Access To Knowledge (A2K)

Draft Human DNA Profiling Bill (April 2012): High Level Concerns

elonnai — 2013-07-12T15:36:59Z

In 2007 the Draft Human DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, with the objective of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked. The February 2012 Bill was drafted by the Department of Biotechnology. Another working draft of the Bill was created in April 2012. The most recent version of the Bill seeks to create DNA databases at the state, regional, and national level.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized. Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.

Broad offences and instances of when DNA can be collected

The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This allows the scope of the database to be expansive, as any individual who has committed an offence found under any of these Acts to be placed on the DNA database, and might include offences for which DNA evidence is not useful.

In the schedule under section C Civil disputes and other civil matters the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:

(v) Issues relating to immigration or emigration
(vi) Issues relating to establishment of individual identity
(vii) Any other civil matter as may be specified by the regulations of the Board

In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes

Recommendation: Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.

Inadequate level of authorization for sharing of information

The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.

Section 35 (1): “…shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.”

Recommendation: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.

Inaccurate understanding of infallibility of DNA

The preamble to the Bill inaccurately states:

The Dexoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.

Recommendation: The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and that error can take place in the chain of custody of the DNA sample.

The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.

Inadequate access controls

The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.

Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.

Recommendation: Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.

Lack of standards and process for collection of DNA samples

In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.

Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule.

Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12.
Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling.

Recommendation: According to the Criminal Procedure Code, section 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.

Inadequate appeal process

The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the board and the central government are defined, thus it is unclear what actions the Board or the Central Government would be able to take on complaint.

Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.

Recommendation: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc. These must be enumerated in the provisions of the Act.

Inclusion of population testing

Though the main focus of the Bill is for the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.

Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, Den Delhi-Member.

Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, or the purposes of identification research, protocol development or quality control provide that it does not contain any personally identifiable information and does not violate ethical norms.

Recommendation: Delete these provisions. If DNA testing is going to done for population analysis purposes, regulations for this must be provided for in a separate legislation, stored in separate database, informed consent taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.

Provisions delegated to regulation that need to be incorporated into text of Bill

The Bill empowers the board to formulate regulations for, and the Central Government to make Rules to, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which when enacted will only allow for DNA Labs to be certified and DNA databases to be established. Aspects that need to be included as provisions include:

Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely

Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.
Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.
Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources a manner of collection of samples in addition to the lists contained in the Schedule.
Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.
Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction.

Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act

Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35
Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37
Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37
Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43
Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule.

Broad Language that needs to be specified or deleted

There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used includes:

Preamble: There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.

Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.
Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act.
Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time.
Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.
Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communication, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.
Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board.
Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed.
Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified y the regulations made by the Board.

Recommendation: All broad and vague language should be deleted and replaced with specific language.

Jurisdiction

Section 1(2) It extends to the whole of India.

Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed.

The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.

Inconsistent provisions

The Bill contains provisions that are inconsistent including:

Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto.
Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…

Recommendation: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.

Inadequate qualifications of DNA Data Bank Manager

Section 33: “The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.”

Recommendation: This is not sufficient qualifications. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.

Lack of restrictions on labs seeking certification

According to section 16(2), before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.”
Recommendation: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.

Incomplete terms for use of DNA in courts

Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court.
Recommendation: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. Included in this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and if confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.

Inadequate privacy protections

Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.

Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, store DNA samples or DNA analyses with a view to ensure that such protections are sufficient.”

Recommendation: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.

Missing Provisions

Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.
Consent: There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decisions and order that a DNA sample be taken. In all cases that DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.
Right to request deletion of DNA profile from database: There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts.
Right of individuals to bring a private cause of action: There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database.
Right to review one's personal data: There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database.
Independence of DNA laboratories and DNA banks from the police: There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence.
Established profiling standard: The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling.
Destruction of DNA samples: There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.

For more details visit https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012

Draft Circular on Digital Lending – Transparency in Aggregation of Loan Products from Multiple Lenders

garima — 2024-07-03T16:40:51Z

CIS is grateful for the opportunity to submit comments on the “Draft Circular on Digital Lending: Transparency in Aggregation of Loan Products from Multiple Lenders” to the Reserve Bank of India. We welcome the opportunity provided to comment on the guidelines, and we hope that the final guidelines will consider the interests of all the stakeholders to ensure that it protects the privacy and digital rights of all consumers, including marginalised and vulnerable users, while encouraging innovation and improved service delivery in the fintech ecosystem. Our comments look at two concerns addressed by the draft guidelines, i.e. reducing information asymmetry and market fairness. In addition to this we share comments around a third concern that requires additional scrutiny, i.e. data privacy and security.

Edited and reviewed by Amrita Sengupta

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on the internet and digital technologies from policy and academic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around the internet, technology and society in India, and elsewhere.

CIS is grateful for the opportunity to submit comments on the “Draft Circular on Digital Lending: Transparency in Aggregation of Loan Products from Multiple Lenders” to the Reserve Bank of India. Over the last twelve years, CIS has worked extensively on research around privacy, online safety, cross border flows of data, security, and innovation. We welcome the opportunity provided to comment on the guidelines, and we hope that the final guidelines will consider the interests of all the stakeholders to ensure that it protects the privacy and digital rights of all consumers, including marginalised and vulnerable users, while encouraging innovation and improved service delivery in the fintech ecosystem.

Introduction

The draft circular on ‘Transparency in Aggregation of Loan Products from Multiple Lenders’ is a much needed and timely document that builds on the Guidelines on Digital Lending. Both documents have maintained the principles of customer centricity and transparency at their core. Reducing information asymmetry and deceptive patterns in the digital lending ecosystem is of utmost importance, given the adverse effects experienced by borrowers. Digital lending is one of the fastest-growing fintech segments in India,^{^[1]} having grown exponentially from nine billion U.S. dollars in 2012 to nearly 150 billion dollars by 2020, and is estimated to reach 515 billion USD by 2030.^{^[2]} At the same time, accessing digital credit through digital lending applications has been found to be associated with a high risk to financial and psychological health due to a host of practices that lead to overindebtedness.^{^[3]} These include post contract exploitation through hidden transaction fees, abusive debt collection practices, privacy violations and fluctuations in interest rates. Both illegal/fraudulent and licensed lending service providers have been employing aggressive marketing and debt collection tactics^{^[4]} that exacerbate the risks of all the above harms.^{^[5]} With additional safeguards in place, the guidelines can provide a suitable framework to ensure borrowers have the opportunity and information needed to make an informed decision while accessing intermediated credit, and reduce harmful financial and health related consequences.

In this submission, we seek to provide some comments on the broader issues the guidelines address. Our comments recommend additional safeguards, keeping in mind the gamut of services provided by lending service providers (LSPs). We will frame our comment around two main concerns addressed by the draft guidelines: 1) reducing information asymmetry 2) market fairness. In addition to this we will share comments around a third concern that requires additional scrutiny, i.e. 3) data privacy and security.

Reducing Information Asymmetry

The guidelines aim to define responsibilities of LSPs in maintaining transparency to ensure borrowers are aware of the identity of the regulated entity (RE) providing the loan, and make informed decisions based on consistent information to weigh their options.

Comments: Guideline iii suggests that the digital view should include information that helps the borrower to compare various loan offers. This includes “the name(s) of the regulated entity (RE) extending the loan offer, amount and tenor of loan, the Annual Percentage Rate (APR) and other key terms and conditions” alongside a link to the key facts statement (KFS). The earlier ‘Guidelines on Digital Lending’ specifies that APR should be an all-inclusive cost including margin, credit costs, operating costs, verification charges, processing fees etc. only excluding penalties, and late payment charges.

Recommendations: All users of digital lending services may not be aware that APR is inclusive of all non-contingent charges. Requiring digital loan aggregators to provide messages/notifications boosting consumer awareness of regulations and their rights can help reduce violations. We also recommend that this information is made available in various languages such that a wide range of users are able to access this information. Further we recommend that accountability be laid on the LSPs to adhere to an inclusive platform design that allows for easy access to this information.

Market Fairness

Guidelines ii-iv also serve to outline practices to curb anti-competitive placement of digital loan products through regulating use of dark patterns and increasing transparency.

Comments: Section ii mandates that LSPs must disclose the approach utilised to determine the willingness of lenders to offer a loan. Whether this estimation includes factors associated with the customer profile like age, income and occupation etc. should be clearly disclosed as well.

Recommendations: Alongside the predictive estimate of the lender’s willingness, to improve transparency loan aggregators may be asked to share an overall rate of rejection or approval as well within the digital view.

While the ‘Guidelines on Digital Lending’^{^[6]} clearly state that LSPs must charge any fees from the REs and not the borrowers, further clarification should be provided on whether LSPs can charge fees for loan aggregation services themselves, i.e. for providing information of available loan products.

Privacy and Data Security

The earlier ‘Guidelines on Digital Lending’^{^[7]} require LSPs to only store minimal contact data regarding the customer and provide consumers the ability to seek their data being removed, i.e. the right to be forgotten by the provider, once they are no longer seeking their services. Personal financial information is not to be stored by LSPs. It is the responsibility of REs to ensure that LSPs do not store extraneous customer data, and to stipulate clear policy guidelines regarding the storage and use of customer data.

Comments: It is important to ascertain the nature of anonymised and personally identifiable customer data that may be currently utilised by LSPs or processed on their platforms, in the course of providing a range of services within the digital credit ecosystem to borrowers and lenders.

Certain functions that loan aggregators perform may expand their role beyond a simple intermediary. LSPs also provide services assessing borrower’s creditworthiness, payment services, and agent-led debt collection services for lenders. Some LSPs may be involved in more than one stage of the loan process which may make them privy to additional personal information about a borrower. There may be cases in which a consumer registers on an LSP’s platform without going ahead with any loan applications. It is unclear who is responsible for maintaining data security and privacy or providing grievance redressal at these times.

Section ii allows them to provide estimates of lenders’ willingness to borrowers. Some LSPs connecting REs with borrowers may also provide services using alternative and even non-financial data to assess the creditworthiness of thin-file credit seekers. Whether there are any restrictions on the use of AI tools in these processes, and the handling of customer data should also be clarified or limited. The right to be forgotten may be difficult to enforce with the use of certain machine learning and other artificial intelligence models. As innovation in credit scoring mechanisms continues, it is also important to bring such financial service providers under the ambit of guidelines for digital lending platforms.

Recommendations: The burden of maintaining privacy and data security should fall on aggregators of loan products in addition to regulated entities as well. Include guidelines limiting the use of PII (and PFI if applicable) for purposes other than connecting borrowers to a loan provider without consumer consent. Informed and explicit consumer consent should be sought for any additional purposes like marketing, market research, product development, cross-selling, delivery of other financial and commercial services, including providing access to other loan products in the future.

Often consumers are required to register on a platform by providing contact details and other personal information. An initial digital view of loan products available could be displayed for all users without registering to help borrowers determine whether they would like to register for the LSP’s services. This can help reduce the amount of consumer contact information and other personally identifiable information (PII) that is collected by LSPs.

Emerging Risks

Emerging consumer risks within the digital lending ecosystem expose borrowers to additional risks like over-indebtedness and risks arising from fraud, data misuse, lack of transparency and inadequate redress mechanisms.^{^[8]} These draft guidelines clearly layout mechanisms to reduce risks arising from lack of transparency. Similar efforts need to be put behind reduction of data misuse by delimiting the time period and – and the risk for overindebtedness

One of the biggest sources of consumer risk has been at the debt recovery stage. Aggressive debt collection practices have had deleterious effects on consumers’ mental health, social standing and even lead some to consider suicide. Extant guidelines assume a recovery agent will be contacting the consumer.^{^[9]} LSPs may also set up automated payments and use digital communication like app notifications, messages and automated calls in the debt recovery process as well. The impact of repeated notifications and automated debt payments also needs to be considered in future iterations of guidelines addressing risk in the digital lending ecosystem.

^{^[1]} “Funding distribution of FinTech companies in India in second quarter of 2023, by segment”, Statista, accessed 30 May 2024, https://www.statista.com/statistics/1241994/india-fintech-companies-share-by-segment/

^{^[2]} Anushka Sengupta, “India’s digital lending market likely to grow $515 bn by 2030: Report”, Economic Times, 17 June 2023, https://bfsi.economictimes.indiatimes.com/news/fintech/indias-digital-lending-market-likely-to-grow-515-bn-by-2030-report/101057337

^{^[3]} “Mobile Instant Credit: Impacts, Challenges, and Lessons for Consumer Protection”, Center for Effective Global Action, September 2023, https://cega.berkeley.edu/wp-content/uploads/2023/09/FSP_Digital_Credit_Research_test.pdf

^{^[4]} Jinit Parmar, “Ruthless Recovery Agents, Aggressive Loan Outreach Put the Spotlight on Bajaj Finance”, Moneycontrol, 18 April 2023, https://www.moneycontrol.com/news/business/ruthless-recovery-agents-aggressive-loan-outreach-put-spotlight-on-bajaj-finance-10423961.html

^{^[5]} Prudhviraj Rupavath, “Suicide Deaths Mount after Unregulated Lending Apps Resort to Exploitative Recovery Practices”, Newsclick, 26 December 2020 https://www.newsclick.in/Suicide-Deaths-Mount-Unregulated-Lending-Apps-Resort-Exploitative-Recovery-Practices

Priti Gupta and Ben Morris, “India's loan scams leave victims scared for their lives”, BBC, 7 June 2022, https://www.bbc.com/news/business-61564038

^{^[6]} Section 4.1, Guidelines on Digital Lending, 2022.

^{^[7]} Section 11, Guidelines on Digital Lending, 2022.

^{^[8]} “The Evolution of the Nature and Scale of DFS Consumer Risks: A Review of Evidence”, CGAP, February 2022, https://www.cgap.org/sites/default/files/publications/slidedeck/2022_02_Slide_Deck_DFS_Consumer_Risks.pdf

^{^[9]} Section 2, Outsourcing of Financial Services - Responsibilities of regulated entities employing Recovery Agents, 2022.

For more details visit https://cis-india.org/internet-governance/blog/draft-circular-on-digital-lending-2013-transparency-in-aggregation-of-loan-products-from-multiple-lenders

Draft bill proposes Rs 1 crore fine, 3 year jail for data privacy violation

Admin — 2018-06-29T16:48:48Z

The move comes at a time when user data of Indians is under threat from social media firms accused of data mining and sharing information with private companies for advertising and marketing purposes. There has also been a growing concern over Aadhaar.

The article by Vidhi Choudhury was published in the Hindustan Times on June 8, 2018. Sunil Abraham was quoted.

Even as a 10-member government panel is due to submit its recommendations for a new data privacy bill, a group of lawyers on Friday uploaded a model citizens’ code, which they said could give the panel pointers to what India’s final privacy law should be.

The Internet Freedom Foundation (IFF) launched its community project, ‘Save our Privacy’, in what it described as a bid to safeguard individuals’ right to privacy. This model code, titled ‘Indian Privacy Code, 2018’, has been drafted by lawyers such Gautam Bhatia, Apar Gupta and Raman Jit Singh Chima, among others.

Many of these lawyers made a joint submission to the Justice BN Srikrishna Committee in the past. On Friday, they sent him an email with the copy of the code with its seven core principles. The core principles follow what IFF calls a “rights-based approach to protect people from harmful use of their personal data”.

“In a world where personal data has power, people need to be put in charge of their own lives,” said New Delhi-based lawyer Apar Gupta.

The draft bill sets a penalty of up to Rs 1 crore for the violation of privacy of citizens and a prison sentence of up to three years. It also provides for a penalty of up to Rs 10 crore to anyone found to be performing surveillance unlawfully, with a prison term of up to five years.

The move comes at a time when user data of Indians is under potential threat from social media companies that have been accused of data mining and sharing user information with private firms for advertising and marketing purposes.

There has also been a growing concern in India over the validity of the Aadhaar law. A Constitution bench of the Supreme Court has finished hearing a slew of petitions against the unique identity number and has reserved its judgment.

On 31 July, the government constituted the panel headed by Justice Srikrishna to study various issues relating to data protection and suggest a draft data protection bill.

IFF said in a statement that it had concerns over the “composition, lack of diversity and transparency” of the committee. It also said it was concerned about the lack of urgency India had shown about making a privacy law, and that its civil society project was important to build awareness on privacy and data protection in India.

“The Indian Privacy Code, 2018 ensures that right to privacy does not undermine the Right to Information Act. All the other existing laws including the Telegraph Act and the Aadhaar Act should be subject to this law,” Chima said.

“We hope the Justice BN Srikrishna Committee considers and adopts the language we propose,” he added.

According to a senior official at the home ministry who spoke on the condition of anonymity, the privacy bill hasn’t come up for discussion yet. “In any case, the said bill will be taken up by the IT ministry first. The IT ministry will be responsible for piloting the proposed bill on privacy and MHA will, in the later stages, give its opinion on security issues related to the proposed bill,” he said.

A government official on condition of anonymity said that its for the Justice Srikirshna Committee to look at the model privacy code launched today and decide what they want to use from it.

When contacted, Ajay Sawhney, secretary for ministry of electronics and technology said: “The Justice Srikrishna Committee will submit its report shortly.”

“The reason civil society is doing this is because the government is not sharing their draft bills,” said Sunil Abraham, founder of think tank Centre for Internet and Society (CIS). In 2013, CIS had also published a citizen’s draft privacy protection bill.

(With inputs from Azaan Javaid)

For more details visit https://cis-india.org/internet-governance/hindustan-times-june-8-2018-vidhi-choudhary-draft-bill-proposes-rs-1-crore-fine-3-year-jail-for-data-privacy-violation

Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (Delhi, April 07)

saikat — 2017-04-04T12:06:26Z

We are proud to announce that Dr. Madan M. Oberoi will be the speaker at the inaugural #FirstFriday@cis_india event at the Delhi office. These events, held on the first Friday of each month, will facilitate open and in-depth discussion and learning on topics crucial to our understanding of internet and society. The event will comprise of the speaker's presentation followed by an open discussion. If you are joining us, please RSVP at the soonest as we have only limited space in our office.

RSVP

Dr. Madan M. Oberoi

Dr. Madan M. Oberoi is an Indian Police Service (IPS) officer of 1992 batch. He is a Fulbright Scholar in the area of "Cyber Security" from University of Washington. He also holds a PhD in the area of cybercrime from Indian Institute of Technology (IIT), Delhi. He also holds a Master’s Degree in ‘Management and Systems’ from IIT Delhi and another Master’s Degree in Police Management.

Till January 2017, he was deployed as Director Cybercrime in INTERPOL in Singapore with global jurisdiction. As part of this, he supervised ‘Cyber Fusion Centre’, ‘Cyber Investigation Support’, ‘Cyber Strategy’ and ‘Cyber Training’ ‘Cyber Research Lab”, “Digital Forensics Lab’ and ‘Innovation Centre’ units of INTERPOL.

Dr. Oberoi has worked as Inspector General of Police, Deputy Inspector General of Police and as Superintendent of Police with Central Bureau of Investigation (CBI), where he has headed the Cyber-Crime Cell. He has also worked in Delhi Police and in his last posting he was heading Delhi Police’s Special Cell, which is responsible for Anti-Terror Operations.

Dr. Oberoi has served in two UN Peace Keeping Missions. He was head of the Management Information Unit of UN Mission in Bosnia and Herzegovina at Mission HQ in Sarajevo. He has also served as Head of Data Centre in Mission HQ of UN Mission in Kosovo at Pristina.

For more details visit https://cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07

DoT Reportedly Orders Blocking of 32 Websites Including GitHub, Archive.org, SourceForge

praskrishna — 2015-01-02T14:51:39Z

Many users on Twitter are claiming that several websites, including many software development resources such as GitHub and SourceForge, along with research resources like the Internet Archive have all been blocked on order of the Department of Telecom.

The story was published in NDTV on December 31, 2014. Pranesh Prakash gave his inputs.

A letter circulating online shows a list of 32 URLs that ISPs have reportedly been ordered to block, with most of these URLs being entire websites, instead of specific webpages that's usually been the case with such blocks in the past.

We tried to verify the users' claims, but on both our office broadband network, and also on Airtel and Vodafone 3G networks, all the sites were opening properly at the time of writing. Interestingly, many of the sites failed the load at the first try, but simply hitting refresh once solved the problem.

This does not mean that blocking is not happening - it is possible that the order has been sent recently, and will take some time to be fully implemented. Here is the email which purportedly shows the list of the 32 blocked URLs, as posted by Pranesh Prakash, Policy Director of the Center for Inernet and Society:

No information is available at present to confirm if blocking is truly happening, or why, but we are trying to ascertain the exact details and will update this story with the information as soon as possible.

However, there is some partial confirmation because both Pastebin and the Internet Archive have tweeted about blocking from India.

Such blocks in the past have been due to John Doe orders but the fact it is targeting software development sites like Github and Sourceforge is strange - the John Doe orders have specifically been used to block piracy of films, and blocking off sites that have no connection to movies makes no sense.

Arvind Gupta, the National Head of the BJP IT cell also took to Twitter, stating that these websites were being blocked for security reasons, based on the advice of the Anti-Terrorism Squad. According to Gupta's Tweets, the sites were being unblocked as soon as they removed "objectionable materials", allegedly related to ISIS.

It's extremely unusual that a government decision is being communicated by a political party official - if the Department of Telecom is blocking sites, then it should be the one to communicate and clarify these events. However, so far, it has not issued any statements, and neither has the IT Ministry.

For more details visit https://cis-india.org/internet-governance/news/ndtv-december-31-2014-dot-reportedly-orders-blocking-of-32-websites-including-github-archiveorg-sourceforge

DoT Blocks Domain Sites — But Reasons and Authority Unclear

smita — 2012-11-21T10:03:39Z

Earlier this year, ISPs such as Airtel and MTNL blocked a number of domain sites including BuyDomains, Fabulous Domains and Sedo.co.uk. Whereas the Indian Government and courts have previously issued orders blocking websites, these actions have generally been attributed to issues such as posting of inflammatory content or piracy of copyrighted material. However, the reasoning behind blocking domain marketplaces such as the above mentioned sites is not clear.

These websites offer users various tools to buy and sell domain names and simplify the purchasing process. Users on India Broad Band forum and websites like Medianama reported that these domain sites were not accessible and the following message was displayed instead — "This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Telecommunications".

.In Registry’s Anti-Abuse Policy

If the issue at hand is one of abusive registrations, it would fall under the .IN Domain Anti-abuse Policy adopted by the National Internet Exchange of India (NIXI) and the .in registry. This policy states that NIXI will have the right to "deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status" if necessary. This raises a question as to why the Department of Telecommunications (DoT) would issue directions to block these domain marketplaces instead of cancelling their registration or placing it on hold under the policies adopted by NIXI.

A second, more important question would be whether the DoT has the power to block websites or take action under NIXI’s anti-abuse policy. NIXI and the .in registry both work under the aegis of the Department of Electronics and Information Technology. In addition, the Information Technology Act, 2000 ("the IT Act") is the only legislation that provides the authority to block a website and this authority is bestowed upon the Secretary, Department of Information Technology.

Information Technology Act

Section 69-A of the IT Act authorizes the central government to issue directions/orders to block public access to any information generated, transmitted, received, stored or hosted in any computer resource i.e., block websites. Such orders can be issued if the authorized officer finds that it is necessary to do so in the India’s sovereign and national interests or in the interest of public order. These interests include defence, security of the state, friendly relations with foreign neighbours and preventing incitement to the commission of an offence.

The procedures and safeguards that are to be followed before issuing an order to block a website are detailed in the Information Technology (Procedure and Safeguards for blocking for access of information by public) Rules, 2009 ("the rules"). The rules provide that upon receiving a complaint, the concerned organization for the blocking of access to information shall examine the complaint to ensure that there is a need to take action under the reasons mentioned above. If such action is found necessary, a request if forwarded and a committee established as per the rules reviews any requests made to block access to any information. During this review, there is also provision for a notice and reply procedure. This allows for the person controlling the online publication of such information to appear before the committee and respond to the request or make any clarifications regarding the information.

The recommendations of the committee are then sent to the Secretary of the Department of Information Technology who further directs an agency of the government or the intermediary to block the relevant content/website. The rules also provide procedures for blocking access in case of an emergency and in cases where court orders directing the blocking of information have been issued.

Whereas the ideas of sovereign interest and public order are admittedly very broad, there is no clear explanation as to what actions of domain sites/marketplaces such as BuyDomain and sedo.co.uk would be considered to impinge upon either. Neither is there any information available regarding why the DoT considers this to be the case.

For more details visit https://cis-india.org/internet-governance/blog/dot-blocks-domain-sites

Dot Bharat domain to roll out on August 21

praskrishna — 2014-09-08T07:08:32Z

Web addresses are set to get multilingual in India. Soon you will be able to type in addresses in a web browser in the Devnagri script – with “dot bharat” standing in for the currently common “dot in” domain to begin with. The roll-out of the same begins on August 21.

This was originally published by IANS and mirrored in Firstpost on August 19, 2014. Sunil Abraham gave his inputs.

In the 90-day “sunrise period” of the roll-out those with registered trademarks will be able to register domain names in languages that use the Devnagri script, such as Hindi, Marathi, Boro, Dogri etc. After the sunrise period, it will be thrown open to regular users of the internet.

The National Internet Exchange of India (NIXI), an autonomous non-profit organisation, is responsible for peering of ISPs and routing the domestic traffic within the country. The NIXI and the government’s Centre for Development of Advanced Computing (C-DAC) have worked on enabling this country code top level domain (ccTLD) of dot bharat. They say more such domains in different scripts and languages will eventually follow.

Currently, one can find content in various languages online. However, the URLs or web addresses are in English. With this rollout, even URLs would be in Hindi or Marathi. “Once the sunrise period runs smoothly, we will introduce other languages in other scripts such as Bengali, Punjabi, Kannada, Telugu etc. There is no timeline set for it yet, but we hope there will be enough pressure with the adoption of the Devnagri domains to implement it soon,” says Mahesh Kulkarni, program coordinator at the C-DAC, heading the language technology group.

A few government websites too will be a part of the launch next week by the union minister of communications and information technology, Ravi Shankar Prasad. “For example, the pmindia dot gov dot in will be pradhanmantri dot sarkar dot bharat,” says Dr Govind, CEO of NIXI.

While some quarters have welcomed the introduction of the new domain, others are doubtful of its success given the low internet penetration and low literacy rate in the country. A June 2014 report from research firm eMarketer, India had the third largest online user-base globally after China and the US but had the lowest internet penetration growth in Asia Pacific at 17.4%. Osama Manzar, who heads the Digital Empowerment Foundation, suggests getting more people and public institutions online rolling out local language domain names.

“This is not a bad move, but I doubt and wonder if it will encourage people to buy domain names in Indian languages. Is it in sync with the national digital infrastructure? It is important that the government encourage every department and village panchayat to get online with a website along with this,” says Manzar.

Sahitya Akademi-winning Hindi writer Uday Prakash finds the Devnagri domain a welcome move, but stresses on the importance of making quality content in regional languages available online. “It’s a good step and will help those who are not comfortable with English. However, the problem remains that most of the content online is in English. If I search for Robin Williams in English, I will find hundreds of webpages. But if I google the same name in Devnagri, I’ll hardly find anything,” says Prakash.

On the other hand, there is also the view that the move towards a multilingual web need not follow a set path. “If a poor person buys a mobile phone before he build a toilet, who are we to judge? It is a market phenomenon. Like a jigsaw, some pieces of the puzzle may be worked out in advance. There are things like Indic input keyboards, text to speech and speech to text that need to be in place before an Indic language speaker can have the same experience as an English language user of the internet,” says Sunil Abraham, executive director of Bangalore-based research organization Center for Internet and Society.

In October 2013, the Internet Corporation for Assigned Names and Numbers (ICANN) delegated generic top level domains in Arabic, Chinese and Cyrillic scripts. This was under the Internationalized Domain Name (IDN) fast track process of the ICANN, which began in 2009, inviting requests from countries for territory names in scripts other than Latin. Meanwhile domestically, the union government has made a push for the use of local languages.

For more details visit https://cis-india.org/a2k/news/tech-first-post-dot-bharat-domain-to-roll-out-on-august-21

Don’t SLAPP free speech

sunil — 2013-02-28T11:22:09Z

IIPM is proving adept at the tactical use of lawsuits to stifle criticism, despite safeguards. THE DEPARTMENT of Telecommunications, on 14 February, issued orders to block certain web pages critical of the Indian Institute of Planning and Management (IIPM).

Sunil Abraham's column with inputs from Snehashish Ghosh was published in Tehelka on February 3, 2013 (Issue 9 Volume 10)

Despite our best efforts, we have not managed to get a copy of the court order. Meanwhile, there has been a lot of speculation among Internet policy experts on Twitter. What is the title of the case? Which judge issued the order? Who is the affected party? Why have mainstream media houses like Outlook not been served notice by the court? Is the infamous Section 66A of the IT Act to be blamed? That is highly unlikely. News reports suggest that a lower court in Gwalior has issued an ad interim injunction in a defamation suit. Most experts agree that this is a SLAPP (Strategic Litigation Against Public Participation) suit, where a company uses the cost of mounting a legal defence to silence critics.

Bullies with deep pockets use the law in very creative ways, such as forum shopping, forum shifting and the use of proxies. Forum shopping can be best understood through the example of mining giant Fomento suing Goan blogger Sebastian Rodrigues for $1 billion at the Kolkata High Court, even though Goa would have been a more logical location. Though IIPM lost an earlier case against Careers360 before the Uttaranchal High Court, the offending URLs from that case are included in the latest block order, exemplifying successful forum shifting. The doctrine of ‘res subjudice’ does not permit courts to proceed in a matter which is “directly and substantially” similar to a previous suit between the same parties. Proxies are usually employed to circumvent this procedural doctrine.

Article 19(2) of our Constitution empowers the State to create laws that place eight types (depending on how you count) of reasonable restrictions on the freedom of speech and expression. One of these reasonable restrictions is defamation. Tort law on defamation in India has been mostly borrowed from common law principles developed in the UK, which include a series of exceptions where the law cannot be used. In the present context, the exceptions important for the IIPM case include: fair and bona fide comment and matter of public interest. In addition, Section 499 of the Indian Penal Code provides for 10 exceptions to defamation. The exceptions relevant to this case are: “first: imputation of truth which public good requires to be made or published”, “ninth: imputation made in good faith by person for protection of his or other’s interests” and “tenth: caution intended for good of person to whom conveyed or for public good”. The criminal law on defamation in India is based on robust legal principles, but for the sake of public interest it’d be best to do away with such a law as it has far-reaching, chilling effects on free speech.

On interim injunctions in defamation suits, the Delhi High Court set an important precedent protecting free speech in 2011. While applying the English principle — the Bonnard Rule — the court in Tata Sons Pvt Ltd versus Greenpeace International held that a higher standard should be adhered to while granting an interim injunction in a defamation suit, because such an injunction might impinge upon freedom of expression and thus potentially be in violation of the Indian Constitution. This century-old rule states that “until it is clear that an alleged libel is untrue… the importance of leaving free speech unfetter – ed is a strong reason in cases of libel for dealing most cautiously and warily with the granting of interim injunctions…”

In the same case, the Court rejected the argument that since it was published online and thus had wider reach and greater permanence, an injunction should be granted. It observed that “publication is a comprehensive term, embracing all forms and mediums — including the Internet”, thus ruling out special treatment for the Inter net in cases of defamation. That is good news for free speech online in India. Now let’s stick to it.

For more details visit https://cis-india.org/internet-governance/blog/tehelka-sunil-abraham-feb-3-2013-dont-slap-free-speech

Don't Do Nothing. Take a Stand on Net Neutrality.

vishnu — 2015-05-08T14:11:23Z

Are you wondering what Net Neutrality is, and why the term has suddenly got so much attention in India among the Netizens? Do you need to be concerned about Net Neutrality? We will try to address these in this short post on Net Neutrality.

The blog post was published by NDTV on April 13, 2015.

First things first. Net Neutrality (or Network Neutrality) is a globally-accepted principle of keeping the Internet freedom intact. Now you may wonder who is threatening Internet freedom, or how that is even possible. Well, it is.

By who? Your Internet Service Provider (ISP). Some also use the term MISP, which means Mobile Internet Service Provider. How can they do it? By simply not treating the data on the Internet equally. Let's make it even simpler with an example. Imagine your cable network provider promises you access to ATV, BTV, CTV and DTV (of course we know you get 300+ channels!) and takes a monthly subscription fee. Now you have a favourite show on DTV that you have been watching for a year. Suddenly your cable network provider comes to some business arrangement with ATV (let's call it sharing revenues!) and starts tweaking his signal. So your DTV signal becomes faint and you keep getting frozen frames and breaking sounds, whereas the audio video quality of ATV is superb. Not only that, your channel numbers are automatically reset, and the channel number on which you used to watch DTV now is configured to ATV.

The same thing, when it happens in the Internet context, is called breaking Net Neutrality. That is, the ISP starts discriminating which App you can use better, which sites will stream video faster, and so on and so forth. So by breaking Net Neutrality, the ISPs, by joining hands with some big companies (content providers) will build walled Internet gardens within which your experience of the world wide web will be limited. The <www> will no more be "world wide web" but will be "walled within my web"!

Is this bad? Well, most of the Internet fraternity that believes in the unending freedom the Internet provides thinks so. For budding App makers, e-biz players, etc. it is quite a jolt. A large corporate player like Facebook can easily team up with ISPs and rob the level playing field to all these budding players. Because the ISPs can potentially discriminate against the budding players or newcomers, there is a fair chance that you are curtailing innovation and new entrepreneurship on the Internet. Well "make in India" may still happen, but with limited large players who could potentially cannibalize the Internet!

If you are a simple consumer of the Internet and not bothered about the business dynamics, the violation of net neutrality will affect you too. Definitely not in terms of increased Internet data pack prices. In fact, there is a fair chance that you will be given freebies like "Buy this Internet Data Pack and you will get 3 months free of Facebook usage". However, in the bargain, over the long run, we all will lose out on something precious that money cannot always buy, something that is considered inherent to the Internet ... the FREEDOM to choose and the FREEDOM to express.

Let's look at the other side of the coin. Why is it that the ISPs want to do this? They have realized that some data providers (those who build Apps, websites, etc.) are making quite a big buck and they want a share of that profit, because they need to meet their large infrastructural costs that they have incurred in setting up towers, cables, etc. They are bleeding, they say, and need to find sustainable business models. They do not want to burden the consumer by increasing the data charges and this is an ingenious way of making their business sustainable. Win-win scenario, only at the cost of Freedom. To hell with Freedom, we give you Internet for FREE!

To deal with this issue effectively, Telecom Regulatory Authority of India (TRAI) has put out a consultation paper called Regulatory Framework for Over-the-top (OTT) services for feedback from stakeholders. It's available here. If you use the Internet in India (either on mobile or on a system) then you too are a stakeholder. We hope that this post will help you to participate in the consultation process.

For more details visit https://cis-india.org/internet-governance/blog/ndtv-t-vishnu-vardhan-dont-do-nothing-take-a-stand-on-net-neutrality

Don't dive headlong into money-making schemes on the internet

praskrishna — 2017-02-07T15:02:24Z

If you do fall victim to fraud, file your complaint at RBI's Sachet web site.

The article by Sanjay Kumar Singh was published in the Business Standard on February 7, 2017. Udbhav Tiwari was quoted.

By now you have surely read the news about a Noida-based company called Ablaze Info Solutions, which is said to have defrauded about 700,000 people of Rs 3,700 crore. In this scheme, participants first had to pay a substantial subscription fee to join it, after which they were compensated for clicking on links. There were also incentives for bringing in other members, which made it akin to a multi-level marketing (MLM) scheme. Experts advise that investors should do the due diligence before putting their money in such schemes. According to cyber experts, this scheme took off because the activity it was pursuing was a legitimate one per se. There is an entire industry on the Internet, wherein you can earn money by clicking on links: This improves the traffic on websites and allows them to demand higher advertising rates. Many websites outsource the task of improving traffic to third parties, which in turn recruit people in countries like India for the task. You can also earn money through activities like filling up forms, answering surveys, etc.

The mistake participants made in this case was to join the scheme without exploring other options. "Many players would have offered a similar level of compensation without demanding a subscription fee. Moreover, the very fact that the company was demanding a substantial subscription fee should have made people suspicious," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru. Before participating in such money-making schemes, spend time doing a detailed background check of the company's credentials, especially if the promised returns are realistic or not. "If the return offered by the company is high compared to the market rates of return, or the company is new, you should be extra cautious. Check various blogs and forums on the internet for possible complaints against the company and its key stakeholders," says Mukul Shrivastava, partner, fraud investigation and dispute services, EY India.

If you join such a programme, be warned the moment the company defaults on payments, delays them, or avoids your queries. Stop all interactions with it and lodge a complaint with the police. If the company had used forged documents, especially the ones claiming that the scheme had the approval of a regulator like Sebi, submit them.

You can also file a complaint at Sachet, a website set up by the Reserve Bank of India (see box). Another option is to contact the Serious Fraud Investigation Office (SFIO) under the Ministry of Corporate Affairs. As the police take up a case usually when many complaints pour in against an entity, motivate other victims to complain, too. The state fights the case on your behalf. Your task after complaining is to cooperate with the investigation and depose in court. Nowadays victims can be compensated under the Criminal Procedure Code as well. They also have the option to file a civil suit for recovering their money.

Finally, there is a need for new laws to tackle online frauds. "There is a gap both in terms of legislation and effective enforcement. We only have a central 1978 Act for Prize Chits and allied rules in states, which need to be updated," says Nishant Joshi, partner, Shardul Amarchand Mangaldas.

Word box
Turn to Sachet

RBI has launched a website, sachet.rbi.org.in, where you can complain if you have been cheated by an entity that has illegally collected money from you
The website also provides information on legitimate entities that are authorised to collect money
Many regulators and enforcement agencies take up the complaints filed on this site
Investors don’t have to know the regulator under whose jurisdiction the company they want to complain against falls
You will get an email informing you about the regulator/entity that will take up your case

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet

Don't blindly forward WhatsApp messages. You could be sued

Admin — 2018-05-31T23:49:19Z

Never before in Bengaluru has the Internet and social media taken such a vicious and violent turn as it did last week.

The article by Rajitha Menon and Surupasree Sarmmah was published in the Deccan Herald on May 29, 2018.

A fake Whatsapp message that went viral has led to the death of a man in Chamarajpet. But Bengaluru is not alone. In the recent past many have been lynched in Andhra Pradesh, Telangana, Tamil Nadu, Uttarakhand, Jharkhand and Hyderabad over rumours and fake videos.

In tech-savvy Bengaluru, a 26-year old man was beaten to death in Chamarajpet by a mob that mistook him for a kidnapper. "The big problem is that for a large part of India, WhatsApp is the first exposure to the Internet. What they see there becomes news; people don't do a critical analysis of what comes their way," says Swaraj Barooah, senior programme manager, Centre for Internet & Society, Bengaluru.

What are the legal implications of forwarding fake WhatsApp news? "It's a grey area in terms of current regulation," he says.

However, he advises caution: don't circulate messages you can't vouch for.

MT Nanaiah, senior advocate says, "If a message is intended to harm a person's reputation, it might come under the purview of the Indian Penal Code Section 499 A, which defines defamation and Section 500, which defines the punishment."

Defamation can attract a punishment of up to two years in jail and a fine. Victims of fake forwards can also sue for damage, he says.

In Varanasi, district officials are holding WhatsApp admins responsible for fake news, and issued guidelines.

"I think the courts have been doing a flip-flop on this. I am not sure but the legal validity is weak to hold admins responsible for what happens in the group," notes Barooah.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-rajitha-menon-surupasree-sarmmah-dont-blindly-forward-whatsapp-messages-you-could-be-sued

Doing Standpoint Theory

Ambika Tandon and Aayush Rathi — 2019-09-19T14:22:48Z

Feminist research methodology has evolved from different epistemologies, with several different schools of thought. Some of the more popular ones are feminist standpoint theory, feminist empiricism, and feminist relativism.

The article by Ambika Tandon and Aayush Rathi was published by GenderIT.org on September 1, 2019.

Standpoint theory holds the experiences of the marginalised as the source of ‘truth’ about structures of oppression, which is silenced by traditional objectivist research methods as they produce knowledge from the standpoint of voices in positions of power2. Feminist empiricism does not eschew traditional modes of knowledge production, but emphasises diversity of research participants for feminist (and therefore also rigorous) knowledge production3. Relativists have critiqued standpoint theory for its tendency to essentialise the experience of marginalised groups, and subsume them into one homogenous voice to achieve the goal of ‘emancipatory’ research4. Relativists instead focus on multiple standpoints, which could be Dalit women, lesbian women, or women with disabilities5. We will be discussing the practical applicability of these epistemologies to research practices in the field of technology and gender.

As part of the Feminist Internet Research Network, the Centre for Internet and Society is undertaking research on the digital mediation of domestic and care work in India. The project aims to assess shifts in the sector, including conditions of work, brought on by the entry of digital platforms. Our starting point for designing a methodology for the research was standpoint theory, which we thought to be the best fit as the goal of the project was to disrupt dominant narratives of women’s labour in relation to platformisation. In the context of dalit feminis, Rege warns that standpoint research risks producing a narrow frame of identity politics, although it is critical to pay attention to lived experience and the “naming of difference” between dalit women and savarna women6. She asserts that neither ‘women’ nor ‘dalit women’ is a homogenous category. While feminist researchers from outside these categories cannot claim to “speak for” those within, they can “reinvent” themselves as dalit feminists and ally themselves with their politics.

In order to address this risk of appropriating the voices of domestic workers (“speaking for”), we chose to directly work with a domestic workers’ union in Bengaluru called Stree Jagruti Smiti. Bengaluru is one of the two cities we are conducting research in (the other being Delhi, with very few registered unions). This is meant to radically destabilise power hierarchies and material relations within the research process, as benefits of participatory research tend to accumulate with the researchers rather than participants7.

Along with amplifying the voices of workers, a central objective of our project is to question the techno-solutionism that has accompanied the entry of digital platforms into the domestic work sector, which is unorganised and unregulated. To do so, we included companies and state labour departments as participants whose standpoint is to be interrogated. By juxtaposing the standpoints of stakeholders that have differential access to power and resources, the researcher is able to surface various conflicts and intersections in dominant and alternative narratives. This form of research also brings with it unique challenges, as researchers could find themselves mediating between the different stakeholders, while constantly choosing to privilege the standpoint of the least powerful - in this case the workers. Self-reflexivity then becomes necessary to ensure that the project does not slip into an absolutely relativist position, rather using the narratives of workers to challenge those of governments and private actors. This can also be done by ensuring that workers have agency to shape the agenda of researchers, thereby producing research which is instrumental in supporting grassroots campaigns and movements.

Self-reflexivity then becomes necessary to ensure that the project does not slip into an absolutely relativist position, rather using the narratives of workers to challenge those of governments and private actors.

Feminist participatory research itself, despite its many promises, is not a linear pathway to empowerment for participants8. At the very outset of the project, we were constantly asked the question by domestic workers and unions – why should we participate in this project? Researchers, in their experience, acquire information from the community throughout the process of data collection by positioning themselves as allies. However, as all such engagements are bound to limited timelines and budgets, researchers are then often absent at critical junctures where the community may need external support. We were also told that all too often, the output of the research itself does not make its way back to the participants, making it a one-way process of knowledge extraction. Being mindful of these experiences, we have integrated a feedback loop into our research design, which will allow us to design outputs that are accessible and useful to collectives of domestic workers.

Not only domestic workers and their organisations, many corporations operating these online portals and platforms often questioned the benefits of participating in the project. However, the manner of articulation differed. While attempting to reject the hierarchical nature of the researcher/participant relationship, we increasingly became aware that the underlying power equation was not a monolith. Rather, it varied across stakeholder groups and was explicitly contingent on the socially constructed positionalities already existing outside of the space of the interview. Companies, governments and workers all exemplified varying degrees of engagement with, knowledge of, and contributions to research. Interviews with workers and unions, and even some bootstrapped (i.e. without much external funding) , socially-minded companies, were often cathartic with an expectation of some benefits in return for opening themselves up to researchers. This was quite different for governments and larger companies, as conversations typically adhered to the patriarchal and classed notions of professionalism in sanitised, formal spaces9 and the strict dichotomy between public and personal spaces. Their contribution seemingly required lesser affective engagement from the interviewee, thereby resulting in lesser investment in the outcome of the research itself.

The cathartic nature of interviews also speak to the impossibility of the distanced, Platonic, school of research. We were often asked politically charged questions, our advice solicited and information sought. Workers and representatives from platform companies alike would question our motivations with the research and challenge us by inquiring about the benefits accruing to us. Again, both set of stakeholders would often ask differently about how other platforms were; workers already registered on a platform would wonder if another platform would be ‘better’ and representatives of platform companies would be curious about competition. This is perhaps a consequence of attempting to design a study that is of use and of interest to the workers we have been reaching out to.10 At times, we found ourselves at a place in the conversation where we were compelled to respond to political positions for the conversation to continue. There were interviews where notions of caste hierarchies (within oppressed classes) as a justification/complaint for engaging/having to engage in certain tasks would surface. Despite being beholden to a feminist consciousness that disregards the idea of the interviewer as neutral, we often found ourselves only hesitantly forthcoming. At times, it was to keep the interview broadly focused around the research subject, at others it was due to our own ignorance about the research artefact (in this instance, platforms mediating domestic work services). This underscores the challenges of seeing the interview as a value ridden space, where the contradictions between the interview as a data collection method and as a consciousness raising emerged - how could we share information about the artefact we were in the process of collecting data about?

We were often asked politically charged questions, our advice solicited and information sought.

The fostering of ‘rapport’11 has made its may into method, almost unknowingly. Often, respondents across stakeholder groups started from an initial place of hesitation, sometimes even suspicion. Several structural issues could be at work here - our inability in being able to accurately describe research itself, the class differences and at times, ideological ones as well. While with most participants, rapport was eventually established, its establishment was a laboured process. Especially given that we were using one-off, in-depth interviews as our method, securing an interview was contingent on the establishment of rapport. This isn’t to suggest that feminist research mandatorily requires the ‘doing of rapport’12, but that when it does, it’s a fortunate outcome and that feminist researchers engage with it more critically.

Building rapport creates an impression of having minimised the exploitation of the participant, however the underlying politics and pressures of building rapport need to be interrogated. Rapport, like research itself, is at times a performance; rapport is often not naturally occuring. Rather, rapport may also be built to conceal the very structural factors preventing it. For instance, during instances of ideological differences during the interview, we were at times complicit through our silence. This may have been to further a certain notion of ‘objectivity’ itself whereby the building and maintenance of rapport is essential to surfacing a participant’s real views. This then raises the questions: What are the ethical questions that the suppression of certain viewpoints and reactions pose? How does the building, maintenance and continuance of rapport inform the research findings? Rapport, then, comes in all shapes and sizes and its manifold forms implicate the research process differently. Another critical question to be addressed is - why does some rapport take less work than others? With platform companies, building rapport came by easier than it did with workers both on and off platforms. If understood as removing degrees of distance between the researcher and participants, several factors could play into the effort required to build rapport. For instance, language was a critical determinant of the ease of relationship-building. Being more fluent in English than in colloquial Hindi enabled clearer articulation of the research. Further, familiarity with the research process was, as expected, mediated along class lines. This influenced the manner in which we articulated research outcomes and objectives to workers with complete unfamiliarity with the meaning of research. Among workers, this unfamiliarity often resulted in distrust, which required the underlying politics of the research to be more critically articulated.

By and large, the feminist engagement with research methods has been quite successful in its resistance and transformation of traditional forms. Since Oakley’s conception of the interview as a deeply subjective space13 and Harding’s dialectical conception of masculinist science through its history14, the application of feminist critical theory has increasingly subverted assumptions around the averseness of research to political motivations. At the same time, it has made knowledge-production occur in a more equitable space. It is in this context that standpoint theory has had wide purchase, but challenges persist in its application. As the foregoing discussion outlines, we have been able to achieve some of the goals of feminist standpoint research while missing out on others. We also found the ‘multiple standpoints’ approach of relativists to be useful in a project involving multiple stakeholders - thereby also avoiding the risk of essentialisation of the identities of domestic workers. However, unlike the tendency of relativists to focus on each perspective as ‘equally valid truth’, we are choosing to focus on the conflicts and intersections between emerging discourses. Through this hybrid theoretical framework, we are seeking to make knowledge production more equitable. At the same time, the discussion around rapport shows that this may nevertheless happen in a limited fashion. Feminist research may never be fully non-extractive. The reflexivity exercised and choices made during the course of the research are key.

Unlike the tendency of relativists to focus on each perspective as ‘equally valid truth’, we are choosing to focus on the conflicts and intersections between emerging discourses.

The names of the authors are in alphabetical order.

Harding, S. (2003) The Feminist Standpoint Theory Reader: Intellectual and Political Controversies, Routledge.

M. Wickramasinghe, Feminist Research Methodology: Making meaning out of meaning-making, Zubaan, 2014

Pease, D. (2000) Researching profeminist men's narratives: participatory methodologies in a postmodern frame. In B. Fawcett, D. Featherstone, J. Fook ll)'ld A. Rossiter (eds) Restarching and Practising in Social Work: Postmodern Feminist Perspectives (London: Routledge).

Stanley, L. and Wise, S. (1983) Breaking Out: Feminist Consciousness and Feminist Research (London: Routledge and Kegan Paul).

Rege, S. 1998. ” Dalit Women Talk Differently: A critique of ‘Difference’ and Towards a Dalit Feminist Standpoint.” Economic and Political Weekly, Vol. 33, No.44, pp 39-48.

Heeks, R. and Shekhar, S. (2018) An Applied Data Justice Framework: Analysing Datafication and Marginalised Communities in Cities of the Global South. Working Paper Series, Centre for Development Informatics, University of Manchester.

Stone, E. and Priestley, M. (1996) Parasites, pawn and partners: disability research and the role of nondisabled researchers. British Journal of Sociology, 47(4), 699-716.

Evans, L. (2010). Professionalism, professionality and the development of education professionals. Br. J. Educ. Stud. 56, 20–38. doi:10.1111/j.1467-8527.2007.00392.x

Webb C. Feminist methodology in nursing research. J Adv Nurs. 1984 May;9(3):249-56.

Berger, R. (2015). Now I see it, now I don’t: researcher’s position and reflexivity in qualitative research. Qual. Res. 15, 219–234. doi:10.1177/1468794112468475; Pitts, M. J., and Miller-Day, M. (2007). Upward turning points and positive rapport development across time in researcher-participant relationships. Qual. Res. 7, 177–201. doi:10.1177/1468794107071409

Dunscombe, J., and Jessop, J. (2002). “Doing rapport, and the ethics of ’faking friendship’,” in Ethics in Qualitative Research, eds T. Miller, M. Birch, M. Mauthner, and J. Jessop (London: SAGE), 108–121.

Oakley, A. (1981). “Interviewing women: a contradiction in terms?” in Doing Feminist Research, ed. H. Roberts (London: Routledge and Kegan Paul), 30–61.

Harding, S. (1986). The Science Question in Feminism. Ithaca: Cornell University Press.

For more details visit https://cis-india.org/internet-governance/blog/ambika-tandon-and-aayush-rathi-gender-it-september-1-2019-doing-standpoint-theory

Does this click with you?

praskrishna — 2015-09-27T10:07:00Z

While the web caters to customers who purchase basic lifestyle products, the app is ideal to make impulsive shopping decisions.

The article by Parshathy J. Nath was published in the Hindu on September 1, 2015. Sunil Abraham was quoted.

Netizens were caught by surprise when online retail giant Flipkart announced that they were going the app-only way. Some grumbled and a few rejoiced. There were debates on its pros and cons. However, a few days ago, Flipkart revoked the decision because it wanted to assess the impact of this move on sales in big-ticket categories. But the debate continues.

Bangalore-based techie Diljeet Kaur feels the app makes shopping a lot easier. “I shop on the app for everything — from mobile chargers, laptop, mobile covers and kitchen appliances to books and even water bottles. In case I am not happy, I click on the return option. They call up immediately, pick up the item within 48 hours and refund the amount to my account. What more can one ask for?”

Rachna Binani, who owns a toy store in Madurai, also says shopping has become faster with the app. “A mobile phone is with you for 18 hours a day. But, you can’t lug a laptop around everywhere you go.” Prasannan B., an HR General Manager in Madurai, agrees. “A year ago, I would not have chosen a mobile app over a website, because it was not as advanced. But, now things have changed.”

But, some prefer the website to the app. Like Paulami Guha Biswas, an avid online book shopper from Hyderabad, who says, “Browsing becomes difficult when you are shopping through an app. On a website, you can open multiple tabs and compare prices and discount rates in peace. The screen is also bigger.”

While the web caters to customers who purchase basic lifestyle products, the app is ideal to make impulsive shopping decisions. Says Jaishree S. Santhosh, CEO of a Coimbatore-based educational institution, “I prefer to do random window shopping through a website and stick to apps when it comes to my regular Flipkart and Amazon shopping. Because when I use apps, I need to log in and share my personal information. I would prefer to do that only with two or three sites and not every virtual shopping platform.”

However, apps are redefining our shopping culture and experience. With efficient data-tracking systems, these apps record the customer’s buys. “The app keeps throwing images of products that interest you, based on your purchase history. This can be a little creepy at times,” says Jaishree. “It seems like it can read your mind. I do not like it getting too personal with me. Moreover, it tempts me to buy things that I otherwise would not have thought of buying.”

The personalised shopping experience can be both a boon and bane. According to Sunil Abraham, Executive Director of the Centre for Internet and Society, a Bangalore-based research organisation, “It is a terrible development from the perspective of the online user’s rights. Apps violate user privacy. Moreover, they waste your phone’s memory, storage and battery.”

Even though mobiles and apps are popular among the youth, young entrepreneurs from the online world are still hesitant to venture into the app domain. Nilisha Bhimani, a 28-year-old online entrepreneur who runs www.stayfabulous.com, says she cannot even imagine making her portal app-only. “Mine is a fashion portal. And with fashion shopping, one would want to open multiple windows and compare products. It is difficult to do this on our phones.”

However, Nilisha thinks that it is a good move from Flipkart to have sparked off this debate. “It sounds like a well-thought-out strategy. More so, since surveys point out that there are increasingly more people doing mobile transactions.”

According to an article published in Business Insider on August 24, a study conducted by Internet & Mobile Association of India and KPMG found out that India is projected to have 236 million mobile Internet users by 2016. Flipkart’s move could be a response to the large influx of smart phones into the Indian mobile market, feels Ashish Jhalani, founder of eTailing India, an e-commerce knowledge platform and advisory. “We will be the second-largest smartphone market in the world soon, but that does not mean we are ready for an app-only strategy. Our consumer base is still getting used to shopping online and to ask them to use only one interface to shop is a little premature. I believe, in the long term, this strategy will work, but there is still some time for that.”

And, how will elders in the society, who also constitute a large section of online customers, cope with change? Suchi Dalmia, a business woman from Coimbatore, says that even though her mother shops online, she is still not comfortable with it. “And on top of it, if we open up an app-only shopping system, it is going to hit her hard. A retail giant like Flipkart stands the risk of losing a big chunk of their clientele with this move.”

(With inputs from Soma Basu, Shilpa Sebastian R. and Nikhil Varma)

For more details visit https://cis-india.org/internet-governance/news/the-hindu-september-1-2015-parshathy-nath-does-this-click-with-you

Does the UID Reflect India?

elonnai — 2012-03-22T05:45:32Z

On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events.

Introduction

Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits -- or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many negative drawbacks including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit Aadhaar numbers. The Campaign for NO UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications.

Benefits for the Poor

Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, within India 41% of the population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantee benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language allows room for abuse of how information that is collected will be used.

Appropriate Methodology

Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute insurer of identity, in the way that DNA would be. A person’s biometrics are in fact very public. They are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if identities were stolen – indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.

Legal Questions

Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly she pointed out that the UID project is not legal, yet enrollment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan was in concern with the compulsory nature of the Aadhaar number. Legally the UID Bill does not make the Aadhaar number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the Aadhaar number would be truly voluntary.

Does India Comprehend what the UID Could Bring?

Another fear voiced by Mrs. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded on a centralized database, there is a new concern over that data. What is happening to it, who is using it, what is it being used for, who is seeing it, who is analyzing it, what happens if that data is lost? One of the serious implications of the project is its’ threat to anonymity. Anonymity results when the personal identity, or personally identifiable information of a person is not known. Anonymity already exists today in Indian society by default.. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person, that will be used for every transaction – it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. Though it is true India could benefit from a lesser degree of anonymity. For instance corruption might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations – not just for illegal activity but for disfavored or unpopular activity as well.

Conclusion

One way to avoid the misuse of data is through the adherence to privacy standards such as how data should be processed, transferred etc. India does not of yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted, and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india

Does the Safe-Harbor Program Adequately Address Third Parties Online?

rebecca — 2011-08-02T07:19:34Z

While many citizens outside of the US and EU benefit from the data privacy provisions the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online. As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services were granted levels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United states was deemed incompatible with the EU approach. While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per say, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third-parties are being granted increasingly more rights over the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. First, I will argue that the safe harbor program does not do enough to ensure that participants are held reasonably responsible third party privacy practices. Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1]. The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU. After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly.

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving in reach beyond the EU. Article 25 of the Directive states that the EU commission may ban data transfers to third countries that do not ensure “an adequate level of protect’ of data privacy rights [2]. Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce.

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally. In agreement to the EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program among social networking sites.

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed. These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. The principle of “Notice” sets out that organizations must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclosures the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to choose to opt out whether their personal information is disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected. The “Onward Transfer” principle ensures that third parties receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is requires by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for it is has been collected—minimizing the risk that personal information would be misused or abused. Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are rather quite clear and enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social networking services have become increasingly clear and straightforward since their inception. Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users how their information is being used. The privacy policy also explains the relationship between third parties and your personal information—including how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members. In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs. This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google—a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites. Of the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program. The US Federal Trade Commission was quick to insight an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites. This had included, for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information. The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information. Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues. Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and the Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities social networking sites through the program. For example, Bebo reserves the right to supplement a social profile with addition information collected from publicly available information and information from other companies. Bebo’s does adhere to the “notice principle”—as it makes know to users how their information will be used through their privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remains broad and obscured in the privacy policy. It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to having their profiles from being supplemented by other information sources. Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”? The right to review information held by a social networking site is an important one that should be upheld. This is most notable as supplementary information from outside social networking services is employed to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program. It should also be noted that public interest groups, such as Epic, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere to the Safe Harbor Program. However, its growing number third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party. Third parties must either subscribe to the safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles. Therefore, third parties of participating program sites are, de facto, bound by the safe harbor principles by the way of entering into agreement with a first party participant of the program. This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC. The safe harbor website also explicitly notes that the program does not apply to third parties. Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook. The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent to the safe harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”. Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also use technical measures to ensure that they only obtain authorized information. Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”. Not only are users required to read the privacy policies of every third party application, but are also expected to report applications which may be in violation of privacy principles. In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to a great degree on enforcement by the private sector. However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must ensure that the privacy practices of third parties are adequate. However, at the same time, the company may simultaneously waiver their responsibility for third party compliance with safe harbor principles. Therefore, it remains questionable as to where responsibility for third parties exactly lies. When third parties are not directly answerable to the governing bodies of safe harbor program, and when first parties can to waive responsibility for their practices, from where does the incentive to effectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed is worrisome. Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as they do. However, in practice, this has yet to become the case. A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection”[5]. For example, section 9.2.3 of Facebooks “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”.

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to the personal information, including that of their friends [6]. After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites. This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly post privacy policies, many of provisions set out in these policies were questionable vis-à-vis safe harbor principles.

For example Zynga, makes of popular games Mafia Wars and Farmville, reserve the right to “maintain copies of your content indefinitely”. This practice remains contrary to Safe Harbor principles which states that information should not be kept for longer than required to run a service. Electronic Arts also maintains similar provisions for data retention in its privacy policy. Such practices are rather worrisome also in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement profiles held. This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games. It is also notable to mention that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model. Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of their applications. This puts into question if industry self-regulation can really guarantee that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or understanding held by citizens about how third parties user their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches. The same is likely to be true for governments, too. As one legal scholar, promoting a more laisse-fair approach to third party regulation, notes—multiple and invisible third party relationships presents challenges to traditional forms of legal regulation [7].

In an “open “social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to effectively regulate. While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies, and public interest groups, have focused most attention on large industry players such as Facebook. This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern. If one this has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties data collection practices effectively. Imposing more stringent responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties. However, it is not unreasonable to require sites like Facebook go beyond setting “minimum standards” for data privacy, towards taking a more active enforcement, if even through TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participants to simply wave the liability for third party privacy practices. The indemnity granted to third parties on social networking sites may deem the safe harbor program more effective in sustaining the non-liability of third parties, rather than protecting the data privacy of citizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically opt out of this practice.

[7]See Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal .

For more details visit https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online