” a registered user regarding COVID-19 infection.

We, at SFLC.IN, went through the software’s features and also took a look at its terms of service and its privacy policy. The application collects personal information some of which are sensitive personal data such as a person’s gender, and travel information. So, it was necessary to scrutinise the App in these testing times. And we do have some concerns with the App. They are as follows:

1. Violation of the law laid down by the Supreme Court– It is important to note that the Aarogya Setu app has been launched in the time of an ongoing pandemic, when the Governments are trying to maximise data collection, often at the cost of privacy rights of citizens. India does not have a law dealing with personal data protection which should be limiting data collection and processing. SFLC.IN, along with a coalition of lawyers, social activists, entrepreneurs, and concerned citizens, had recently sent a joint letter to various ministries of the Central Government and also the heads of states and union territories expressing concerns over the unwarranted and excessive collection of personal data during the ongoing COVID-19 pandemic urging the various governments to follow law enunciated in various Supreme Court judgments. If you haven’t signed on the campaign letter, you can do so by clicking here.

2. “Aarogya Setu” is not open source – Though the Central Government has a prevailing policy on adoption of open source software the Aarogya Setu app’s code has not been made open source. Making the source code available enhances transparency and this also improves security as the code is open to community audit. The app primarily collects personal data from user cellphones and cellphones are an immense repository of personal data of users and sometimes, of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app proprietary is not advisable.

3. Personal Data Collected and its Use – The app, as per its privacy policy collects the following personal information during registration and stores it in the cloud: (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; (vi) countries visited in the last 30 days; and (vii) whether or not you are a smoker and a person’s current medical condition collected through a series of questions when the app is run for the first time to asses the condition of the user. Moreover, the App continuously collects the location data of the registered user and maintains a record of the places where the user had come in contact with other registered users.

Clause 2 (a) of the Privacy Policy states, concerning the use of collected data, that:

 “The personal information collected from or about you under Clause 1(a) above, will be stored locally in the App on your device and will only be uploaded to and used by the Government of India (i) in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country and/or (ii) in the event you have tested positive for COVID-19 or have come in close contact with any person who has tested COVID-19 positive. Any personal information uploaded to the cloud will only be used for the purpose of informing you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”

This clause enables the Government to share personal information uploaded to the cloud with “such other necessary and relevant persons” in order to “carry out necessary medical and administrative interventions. This is problematic as the clause is broadly worded allowing the data to be shared with practically anyone that the Government wants.

Moreover, the promises made in the privacy policy can also be detonated through the vagueness of Clause 2 (c) which states:

The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required in order to comply with a legal requirement.” [emphasis supplied]

Nowhere in the policy documents is the phrase “legal requirement” defined. It is not unreasonable to think that this could be defined as whatever the Government wishes. This can lead to excessive collection and use of sensitive personal data. Moreover, true anonymisation of personal data has been debated by technologists and the Government has to prove that it has anonymised the data properly.

4. Very “Limited Liability” - The liability limitation clause of the Terms of Service limits the Government's liability even if inaccurate information is given by the App or in case of failure to generate true positives. It is pertinent to note that this acquits the Government’s liability in case of any harm caused due to incorrect information. Therefore the App’s policies render the App as nothing but another data grabbing exercise.

Moreover, the liability clause also exempts the Government from liability in the event of “any unauthorised access to the [user’s] information or modification thereof” (emphasis supplied). This means that there is no liability for the Government even if the personal information of users are leaked.

5. Restriction on Reverse Engineering

Section 52 clauses (ab) and (ac) of the Copyright Act, 1957 states:

“(ab) the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes by a lawful possessor of a computer programme provided that such information is not otherwise readily available;

(ac) the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied;”

Through the aforementioned provisions a Central Act enables a lawful possessor of a computer programme to do any act to obtain information essential for inter-operability of an independently created computer programme and to determine the ideas and principles which underline any elements of the programme. Essentially, these provisions enable reverse engineering of a lawfully obtained computer programme.

However, the Aarogya Setu app, through Clause 3 of its Terms of Service, restricts the user from reverse engineering the App.

“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”

(emphasis supplied)

Reverse engineering a process through which one is able to study a computer programme and understand how the programme functions and whether the programme is doing only what it is supposed to do or what it was promised by the developers that the app would do.

It is indeed essential for security researchers to study and examine the working of an app like Aarogya Setu which is potentially a surveillance tool that collects the movements and geolocation data of its users.

A provision in a Terms of Service cannot take away a statutory right provided by a Central Act. The former is a violation of the latter. Therefore, this provision within the Terms of Service must be taken off.

Note: We are also doing a technical analysis of the Aarogya Setu app. We will upload more information if we find any more issues.

All Posts | Nov 07,2019

FAQ on surveillance in India.

What exactly is surveillance?

The Merrian - Webster dictionary defines surveillance as “keeping a close watch kept on someone or something”. In the context of this FAQ we refer to the word ‘surveillance’ only to the act of real-time surveillance conducted by Governments through telecommunication systems (namely, telephones and the Internet), though private actors may also conduct surveillance through various methods and offline methods are also used by governments to conduct surveillance.

 

Is there a way that survellience can happen offline as well?

Yes, Section 26 of the Indian Post Office Act, 1898 gives the government the power to intercept articles for public good. It has been mentioned in the section that when there is an occurrence of a public emergency or in the interest of public safety/tranquility an authorized officer of either the state or the central government by making an order in writing can intercept, detain or dispose of any kind of postal article. The subsection (2) of the section mentions that when there is unsurity of if the interception/detention or disposing off was done in public interest, a certificate issued by the government will be conclusive proof. However, for the purpose of this article, we will not be diving into details of offline surveillance.

 

Is suveillance in India legal?

Yes, as there exists a legal framework which enables the Government to conduct surveillance on the occurrence of certain circumstances. However, the surveillance has to be undertaken within the boundaries of this legal framework.

 

Which are the laws that regulate surveillance conducted by the government?

Telephones

1. The Indian Telegraph Act, 1885

  1. Section 3(1AA): Defines what a 'telegraph' is and means, “...any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means...”
  2. Section 5(2): This section is invoked to conduct surveillance over telegraph lines (as defined above, but with the occurence and condition of the pre-requisites of a public emergency or the interest of public safety.

2. Indian Telegraph Rules, 1951

  1. Rule 419A: This provision lays down the procedural law regarding telephone tapping. It was introduced by way of an amendment in 2007, which was necessitated by the Supreme Court's condemnation in the case People's Union for Civil Liberties v. Union of India (AIR 1997 SC 568) of the lack of procedure governing telephone tapping. The provision mandates that telephone tapping can be done only through a lawful order.
diagram explaining how lawful order to tap telephones are procured

Internet

Provisions dealing with Internet surveillance may be found interspersed throughout the Information Technology Act 2000 and several rules made thereunder.

1. Information Technology Act, 2000

diagram depicting the differences between the grounds for interception under Section 5 clause 2 of the Telelegraph Act and Section 69 B of the information technology act

 

  1. Section 69: Modeled extensively after Section 5(2) of the Telegraph Act, allows the Government to engage in surveillance of Internet data. However, there exists no pre- requisites for the invocation of Section 69 when compared with Section 5(2) of the Indian Telegraph Act, 1885 and has enlarged grounds.>
  2. Section 69B: This provision in turn deals with the surveillance of Internet metadata as compared to Internet data. Metadata is any data that gives information about other data. For example, if person A sends a message to person B, then the content of the message will be data and the data such as the time and date of sending and receiving the message, information about the devices from which the message was sent and received, profile information, etc. would be the metadata.

2. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69 of the Information Technology Act.

3. Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69B of the Information Technology Act.

Under both the above Rules, the procedure laid down is substantially similar to the procedure laid down in Rule 419A of the Indian Telegraph Rules, 1951.

In addition to these laws, license agreements such as the Unified Access Service License (UASL), Internet Service License (ISL), and the Unified License (UL) which incorporates the former two licenses between the Department of Telecommunications and telecommunications service providers also enable the government to receive assistance from telecommunication service providers in conducting surveillance. Licensees must also provide in the interests of security, 'suitable monitoring equipment as per the requirement of the DOT or law enforcement agencies.

 

Are there any monitoring systems in place in India?

As per available information, the Central Monitoring System (CMS) and the National Intelligence Grid (NATGRID) are the two intelligence systems in place in India. Also, another system named Network Traffic Analysis (NETRA) was rumoured to be launched in 2014. NETRA was developed by the Centre for Artificial Intelligence and Robotics (CAIR), a lab under the Defense Research and Development Organisation (DRDO). However, not much information is available regarding the project.

In additions to such dedicated systems, state police forces also conduct monitoring of social media platforms and the web. For example, the Mumbai police force monitored social media platforms to tackle fake news surrounding the Maharashtra elections and similarly, the Uttar Pradesh police force has been put on ‘high alert’ in anticipation of the Ayodhya verdict and as part of vigilance, is conducting social media monitoring. However, this is purely not ‘backdoor’ surveillance but a scan and analysis of publicly available social media posts.

 

Which are the government agencies involved or carry out surveillance in India?

In a starred question which was raised in the Lok Sabha and answered on 11.02.2014, the names of the agencies authorised to intercept and collect details of telephonic conversations under Section 5(2) of the Indian Telegraph Act, 1885 read with Rule 419A of Indian Telegraph (Amendment) Rules, 2007. were listed as follows:


# Central Agencies

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Directorate of Enforcement

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Research & Analysis Wing (R&AW)

  9. Directorate of Signal Intelligence, Ministry of Defence - for Jammu & Kashmir, North East & Assam Service Areas only

# State Agencies

  1. Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area only


As per the order of the Ministry of Home Affairs S.O. 6227(E) dated 20.12.2018 the following Security and Intelligence Agences were authorised “for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the Sub-section 69 (1) of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Enforcement Directorate

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Cabinet Secretariat (RAW)

  9. Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only)

  10. Commissioner of Police, Delhi

 

 

What is the remedy available in case you suspect that you have been placed under surveillance illegaly, for example the WhatsApp-NSO scandal?

Judicial recourse is obviously the effective remedy available for negating unlawful monitoring/surveillance efforts by the Government. Illegal monitoring methods, such as the one employed in the WhatsApp-NSO Spyware employs malicious hacking (also known has black-hat hacking) methods which amount to violation of Sections 43 and 66 of the Information Technology Act, 2000, which ascribes liability on the perpetrator of the crime.

Section 43

Section 43 of the Information Technology Act, 2000 deals with penalties and compensation for damage to computer, computer system etc. Section 43 ascribes civil liability to anyone who causes any damage to a computer or a computer system and demands the actor to pay damages (compensation) to the affected person.

Section 66

Section 66 deals with computer related offences. If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both. Section 66 ascribes criminal liability onto the prepetrator of a cyber crime.

 

 

How can I approach forums for securing a remedy?

1. Approaching Cyber Cells

All state police forces have a cybercrime division or a cyber cell or a dedicated cybercrime police station established where victims of cybercrimes can file complaints in case of a malicious cyber incident. First Information Reports can be filed under S. 154 of the Criminal Procedure Code, 1973 in case you are a victim of a cyber crime such as malicious hacking.

It is advised to provide as much information as you can while filing such complaints, including information regarding application and system logs, IP addresses, relevant screenshots. It would be wise to approach a cyber security expert or a digital forensics examiner if you are unaware of how to retrieve necessary information.

2. Approaching Magistrate Courts

If under any circumstances, the police officer/cell refuses to receive or investigate your complaint, recourse may be taken by approaching the Magistrate court through Section 156 (3) read with Section 190 of the Criminal Procedure Code, 1973 by filing a private complaint and seek a direction to the police station concerned to investigate the matter (called a ‘forwarding petition’).

3. Approaching the High Courts

If you suspect that you are being placed under surveillance through an illegal order in contravention to Section 5(2) of the Indian Telegraph Act, 1955 and Rule 419A of the Indian Telegraph Rules, 1951, or under Section 69 of the Information Technology Act, 2000, you can approach the appropriate state High Court under Article 226 of the Constitution of India invoking the ‘writ’ jurisdiction of the High Court to quash the illegal surveillance order and also for exemplary compensation. It is advisable to obtain relevant information regarding the surveillance order by filing RTI applications.

If you suspect that you are a victim of the WhatsApp-NSO Spyware row, then you can approach the High Court if your name has been revealed in any list released by Citizen Lab or any other publicly reported list.

What if the Information Officer under the State/Central authority refuses to furnish information your RTI Application is rejected citing exemptions under Section 8 of the Right to Information Act, 2005 or is delayed?

Under the RTI Act, application for information maybe refused to be furnished citing exemption from disclosure under different grounds enumerated in Section 8 of the Act (and also Section 9 if it infringes copyright of a person other than the State).

Normally, information sought by an application under the RTI Act, has to be furnished within 30 days from the receipt of the application by the public authority and if the information sought for by the applicant is concerned with the life and liberty of a person, it is to be provided within 48 (forty-eight) hours.

If any of the above is a case concerning your application or if you are not satisfied with the information supplied to you, you can still raise an appeal (within 30 days) to the first appellate authority (who is an officer senior in rank to the Information Officer) in the office of the public authority wherein you sought the application. If in case the first appellate authority also furnishes unsatisfactory information, you can approach the State/Central Information Commission (depending on whether the public authority is under the State or Central Government) by filing an appeal.

All Posts | Oct 31,2019

Our Statement on the WhatsApp Surveillance Issue

Our Statement on the WhatsApp Surveillance Issue

The use of sophisticated surveillance technology by governments violates basic human rights of privacy and free speech on the Internet. Vulnerable groups including journalists, minorities and lawyers rely on end-to-end encryption technology, like the one offered by WhatsApp, to remain secure online. Targeting journalists, academics and civil society by using surveillance technology, compromises constitutional and democratic principles on which our nation is built. Governments should refrain from using such methods which affect the security infrastructure the Internet is built on. At SFLC.in we've always argued that the Indian government must introduce comprehensive surveillance reform law to protect the rights of citizens. A few years back, we wrote a report on surveillance in India highlighting some major issues. We also conduct Digital Security Trainings for vulnerable groups such as - journalists and minorities to spread awareness about digital security practices such as encryption over the web - emails, browsers and texting apps.

To support our work on fighting for privacy and security online, you may donate to us at - https://sflc.in/donate.

All Posts | Jun 13,2019

TRAI Consultation on OTT Regulation – Follow-up Submission on Surveillance Reform

On 20 May 2019, during TRAI’s 'Open House Discussion' in Delhi on OTT communication services, certain arguments were raised regarding national security concerns surrounding encrypted communication services, including those services that have end-to-end encryption. The prime factor in these arguments was that terrorists could use end-to-end encrypted communication services to securely communicate among themselves, and such communication cannot be intercepted in time to gather intelligence and act swiftly. It was stated that if all communication could be intercepted in real-time, then terrorist activities could be prevented.

If one places themselves in the shoes of a sovereign that has the responsibility to protect the country from external threats, the prospect of legally requiring an app or a service to hand over all data or information is alluring. After all, this has been done for more than a century with letters, telegram and telephone. Letters could be opened, and telephone and telegram networks could be tapped. Why then, one might wonder, should digital services be treated any differently?

By way of a follow-up submission to TRAI on its public consultation on a regulatory framework for OTT communication platforms, we have addressed the technical and legal concerns around mass monitoring of online communication and the need for reforming surveillance law in India.

Our submission to TRAI can be downloaded below. Our comments and counter comments to TRAI's public consultation on OTT communication services can be downloaded from - here and here, respectively.

All Posts | Apr 12,2019

A ‘Digital Rights Reform Agenda’ for India – What Have Political Parties Missed Out this Election Season?

Yesterday, India entered 7-phases of national elections spanning a little over a month. This election season, we bring to you a ‘Digital Rights Reform Agenda’ which is missing from most political parties’ promises and manifestos. We believe that these topics should be on the agenda list of all political outfits in India claiming a stake on parliament seats. A list of key digital rights issues worthy of political importance are (more…)

All Posts | Apr 04,2019

A Look at Party Manifestos for the 17th Lok Sabha Elections- Will Political Parties Defend Our Digital Freedom?

The 7-phase, 17th Lok Sabha elections will begin on April 11, 2019 and continue until May 19, 2019. Five major national parties – Indian National Congress, Bharatiya Janta Party, Communist Party of India (Marxist), Communist Party of India and All India Trinamool Congress have released their manifestos[fn]CPI (M) Election Manifesto, https://cpim.org/pressbriefs/cpim-election-manifesto-17th-lok-sabha;

CPI Election Manifesto, https://www.communistparty.in/blog/election-manifesto-of-the-communist-party-of-india-for-the-17th-lok-sabha-elections-2019;

TMC Election Manifesto, http://aitcofficial.org/wp-content/uploads/2019/03/TMC-MANIFESTO-Eng.pdf;

INC Election Manifesto, https://manifesto.inc.in/en/index.html

BJP Election Manifesto, http://www.documentcloud.org/documents/5798075-Bjp-Election-2019-Manifesto-English.html[/fn], outlining party priorities and future course of action the parties promise to take if voted to power. At of the time of publication of this post, Aam Aadmi Party has not released its manifesto. We will update this blog as and when it is published. Acknowledging the indispensable role of digital technology in society and its capacity to impact our human rights, most party manifestos have touched upon digital rights.

We studied these manifestos and have captured promises made by these five national parties on digital rights. Kindly refer to the following table for a comparison:

All Posts | Apr 01,2019

Our Comments to DPIIT on the Draft National E-commerce Policy

On 23rd February, 2019, the Department for Promotion of Industry and Internal Trade (“the DPIIT”) released the Draft National E-Commerce Policy (“the Draft Policy”) with the objective to help stakeholders fully benefit from opportunities arising from the progressive digitization of the domestic digital economy and establish a level playing field for all stakeholders in the digital economy.

Though, titled as the ‘National E-Commerce Policy’ the document addresses a wide range of subjects, such as data protection and ownership, cross-border data flow, foreign investment, tax, competition issues, intellectual property and intermediary liability, among other things. These issues affect a number of stakeholders and industries in addition to e-commerce websites and their consumers.

Our comments, inter alia, address issues with the Draft Policy like - jurisdiction of the DPIIT, data ownership and sovereignty, data localisation, intermediary liability and law enforcement access to data. Our detailed comments are as follows: