Monthly Archives: February 2014

US Government Seeks An Order From FISA Court For Extended Storage Of Telephone Metadata And Call Records

Privacy protection in the information era has posed many novel challenges for governments around the world. Until now, governments around the world have conveniently ignored civil liberties protection in cyberspace. They simply presumed that there is no such thing as privacy in cyberspace. They have also felt no need to reconcile national security aspects with civil liberties protection.

However, developments at the United Nations (UN) level have proved that civil liberties in cyberspace cannot be brushed away so lightly. The United Nations (UN) Third Committee recently approved a text titled Right to Privacy in the Digital Age, and this has put some pressure upon governments around the world to respect civil liberties in cyberspace. Further, the blatant and unconstitutional e-surveillance and eavesdropping exercises by intelligence agencies like the National Security Agency (NSA) and Government Communications Headquarters (GCHQ) have also evoked sharp criticism from civil liberty activists and the general public at large.

This has led to a change of policy regarding e-surveillance in the U.S. Recently, the Massachusetts Supreme Judicial Court ruled that phone users have a reasonable expectation of privacy. Similarly, the White House is considering options to restructure the NSA’s phone surveillance program.

In a related development, the U.S. Government has moved the Foreign Intelligence Surveillance Court (FISA Court) under the Foreign Intelligence Surveillance Act, 1978 (FISA Act) to amend the primary order No. BR 14:01. In Re Application of the Federal Bureau of Investigation for an Order Requiring Extended Storage of Telephone Metadata and Call Records (PDF), the U.S. Government has sought permission from the FISA Court to allow it to preserve and store certain call data records or telephone metadata (BR Metadata) beyond the initial period of five years.

The Government has assured that such extended retention would be managed under strict conditions and for the limited purpose of allowing the Government to comply with its preservation obligations arising from civil lawsuits filed against it. These lawsuits have challenged the legality of the NSA’s Section 215 bulk telephony metadata collection program. The Government maintains that while the Court’s Primary Order requires destruction of the BR Metadata after 5 years, the Government is required to retain such data beyond 5 years because of its preservation obligations in the pending suits.

The parties that have filed the suits have confirmed that they have no objection if the entire database is deleted as per the original order. They maintain that this is just an excuse to keep the data for a longer period than authorised by the FISA Court.

GCHQ And NSA Intercepted And Stored Webcam Images Of Millions Of Innocent Internet Users

Interception and storing of the communications and data of terrorists and hard core criminals is a common practice around the world. However, interception and storing of the communications and data of innocent Internet surfers is something that is very hard to justify. It is still a mystery why intelligence and security agencies around the world pay so much attention to illegal and unconstitutional e-surveillance and eavesdropping activities and projects.

It has been reported that Britain’s surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of Internet users not suspected of any wrongdoing. This goes against the stand of the UK and US intelligence agencies that they conduct e-surveillance against criminals and terrorists alone.

In one six-month period in 2008 alone, GCHQ collected webcam imagery, including substantial quantities of sexually explicit communications, from more than 1.8 million Yahoo user accounts globally. Yahoo reacted furiously to the webcam interception when approached by the Guardian and it denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy”.

Rather than collecting webcam chats in their entirety, the e-surveillance program saved one image every five minutes from the users’ feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ’s servers. The documents describe these users as “unselected”, intelligence agency parlance for bulk rather than targeted collection.

GCHQ did make efforts to limit analysts’ ability to see webcam images, restricting bulk searches to metadata only. However, analysts were shown the faces of people with similar usernames to surveillance targets, potentially dragging in large numbers of innocent people. One document tells agency staff they were allowed to display “webcam images associated with similar Yahoo identifiers to your known target”.

Microsoft, the maker of Xbox, faced a privacy backlash last year when details emerged that the camera bundled with its new console, the Xbox One, would be always-on by default. It seems users have to be more cautious with their webcams, as episodes like these are not rare these days.

White House Has Limited And Difficult Options To Restructure National Security Agency’s Phone Surveillance Program

The National Security Agency (NSA) of the United States (U.S.) is facing increased allegations of illegal and unconstitutional e-surveillance of U.S. and foreign nationals. The methods used by the NSA to conduct e-surveillance range from traditional telephone tapping to the use of radio waves and malware. On the judicial side, gag orders are frequently used by the Federal Bureau of Investigation (FBI) and other U.S. agencies to prohibit disclosure of details about National Security Letters (NSLs), which are very frequently issued in the U.S.

Clearly, privacy rights in the information era are very difficult to protect in these circumstances. Similarly, civil liberties protection in cyberspace is the need of the hour, yet it is neglected by countries across the world with great impunity. When U.S. companies agitated and showed their displeasure with the existing system, the Department of Justice (DOJ) announced new reporting methods for national security orders.

The White House was forced to interfere in this situation that has crossed all the limits of constitutionality. President Barack Obama in January asked U.S. intelligence agencies and the attorney general to report by March 28 on alternatives for revamping the program in a way that would take it out of the NSA’s hands. Under the current program, the NSA collects millions of U.S. phone records from three phone companies, which former officials have identified as AT&T Inc., Verizon Communications Inc. and Sprint Corp. Obama administration officials have sought to preserve the collection of phone records in a way that raises fewer concerns about privacy.

The White House has been provided four options for restructuring the NSA’s phone-surveillance program. The Office of the Director of National Intelligence and the Justice Department have provided these options ahead of the scheduled deadline.

One way of doing that would have the phone companies retain the data, officials said. The NSA would then tell the companies when it needs searches of call records concerning specific phone numbers the agency believes are connected to terrorism. The companies would provide the results to the NSA. Under this model, the NSA would only collect the data that comes in response to the search, rather than millions of unrelated American phone records.

Several lawmakers have proposed legislation on Capitol Hill that would take this approach. But telecommunications companies oppose this option. Phone companies likely would demand liability protection and possibly other conditions to avoid outside demands for data—for instance, for run-of-the-mill legal cases such as divorce proceedings. Already, some criminal defendants have sought access to the NSA records, claiming the data could help show their innocence.

The phone-company option is also opposed by the chairman of the House intelligence committee, Rep. Mike Rogers (R., Mich.), who told The Wall Street Journal this week that the proposal doesn’t have enough support for committee approval and a House floor vote.

The second option suggests that a government agency other than the NSA can hold the data. Candidates for this option could include the FBI. It has also been suggested that the custody of the program may be given to the Foreign Intelligence Surveillance Court (FISA), which oversees the phone-data and other NSA surveillance programs. However, the FISA Court is not willing to shoulder the additional responsibilities that are full of controversies.

A third option would be for an entity outside the phone companies or the government to hold the data.  This approach has been criticised by privacy groups who say such a third party would just become an extension of the NSA and would provide no additional privacy benefit.

It seems none of the three options for relocating the data has been able to gain a consensus. If the above three options are not accepted, this would leave only one option to be explored. In such a scenario, the fourth option is to abolish the program altogether, which would be a setback for intelligence agencies and other backers of the surveillance effort.

If the fourth option is exercised, the investigative capabilities of the law enforcement agencies and other agencies of the U.S. would need to be significantly enhanced to meet the demands of modern day crimes. U.S. agencies must understand that e-surveillance is not a substitute for effective cyber skills and investigation capabilities.

Massachusetts Supreme Judicial Court Rules That Phone Users Have Reasonable Expectation Of Privacy

Recently the Massachusetts Supreme Judicial Court decided the issue of a phone user’s reasonable expectation of privacy in the case of Commonwealth v. Shabazz Augustine No. SJC-11482 (PDF). New Jersey’s highest court came to a similar conclusion last year when it ruled that people have a constitutional right to privacy in cell-phone location information.

The issues of privacy violation through use of technology were discussed many decades back in the United States (U.S.) at the federal level. The cases of Katz v. United States, 389 U.S. 347 (1967) (PDF) and Smith v. Maryland – 442 U.S. 735 (1979) (PDF) are a few of the legal decisions that have been given by the U.S. Supreme Court in this field. These decisions are binding upon all the states of the U.S.

As far as India is concerned, the cell site data location laws in India and privacy issues are still ignored by Indian law makers. Cell site location based e-surveillance in India is rampant, without any regulatory checks or judicial scrutiny. We have no dedicated data protection and privacy rights laws in India. Even the Parliamentary Committee slammed the Indian government for poor privacy laws in India.

In Shabazz’s case, the Court held that, generally, Massachusetts law enforcement agencies may not track a suspect’s physical movements using cellphone data without getting a warrant. The Court held that people have a reasonable expectation that their phones won’t be used by the government to keep periodic tabs on their general whereabouts.

“Even though restricted to telephone calls sent and received (answered or unanswered), the tracking of the defendant’s movements in the urban Boston area for two weeks was more than sufficient to intrude upon the defendant’s expectation of privacy,” the majority opinion said.

Until the ruling, law enforcement in the state could obtain a suspect’s phone location records by showing a court that they’re relevant and material to an ongoing probe, the standard required under federal law. That’s a lower bar than a warrant, which requires police to demonstrate that they have probable cause to believe the suspect committed or is about to commit a crime.

Orin Kerr observes that the question before the court was whether the searches were consistent with the state’s Constitution and not the U.S. Constitution. “This means that the decision is binding on Massachusetts state law enforcement,” writes Mr. Kerr, “but it does not apply to federal law enforcement (whether in Massachusetts or outside it).”

On the federal side, a divided Fifth U.S. Circuit Court of Appeals panel in Louisiana ruled in July that the government may compel a cell-phone company to turn over 60 days’ worth of cell phone location data without establishing probable cause. The cellphone tracking issue is also pending in the Fourth and 11th Circuits, according to Matthew Segal, legal director of the ACLU Foundation of Massachusetts in Boston.

However, the tracking of an accused through a cellphone would very soon be only an academic discussion, as U.S. agencies are using much more sophisticated and undetectable methods to conduct e-surveillance. For instance, the National Security Agency (NSA) of the U.S. has been using radio waves and malware to indulge in covert eavesdropping and e-surveillance.

Similarly, the Federal Bureau of Investigation (FBI) has long been issuing national security letters (NSLs), citing national security requirements. The FBI maintains that not only the contents of these NSLs but also the mere fact of their receipt must be kept secret by the recipient. It is only now that the Department of Justice (DOJ) of the U.S. has announced new reporting methods for National Security Orders.

The way things are taking shape, cell phone location data would be a method and technology of the past.

AIIMS Bhubaneswar Will Launch Electronic Health Card

Medical services and technology are increasingly being used together to provide effective and time-bound services. While this is a welcome move, regulatory compliances cannot be kept at bay while providing such services.

In the Indian context, regulatory compliances are frequently ignored and violated. Whether it is online pharmacies, e-health, m-health, telemedicine, or mobile medical devices and applications, stakeholders in the medical field are openly flouting the applicable norms and regulations.

Although we have no law on the lines of the United States’ Health Insurance Portability and Accountability Act of 1996, there are numerous statutory provisions that must be complied with. These include privacy law compliances, data protection requirements (PDF), cloud computing compliances, encryption related compliances, cyber law due diligence (PDF), etc.

It has been reported that the All India Institute of Medical Sciences (AIIMS) Bhubaneswar will launch an electronic health card, a smartcard-based automated system to store and manage the medical records of patients receiving treatment in the institution. The project entails simplification of the process for both the hospital administration and the patients by creating a computerised medical database. While this is a welcome move, techno legal compliances seem to have been ignored. There are not even hints of ensuring effective and techno legal cyber security for such an e-health records database.

The proposed card will store individual patient records right from registration through primary consultation, diagnosis, pathological and other diagnostic tests, and medicines prescribed during every visit to the hospital. This data is sensitive personal information that has to be protected both legally and technologically. But there seems to be no sign of the same so far.

The e-health card would be introduced in a phase-wise manner starting off with the students, faculty members, AIIMS staff and patients suffering from chronic illnesses that require frequent visits and follow-ups before making it available to the general public. Initially around 10,000 to 20,000 such cards would be issued. The smartcard is also planned to be made part of the integrated hospital information management system (HMIS) network being implemented across the six new AIIMS in the country.  This would enable seamless consultation and treatment of patients between the institutions.

We at Perry4Law welcome these reformative and pro health initiatives of AIIMS and the Indian government. However, we also strongly recommend that techno legal issues of e-health records must also be ensured beforehand, before this much needed project is implemented. These types of projects have serious privacy, data protection and cyber security implications and the same must be kept in mind while launching the project. Fortunately, these aspects seem to be within the knowledge of AIIMS and we can expect their due implementation in the future as well.

Parliamentary Committee Slams Indian Government For Poor Privacy Laws In India

Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

Privacy Rights in India are in really bad shape. This is more so when it comes to cyberspace as Civil Liberties Protection in Cyberspace is still an unachievable dream for Indian Citizens. We have no dedicated Data Protection Laws in India (PDF) and both Privacy and Data Protection aspects are at the mercy of those who are well committed to violate the same.

For instance, India has launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

We at Perry4Law have been stressing for years that India needs a Dedicated, Holistic and Comprehensive Privacy Legal Framework. However, the Indian Government has been “Deliberately Postponing” formulation and implementation of a good Privacy Law in India. A dedicated Privacy Law is urgently required as emerging fields/areas like E-Commerce, Online Pharmacies, Mobile Application Development, Cloud Computing, Encryption Laws, Website Development, M-Health, Telemedicine, E-Mail Policies, Online Payment Service Providers, Mobile Payment, Payment Gateway and POS Terminal Service Providers, etc. would absolutely rely upon such a Privacy Law.

Even the Parliamentary Standing Committee on Information Technology in its report titled “Cyber-Crime, Cyber Security and Right to Privacy”, which was submitted on February 10, has slammed Indian Government for not coming up with a Dedicated Privacy Legislation.

“The Committee are extremely unhappy to note that the government is yet to institute a legal framework on privacy”, the report states. The 88-page report also shows that the members of Parliament are both aware and concerned about issues of privacy, noting that, “balancing cyber security and right to privacy is extremely complex.” However, CERT-IN’s efforts regarding strengthening India’s cyber security have been appreciated by the Committee.

Surprisingly, various Government Officials and Bureaucrats tried to convince the Committee that the scanty provisions under the Information Technology Act, 2000 are enough to protect Privacy and Data Protection Rights in India. They also tried to convince the Committee that the present IT Act, 2000 is equipped to deal with the growing incidences of Cyber Crimes in and Cyber Attacks against India and Indian Citizens. However, I personally believe that the Cyber Law of India and the Indian Telegraph Act, 1885 deserve an “Urgent Repeal”. If the Base Laws themselves are “Illegal and Unconstitutional”, deriving Privacy Rights Protection out of them is a fatal mistake. This also means that a Comprehensive and Holistic Privacy Law must be separately enacted by Indian Government.

Fortunately, the Committee has rightly rejected the Government’s contention that the IT Act was sufficient to protect the Privacy of Citizens and Human Rights. The Privacy Rights in India in the Information Era cannot be protected in the manner suggested by the Indian government and its officials. Rather, these methods are used to “Subvert” Privacy Rights in India and this is exactly what is happening in India.

In India, Phone Tapping and Interceptions are done without a Court Warrant and by the Executive Branch under the Constitution of India. Phone Tapping in India is “Unconstitutional” and the Parliament of India has not thought it fit to enact a “Constitutionally Sound Law” for Phone Tappings and Lawful Interceptions. India’s stand also violates the United Nations’ Resolution on Right to Privacy in the Digital Age.

The Committee has recommended that, “The Department of Electronics and Information Technology (DeitY) in coordination with Department of Personnel and Training, multidisciplinary professionals/experts should come out with a comprehensive and people-friendly policy that may protect the privacy of citizens and is also fool-proof from security point-of-view”.

I personally believe that it is high time for the Indian Government to enact a Techno Legal Privacy Law of India as soon as possible.