Access To Knowledge (A2K)

CoWIN Breach: What Makes India's Health Data an Easy Target for Bad Actors?

Shweta Mohandas and Pallavi Bedi — 2023-07-04T09:39:03Z

Recent health data policies have failed to even mention the CoWIN platform.

The article was originally published in the Quint on 19 June 2023.

Last week, it was reported that due to an alleged breach of the CoWIN platform, details such as Aadhaar and passport numbers of Indians were made public via a Telegram bot.

While Minister of State for Information Technology Rajeev Chandrashekar put out information acknowledging that there was some form of a data breach, there is no information on how the breach took place or when a past breach may have taken place.

This data leak is yet another example of our health records being exposed in the recent past – during the pandemic, there were reports of COVID-19 test results being leaked online. The leaked information included patients’ full names, dates of birth, testing dates, and names of centres in which the tests were held.

In December last year, five servers of the All India Institute of Medical Science (AIIMS) in Delhi were under a cyberattack, leaving sensitive personal data of around 3-4 crore patients compromised.

In such cases, the Indian Computer Emergency Response Team (CERT-In) is the agency responsible for looking into the vulnerabilities that may have led to them. However, till date, CERT-In has not made its technical findings into such attacks publicly available.

The COVID-19 Pandemic Created Opportunity

The pandemic saw a number of digitisation policies being rolled out in the health sector; the most notable one being the National Digital Health Mission (or NDHM, later re-branded as the Ayushman Bharat Digital Mission).

Mobile phone apps and web portals launched by the central and state governments during the pandemic are also examples of this health digitisation push. The rollout of the COVID-19 vaccinations also saw the deployment of the CoWIN platform.

Initially, it was mandatory for individuals to register on CoWIN to get an appointment for vaccination, and there was no option for walk-in-registration or to book an appointment. But, the Centre subsequently modified this rule and walk-in appointments and registrations on CoWIN became permissible from June 2021.

However, a study conducted by the Centre for Internet and Society (CIS) found that states such as Jharkhand and Chhattisgarh, which have low internet penetration, permitted on-site registration for vaccinations from the beginning.

The rollout of the NDHM also saw Health IDs being generated for citizens.

In several reported cases across states, this rollout happened during the COVID-19 vaccination process – without the informed consent of the concerned person.

The beneficiaries who have had their Health IDs created through the vaccination process had not been informed about the creation of such an ID or their right to opt out of the digital health ecosystem.

A Web of Health Data Policies

Even before the pandemic, India was working towards a Health ID and a health data management system.

The components of the umbrella National Digital Health Ecosystem (NDHE) are the National Digital Health Blueprint published in 2019 (NDHB) and the NDHM.

The Blueprint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs. Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.

The National Health Authority (NHA), established in 2018, has been given the responsibility of implementing the National Digital Health Mission.

2018 also saw the Digital Information Security in Healthcare Act (DISHA), which was to regulate the generation, collection, access, storage, transmission, and use of Digital Health Data ("DHD") and associated personal data.

However, since its call for public consultation, no progress has been made on this front.

In addition to documents that chalk out the functioning and the ecosystem of a digitised healthcare system, the NHA has released policy documents such as:

the Health Data Management Policy (which was revised three times; the latest version released in April 2022)
the Health Data Retention Policy (released in April 2021)
Consultation paper on the Unified Health Interface (UHI) (released in December 2022)

Along with these policies, in 2022, the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) – India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines, published in August 2022, did not even refer to the draft National Digital Health Data Management Policy (published in April 2022).

Interestingly, the recent health data policies do not mention CoWIN. Failing to cross-reference or mention preceding policies creates a lack of clarity on which documents are being used as guidelines by healthcare providers.

Can a Data Protection Bill Be the Solution?

The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”

However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).

Omitting these definitions from the Bill removes a set of data which, if collected, warrants increased responsibility and increased liability. Handling of health data, financial data, government identifiers, etc, need to come with a higher level of responsibility as they are a list of sensitive details of a person.

The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused.

While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal.

The Bill also prescribes penalties of upto Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of upto Rs 200 crore if the fiduciary fails to notify the data protection board and the data principal of such breach.

While these steps, if implemented through legislation, would make organisations processing data take their data security more seriously, the removal of sensitive personal data from the definition of the Bill, would mean that data fiduciaries processing health data will not have to take additional steps other than reasonable security safeguards.

The absence of a clear indication of security standards will affect data principals and fiduciaries.

Looking to bring more efficiency to governance systems, the Centre launched the Digital India Mission in 2015. The press release by the central government reporting the approval of the programme by the Cabinet of Ministers speaks of ‘cradle to grave’ digital identity as one of its vision areas.

The ambitious Universal Health ID and health data management policies are an example of this digitisation mission.

However breaches like this are reminders that without proper data security measures, and a system for having a person responsible for data security, the data is always vulnerable to an attack.

While the UK and Australia have also seen massive data breaches in the past, India is at the start of its health data digitisation journey and has the ability to set up strong security measures, employ experienced professionals, and establish legal resources to ensure that data breaches are minimised and swift action can be taken in case of a breach.

The first step to understand the vulnerabilities would be to present the CERT-In reports of this breach, and guide other institutions to check for the same so that they are better prepared for future breaches and attacks.

For more details visit https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit https://cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Counter-proposal by the Centre for Internet and Society: Draft Information Technology (Intermediary Due Diligence and Information Removal) Rules, 2012

pranesh — 2016-04-24T11:48:49Z

Any restriction on freedom of speech should embody and be guided by the following principles, as identified by the UN Special Rapporteur on Freedom of Opinion and Expression

For more details visit https://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.pdf

Counter-proposal by the Centre for Internet and Society: Draft Information Technology (Intermediary Due Diligence and Information Removal) Rules, 2012

pranesh — 2016-04-24T11:56:49Z

Any restriction on freedom of speech should embody and be guided by the following principles, as identified by the UN Special Rapporteur on Freedom of Opinion and Expression.

For more details visit https://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.odt

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

Counter Comments on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

amber — 2017-11-23T14:29:06Z

The Centre for Internet & Society (CIS) has commented on the Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in three main parts. The first part 'Preliminary' introduces the document. The second part 'About CIS' is an overview of the organization. The third part contains the 'Counter Comments' on the Consultation Paper taking into account the submission made by other stakeholders.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/counter-comments-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

Could better DNA testing facilities in India have saved the Talwars?

praskrishna — 2012-10-11T09:44:30Z

Over the last decade, the use of DNA tests to solve crimes has seen a significant rise in crime investigation in India. But forensic experts warn that the absence of standard practices, quality checks and regulation has resulted in irresponsible and inaccurate application of the technology.

This article by Pallavi Polanki was originally published in FirstPost on October 11, 2012. CIS press statement is mentioned.

The use of outdated technology and lack of expertise to competently collect and analyse DNA samples from the crime scene has compromised investigation and led to instances where courts have rejected DNA evidence as being unreliable or inconclusive.

Says GV Rao, DNA analyst and formerly chief staff scientist at the Hyderabad-based Centre For DNA Fingerprinting and Diagnostics (CDFD), “Today we are very much behind the rest of the World in upgradation of technology as required…Further, the backlog of cases is quite large in each of the DNA labs in India and not much is being done about it. Still we have not obtained or adopted the DNA techniques to identify difficult samples. The recent example of Bhanwari Devi case, where the CBI had to send the victim’s bones to FBI, USA for identification to get it identified. This is a sad reflection of the present status of DNA technology in India.”

Most recently, the demand for more advanced DNA tests to be conducted was unsuccessfully made by dentist couple Rajesh and Nupur Talwar, who have been charged with the murder of their teenage daughter Aarushi and domestic help Hemraj.

Perhaps, no other case has so fully exposed the pathetic state of the crime-scene investigation in India. With most of the crucial evidence either destroyed or contaminated due to shoddy police work, the prosecution’s case has come to depend entirely on circumstantial evidence, without a shred of material evidence to support it.

The police force’s lack of expertise to collect DNA evidence was flagged recently by senior scientist at the All India Institute of Medical Sciences (AIIMS) Anupama Raina at a public meeting by the Bangalore-based Centre for Internet and Society on the DNA profiling Bill, in the Capital.

Raina, speaking at the meeting, emphasized the usefulness of the technology but cautioned that the police were still perfecting the use of DNA samples for forensic purposes.

Elaborating on the inadequate training to cops on collecting DNA evidence, Rao said, “In India, there are no special crime case investigators. We have a law and order police station for each area and from bandobast duty to control crowds. It is a tall order expecting them to collect samples. In some states there are special teams which collect samples for DNA testing and then hand it over to the police….Till date none of the DNA labs have made any sample collection kits made available to police stations or other agencies.”

And what after the samples reach the DNA labs?

Painting a rather bleak picture of existing conditions under which many of the DNA labs are operating, Rao says “There is lack of standards, guidelines, accreditation, proficiency testing of the DNA labs and its experts. Each DNA lab is issuing DNA reports in its own style. Each DNA lab is again following different procedures for conducting the test. ”

“No proper records of the tests conducted are being maintained for production in a court of law for its inspection. DNA experts are not being tested for their proficiency in their expertise by a third party and presently they are getting away with such minimal expertise,” he said.

Will the new draft DNA Profiling Bill fix the problems that beset the use of DNA evidence for forensic purposes in India? And what is the context to the draft DNA profiling bill?

“India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.” (Read the full press statement by CIS here)

Raina endorsed the passing of the bill but with necessary safe-guards. The Bill has raised a degree of alarm for its sweeping proposals to collect DNA profiles and create DNA databases – a move experts believe violates the privacy of citizens.

Helen Wallace, director of GeneWatch UK (a not-for-profit group that monitors developments in genetic technologies from a public interest perspective), who participated in the public meeting on the DNA profiling bill, underlined the absence of a clear purpose for the DNA profiling system as proposed by the bill and its lack of clarity on the collection policy that wishes to profile not just those involved in criminal cases but also civil cases.

Jeremy Gruber, president and executive director of the US-based Council for Responsible Genetics, also warned against the bill’s blind faith in DNA results as the gospel truth and ignoring very real possibilities of false matches, cross-contamination and laboratory errors.

Expressing his disappointment with the draft bill, Rao said, “Unfortunately this bill does not provide for standardization, quality control and regulation except for collection of DNA samples of everybody involved in all civil and criminal cases, including suspects… We need standards, protocols, guidelines, amendments to IPC and CrPC for effective implementation of DNA testing.”

For more details visit https://cis-india.org/news/first-post-pallavi-polanki-oct-11-2012-could-better-dna-testing-facilities-in-india-have-saved-the-talwars

Cos spying on competitors, staff: Study

praskrishna — 2012-06-20T08:46:38Z

Most companies are spying on their competitors and their own employees, according to a recent survey conducted by the Associated Chambers of Commerce and Industry of India (Assocham).

The Statesman published this article on June 19, 2012. Sunil Abraham is quoted in it.

The survey's results raise questions about whether employees have enough privacy in the workplace. Rubbishing the survey's findings, head of the Indian Council of Corporate Investigators, Mr Kunwar Vikram Singh, said businesses are not spying but verifying facts.

The Assocham survey said almost 1,200 of 1,500 executives surveyed admitted to hiring people to spy on their employees and monitor their lifestyles. They said they watch former employees, too, especially those who had been laid off or kicked out for fraud.

In the survey, which was done between January and May this year in Ahmedabad, Bangalore, Chennai, the Delhi-National Capital Region and Mumbai, about 900 top industry officials said they carry out corporate espionage, bug the offices of their rivals and plant moles in other companies. About a quarter of respondents said they have hired computer experts to hack networks and track e-mails of their rivals.

Many more respondents — 1,110 of those questioned — said they use social media sites to track their rival companies and employees. “Most of the companies have mentioned their sensitive details including their data, plans, clients’ details, products and other confidential and trade-related secrets on their page and unknowingly share the same in the social media circuit,” said Mr DS Rawat, national secretary-general of Assocham, “which is why it is the most favoured spying activity being carried out by the companies.”

The practice of companies pilfering trade secrets and ideas may be bad for the country's business environment, said Mr Rawat. It “might dampen the spirit of innovation in the long-run,” he said.

The Indian Council of Corporate Investigators’ Mr Singh, however, disputed Assocham's picture of rampant corporate espionage. “I totally deny that corporates are spying on their employees,” he said. “It is not spying. It is verification of facts.”

Mr Singh said that when companies look into their employees or other companies, for example, before they enter into joint ventures, they are just carrying out “due diligence”. He said they legally gather information needed for companies to survive. He also denied there were any privacy issues.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, though, said there are growing concerns about privacy in the workplace, including about intense video surveillance. “Managers started to object to this,” he said. “What they started saying was it really undermines the morale of these locations ... friends and relatives would ask, 'In spite of you being so educated, it's funny your companies don't trust you at all.'”

Companies need to develop more nuanced ways to deal with these problems — perhaps something more similar to the military's multiple levels of clearance — and different ways for people to acquire and lose trust, Mr Abraham said.

Whether or not surveillance is legal, depends on the type, Mr Abraham said. There is some private information a person will expect to remain private, and some information that is expected to be public — like Twitter feeds.

There is no law against monitoring this second type, known as “clear view surveillance”, he said, and blanket legislation could clash with freedom of expression. He said an ideal law for this should include a “proportional relation to power” clause, which would limit the legal ability of the powerful to monitor, but allow individual citizens more leeway.

For more details visit https://cis-india.org/news/co-spying-on-competitors-staff

Corporate push to Modi’s Rs.4.5-billion digital dream

praskrishna — 2015-07-16T02:26:24Z

Prime Minister Narendra Modi’s Rs. 4.5-billion digital dream seems to find favour with the corporate world, which calls it a “very progressive step” and “massive tech push”.

The article by Rakesh Kumar was published in the Statesman on July 13, 2015. Sumandro Chattapadhyay was quoted.

Modi shared his dreams at the recent Digital India Week in the capital and the event saw big names from the business world—Reliance Industries Ltd chairman Mukesh Ambani, Tata group chairman Cyrus Mistry, Wipro Ltd chairman Azim Premji, among others—supporting the initiative.

Showing its faith in Modi’s dream, Reliance Industries is all set to invest over Rs.2.5 lakh crore in the initiative that would focus on cloud computing and mobile applications, empowering every citizen with access to digital services, knowledge and information.

The initiative could boost the IT sector, which according to NASSCOM witnesses a robust growth in 2015, with the calculated revenue for FY 2015 at $147 billion, and a growth of 13 per cent from the corresponding period 2014.

“From an IT perspective, this is a sincere approach to problem solving with growth, realism and long-term transformation at the core,” said Manish Sharma, president, Consumer Electronics and Appliances Manufacturers Association (CEAMA) and managing director, Panasonic India, in an exclusive interview to thestatesman.com.

“Empowering citizens with the use of IT, we believe Digital India is a massive tech push to provide electronic governance and universal phone connectivity across the country,” he added.

CEAMA and Panasonic are willing to contribute to Digital India through technological expertise and commitment.

The Indian information Technology (IT) industry is reportedly pegged at $118-billion and DS Rawat, secretary general, ASSOCHAM, feels the Digital India initiative could be a “game-changer”.

Commenting on PM’s pledge to bring Internet connectivity to all Indians, Rawat told thestatesman.com: “The initiative is possible, provided the implementation of the schemes is done in a mission mode.”

“The business and industry will be the major beneficiary in terms of quality of governance, which is possible through digital initiative. Besides, the industry itself has to prepare to deal with new emerging business models such as e-commerce,” he added.

Modi, at the Digital India launch, said that “e-governance will be quickly changed into m-governance, and ‘M’ does not mean Modi governance, it means mobile governance.”

Both, big corporate houses and small players hailed the PM’s remark.

“It is good initiative for the railway sector in terms of passenger amenities, online procurement and technological up gradation,” said Amit Goel of Aggarwal Engineers in an interview to thestatesman.com.

The company is active in the railway sector.

When asked how Digital India initiative would help small companies, Goel said: “It will help us in many ways. By adopting e-governance, small companies can check and bid for the online procurement and will be able to interact with the concerned department through digital technology.”

Anil Valluri of NetApp India said: “Digital India is one of the most significant transformations the country will witness by eventually connecting over a billion people of India, with technology as its focal point.”

When it comes to IT transformation, cyber security emerges as a vital issue.

Sumandro Chattapadhyay, Research Director, The Centre for Internet and Society (CIS), described the issue of digital security as the key to the “operationalisation and sustainability of the Digital India initiative”. “We expect the government not only to build administrative structures for ensuring cyber-security of the information systems, but also enable legal frameworks for protecting citizens from unlawful and unforeseen abuses of their digital identities as well as their digital assets.” Having said that, he praised the PM’s move, saying it will bring together various existing and new initiatives for building “network infrastructures for expanded public access, electronic governance systems for effective delivery of services, under the national policy umbrella of 'Digital India’”.

Rajiv Kapur, managing director, Broadcom India, pointed out another benefit of the ubiquitous broadband sector, which according to a report, faces certain challenges such as low rural penetration, stagnant data usage over the years and limited broadband services.

“It will help bring parity between the rural and urban India,” he said and added: “Today, we need solutions that allow the majority of rural Indian population to continue to stay at their homes, and not migrate to cities.”

In a knowledge economy, the biggest difference that will make an impact is education.

"Healthcare is another area where having connectivity can make big difference in quality of life," he said.

“E-delivery of governance and services is important for the efficient use of government resources, and allows for collaborative, transparent and more efficient governance," the Broadcom managing director added.

For more details visit https://cis-india.org/internet-governance/news/the-statesman-rakesh-kumar-july-13-2015-corporate-push-modis-billion-digital-dream

Core Concepts and Processes

Shruti Trikanand and Amber Sinha — 2019-10-17T16:06:54Z

When we embarked on this research project, we began with the primary questions of what constitutes a digital identity system. In the last few years, with the rise in national digital identity projects, there has been significant academic and media attention to the idea, benefits and risks of a digital identity system.

However, there have been relatively few attempts to critically look at what makes an identity system digital, and what are its defining elements and characteristics. Through a preliminary study of existing identity systems, we have arrived at these core set of concepts and processes that mark a digital identity system. In arriving at this list, we have relied upon and referred to the works by Dave Birch et al, World Bank’s ID4D initiative, Mawaki Chango, Kaliya Young and Kayode Ezike.

By publishing this, we hope to arrive at a shared vocabulary to discuss and critically analyse digital identity systems, both within our team and in engagements with other stakeholders. This illustrated and interactive glossary can serve as an easy reference for anyone seeking an introduction to the core aspects of digital identity. Even though this is essentially a list of definitions with examples, it does not follow an alphabetical order like most glossaries, but the logical flow of concepts as they build upon each other in a working identity system. We have paid special emphasis to the core processes of Identification and Authentication, elucidating them through diagrams.

Click to read more

Credentials:

Research by Shruti Trikanad and Amber Sinha
Conceptualization by Pooja Saxena and Amber Sinha
Illustrations by Akash Sheshadri and Pooja Saxena

For more details visit https://cis-india.org/internet-governance/digital-identity/shruti-trikanand-and-amber-sinha-september-13-2019-core-concepts-processes

Cordon tightens: Rajya Sabha nod to harsh IT rules

praskrishna — 2012-05-24T08:49:10Z

Sunil Abraham and Pranesh Prakash are quoted in this article by Anil Sharma & Aishhwariya Subramanian published in Daily News & Analysis on May 18, 2012.

The draconian intermediaries rules of the Information Technology Act that allows the government to aggressively police the internet and social networking sites such as Facebook and Twitter will continue for some more time as a motion to annul them in the Rajya Sabha was defeated by the treasury benches on Thursday.

The rules that came into effect last year almost became annulled after a determined push from MPs cutting across party lines in the Rajya Sabha on Thursday. However, the government barely managed to scrape through but union communications and IT minister Kapil Sibal conceded that there were problems and promised to call for a meeting to address the concerns of the MPs.

CPI(M) Rajya Sabha member from Kerala P Rajeeve had moved a statutory motion demanding that these rules be annulled as they violated the constitutionally guaranteed right to freedom of expression. Rajeeve received enthusiastic support from the leader of the opposition in the Rajya Sabha, Arun Jaitley, who made a detailed argument against the existing rules. An impressed Jaitley commended Rajeeve for involving Parliament in the process of framing the rules. Jaitley also slammed the government for trying to police the internet but stressed that like other media this could not be controlled. "In fact, if the internet had been there at that time even the Emergency would have been a fiasco," he said.

The members were keen that the motion be put to vote and the numbers in the Rajya Sabha were loaded against the government.

However, responding to Jaitley's suggestion, Sibal assured the house that the concerns of the members would be taken on board. "I request the members to write to me with their specific suggestions. I will take up the matter at a joint meeting with all the stakeholders and arrive at a solution," he said.

This pacified the members and the government ducked a potentially embarrassing situation.

Expressing his dissatisfaction with the minister's reply, Rajeeve stressed that just as there is a provision for withdrawing objectionable content from the internet within 36 hours, there should be scope for restoring it if the original author can justify it.

The debate was keenly followed by free speech activists who have been lobbying for months to get these draconian rules annulled. The Bangalore-based Centre for Internet & Society (CIS) also conducted a major sting operation to prove how absurd these rules are. They sent several fake "take-down notices" to several companies hosting internet sites. The companies went ahead and shut down some blogs and web sites without even bothering to check if the complaints had any merit.

"The trouble with Indian government's proposal to address issues such as network neutrality, privacy and freedom of expression, is top-down. Unlike other countries where internet policies have always been developed with consultation with other stakeholders, here the government imposes its will," said Sunil Abraham, executive director, CIS.

Netizens are concerned about India's bad track record when it comes to censorship and a policy for the internet. Delhi-based Anja Kovacks, from the Internet Democracy Project, feels that many of the concerns voiced by Indian government are justified. "Undoubtedly the internet presents a range of new challenges, in India as elsewhere, that need to be addressed. Many of the concerns the Indian government expresses are therefore also completely justified. But the ways in which it seeks to tackle these problems are not appropriate for a democratic nation." Kovacks believes that the current policy will impair the freedom of speech.

Ironically, while the UPA government is busy clamping down on domestic opinion, it is planning to take a far more liberal stand at an upcoming international conference on running the internet in Geneva later this year. "It is an ironical situation where India is not following domestically what it is proposing internationally," said Pranesh Prakash of CIS.

With the government holding on to its draconian rules, citizens using social networks like Twitter and Facebook or writing blogs will now have to worry about big brother watching over their shoulders.

For more details visit https://cis-india.org/news/rajya-sabha-nod-to-harsh-it-rules

Copyright Enforcement and Privacy in India

Prashant Iyengar — 2012-12-14T10:27:12Z

Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse, writes Prashant Iyengar. The research examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India and concludes by examining the notion of the private that emerges from a tapestry view of the relevant sections of Copyright Act.

Introduction

Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse. This paper examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India. Chiefly, there are three kinds of situations that we will be discussing here: The first is straightforward and deals with the physical privacy intrusion caused by the execution of search and seizure orders during the investigation of infringement. The second situation involves the violation of privacy through the misappropriation of confidential information. The last situation involves the wrongful appropriation of a person’s persona or their ‘publicity’ – the photographs of celebrities, for instance – for private gain. Instances of each of these situations, and the manner in which the courts have negotiated the privacy claims that have arisen are described in the sections that follow. In addition, Copyright law, dealing as it does mainly with offences of the nature of unauthorised publicity/publication putatively inscribes certain spaces and activities as either public or private. The concluding section of this paper examines the notion of the private that emerges from a tapestry view of various sections of the Copyright Act.

Copyright Enforcement

Context setting

Over the past several decades there has been an increasing awareness globally – and within India – of the importance of 'knowledge societies' which, in contrast to earlier industrial or agrarian societies, leverage 'information' as the key raw material and output of a range of productive activity. As one UNESCO Report puts it "Knowledge is today recognized as the object of huge economic, political and cultural stakes"[1].

In this new paradigm, investment in Information and Communications Technology (ICT), the enactment of strong Intellectual Property laws, and their strict enforcement are prescribed as imperative in facilitating the transition away from the older economic modes. The promise of the knowledge society is particularly alluring for developing countries, like India, where it is viewed as a vehicle for achieving what Ravi Sundaram has termed 'temporally-accelerative' development[2], through which we would be able to transcend our "historical disabilities", and achieve parity with the incumbent masters of the world. [3]

In their eagerness to provide the best supportive conditions to usher in this coveted knowledge society, nations have been tightening their Intellectual Property regimes – including copyright law. This has entailed a two fold expansion, firstly, in the scope of copyright to include, for instance, ‘technological protection measures’ within their ambit and secondly, in the powers of investigation, search and seizure put at the disposal enforcement agencies. In addition, as we shall see, courts in India have enthusiastically bought into this vision of a knowledge economy, and this has fuelled their eagerness to craft innovative – if legally unsound – orders which put tremendously intrusive powers in the hands of copyright owners. Taken together, these developments have taken their toll on the privacy of individuals which this section will explore in further detail. We begin with a brief description of the statutory mechanism for copyright enforcement – both civil and criminal - under the Copyright Act. We then move on to the way courts have crafted new orders that magnify the powers of copyright owners to the detriment of the privacy of individuals.

Civil and Criminal Enforcement under the Copyright Act

The Copyright Act provides for both civil and criminal remedies for infringement. Section 55 provides for civil remedies and declares that, upon infringement, "the owner of the copyright shall be entitled to all such remedies by way of injunction, damages, accounts and otherwise as are or may be conferred by law for the infringement of a right." Civil suits are instituted at the appropriate district court having jurisdiction – including where the plaintiff resides.

Similarly, Chapter XIII (Sections 63-70) provides a range of criminal penalties for infringing copyrights which are typically punishable with terms of imprisonment that “may extend up to three years” along with a fine. These offences would be taken cognizance of and tried at the court of the Metropolitan Magistrate or Judicial Magistrate of the First class [Sec 70], in the same manner as all cognizable offences[4] in India i.e., by following the procedures under the Code of Criminal Procedure, 1973. Section 64 of the Copyright Act dealing with police powers was amended in 1984 to give plenary powers to police officers, of the rank of a sub-inspector and above, to seize without warrant all infringing copies of works “if he is satisfied” that an offence of infringement under section 63, “has been, is being, or is likely to be, committed”. Prior to amendment, this power could only be exercised by a police officer when the matter had already been taken cognizance of by a Magistrate. Prima facie, this is a very sweeping power since its exercise is unsupervised by the judiciary and only depends on the “satisfaction” of a police officer. To put matters in perspective, under the Income Tax Act, dealing with the far more sensitive issue of tax evasion, a search and seizure can only be conducted based on information already in the possession of the investigating authority.[5]

In Girish Gandhi & Ors. v Union of India[6], a case before the Rajasthan High Court, the petitioner, who ran a video cassette rental business, challenged the constitutional validity of the wide powers granted to police officers under this section. Citing various instances of violations of privacy that the abuse of the section could occasion, the petitioner contended:

"The provisions of section 64 itself gives arbitrary and naked powers without any guidelines to the police officer to seize any material from the shop and thus, drag the video owners to the litigation. He has given instances in the petition that police officer usually demands for video cassettes to be given to them free of charge for viewing it at their homes and in case, on any reason either the video cassette is not available or it is not given free of charge, there is likelihood that police officer shall misuse his powers and try to seize the material for prosecution under the various provisions of the Act."

Although the High Court dismissed the petition on the grounds that it did not disclose any actual injury to the petitioner, it upheld the constitutionality of the section by reading the word "satisfaction" to mean that the "police officer will not act until and unless he has got some type of information on which information he is satisfied and his satisfaction shall be objective."

[Section 64] is also not arbitrary for the reason that guidelines and safeguards are provided under Sections 51, 52 and 52A and Section 64(2) of the Copyright Act, coupled with the fact that it is expected of the police officer that he would not act arbitrarily and his satisfaction shall always based on some material or knowledge and he shall only proceed for action under Section 64 in a bona fide manner and not for making a roving inquiry. (emphasis added)

Despite the pious hopes expressed in this decision, they do not appear to have influenced the actual behaviour of police officers. In May 2011, the Delhi High Court struck down a notification issued by the Commissioner of Police which had instructed all subordinate functionaries of the police to "attend to and provide assistance" whenever any complaint "in respect of violation of the provisions of Copyright Act, 1957" was received from three companies: Super Cassettes Industries Limited, Phonographic Performance Ltd and Indian Performance Right Society Ltd. This virtually amounted to the commandeering of the criminal enforcement system by a few private owners for their own private interests. In their suit, the petitioner — Event and Entertainment Management Association — had contended that the police machinery "cannot be made to act at the behest of certain privileged copyright owners". Striking the notification down, as unconstitutional, Justice Muralidhar of the Delhi High Court held:

"To the extent the impugned circular privileges the complaints from SCIL over other complaints from owners of copyright it is unsustainable in law for the simple reason that there has to be equal protection of the law in terms of Article 14 of the Constitution. The police are not expected to act differently depending on who the complainant is. All complaints under the Act require the same seriousness of response and the promptitude with which the police will take action, Likewise, the caution that the Police is required to exercise by making a preliminary inquiry and satisfying itself that prima facie there is an infringement of copyright will be no different as regards the complaints or information received under the Act[7]."

The Judge also issued some welcome remarks on the manner in which complaints under Section 64 were to be handled:

In order that the power to seize in terms of Section 64 of the Act is not exercised in an arbitrary and whimsical manner, it has to be hedged in with certain implied safeguards that constitute a check on such power. Consequently, prior to exercising the power of seizure under Section 64(1) of the Act the Police officer concerned has to necessarily be prima facie satisfied that there is an infringement of copyright in the manner complained of. In other words, merely on the receipt of the information or a complaint from the owner of a copyright about the infringement of the copyrighted work, the Police is not expected to straightway effect seizure. Section 52 of the Act enables the person against whom such complaint is made to show that one or more of the circumstances outlined in that provision exists and that therefore there is no infringement. During the preliminary inquiry by the Police, if such a defence is taken by the person against whom the complaint is made it will be incumbent on the Police to prima facie be satisfied that such defence is untenable before proceeding further with the seizure.(emphasis added)[8]

This decision significantly tempers the severity of possible searches and seizures conducted by the police under Copyright Law. It advances the cause of privacy by reining in the power of the state to arbitrarily intrude on citizens.

Parallel to the attempt at ‘hedging in’ of police powers in criminal enforcement by this High court, there has been a move to expand powers of investigative bodies in civil suits. The next sub-section looks at two innovations by courts – Anton Piller Orders and John Doe orders – which are mechanisms unwarranted by civil procedural law, but crafted by high courts specifically to deal with copyright investigation.

'Anton Piller' orders and 'John Doe' Orders

In addition to the extensive police powers under the Copyright Act mentioned above, plaintiffs have other, equally intrusive powers at their disposal. In the past decade it has become common for copyright owners and owners-associations to employ civil procedure to emulate the same kind of invasiveness. This is done via the mechanism of so-called ‘Anton Piller’ orders - orders obtained unilaterally ‘ex-parte’ (in the absence of the defendant) from civil courts which permit court-appointed officers, accompanied by representatives of the plaintiffs themselves, to search premises and seize evidence without prior warning to the defendant. Frequently, courts have also issued ‘John Doe’ orders[9] –orders to search and seize against unnamed/unknown defendants - which virtually translates into untrammelled powers in the hands of the plaintiffs, aided by court-appointed local commissioners, to raid any premises they set their eyes on.

Although the authority of the courts under Indian law to grant these orders is suspect[10], they have virtually been regularized in practice over the past decade through routine issual by the High Courts, especially the Delhi High Court. This has led to a widespread phenomenon of powerful copyright owning groups such as the Business Software Alliance and the Indian Performing Right Society Limited managing to successfully assume for themselves almost plenary powers of search and seizure as they go about knocking on the doors of small businesses and demanding to be allowed to audit their software. An anonymous post on the popular Indian Intellectual Property Weblog ‘Spicy IP’ graphically conveys the invasiveness inherent in the execution of these orders:

Ghost Post on IP (Software) Raids: Court Sponsored Extortion?[11]

Picture this:

You are working in your office one day, when all of a sudden, a group of people arrive unannounced brandishing a court order. The order allows them to walk into your office and conduct an audit of all your office computers to collect evidence of the use of unlicensed software in your office.

This group consists of a court-appointed commissioner, lawyers representing the plaintiff, and technical persons who will carry out the actual software audit.

Knowing that to disobey the order will amount to a contempt of court, you allow the group to carry out the audit.

The audit lasts several hours and continues well into the night. Needless to say, it is physically and emotionally draining on you as your work has come to a stand-still. Everyone around you knows there is some court proceeding going on. You have already lost face with your employees, and possibly even clients who have visited your office during the audit.

As you have several dozen computers purchased over a period of time, and the audit is conducted unannounced, you may not have the time to gather documentation and invoices demonstrating the purchase of licensed software.

While the court order allows you to back up your valuable client and business data, the plaintiff’s lawyers don’t allow you to do so, stating that documents/ data found on machines that contain any unlicensed software may not be backed up.

All computers found with copies of what the plaintiff’s lawyers are calling unlicensed software are seized and sealed. You do not have the time, presence of mind or legal representation to argue that such copies may be backup copies allowed under the law, or that therefore several, or all of the seized machines are not liable to be seized, or that such copies are actually allowed under the software license.

Even more importantly, your licensed servers are seized because they are found to contain back-up copies of software, allowed under the law, but deemed infringing by the plaintiff’s lawyers.

At the end of the audit, you are informed that your computers contain copies of unlicensed software to varying degrees. You are made to sign a report prepared by the commissioner, along with sheets that represent the software audit of each computer in your office.

Most of your computers and servers are seized and sealed. You are told that you cannot touch them till the court allows you to. You are not even allowed to separate the hard drives of those machines that contain the alleged unlicensed software, for the purpose of seizure, so as to enable you to continue using the rest of the machine, even though the court order clearly states that only storage media containing the unlicensed software is to be seized.

In a 2008 case, Autodesk Inc vs. AVT Shankardass[12], the Delhi High Court – which happens to be the most enthusiastic issuer of Anton Piller orders[13] –issued guidelines on the considerations which judges should weigh before granting such orders in software piracy cases. Worryingly, the guidelines stipulate that "The test of reasonable and credible information regarding the existence of pirated software or incriminating evidence should not be subjected to strict proof". Instead the court prescribes that "It has to be tested on the touchstone of pragmatism and the natural and normal course of conduct and practice in trade."

The Court also included a few guidelines meant to safeguard the defendant. These include the possibility of requiring the plaintiff to deposit costs in the court "so that in case pirated software or incriminating evidence is not found then the defendant can be suitably compensated for the obtrusion in his work or privacy." Although on the face of it, these guidelines threatened to open up the floodgates for the granting of Anton Pillar orders, in fact, these fears seem not to have been realized. The privacy-invasive ambitions of IP owners have been subverted by a combination of the security requirements stipulated in the Autodesk guidelines above, the judiciary’s own inefficiency/inconsistency and a greater assertiveness and defiance on the part of defendants. The following passage from the 2011 Special 301 India Country Report on Copyright Protection and Enforcement[14], prepared by the IIPA, records the industry’s frustrations in obtaining Anton Pillar orders from the courts over the past year:

Unfortunately, in 2010, such enforcement efforts have become much less effective due to judges imposing conditions on such orders.

With periodic changes to the roster of judges on the Original Side Jurisdiction of the Delhi High Court (which is done as a matter of routine and procedure where the roster changes every 6 months), BSA reports: 1) the imposition of security costs on Plaintiffs; 2) the grant of local commission orders without orders to seize and seal computer systems containing pirated/unlicensed software; 3) granting the right to Defendants to obtain back up copies of their proprietary data while at the same time ensuring that the evidence of infringement is preserved in electronic form; 4) assigning a low number of technical experts for large inspections, making carrying out orders more time-consuming and raising court commissioners’ fees; and 5) ineffective implementation and lack of deterrence from contempt proceedings against defendants who disrupt or defy Anton Pillar orders.[15]

Notwithstanding this temporary setback, Anton Piller orders and John Doe orders remain powerful weapons in the arsenal of large copyright owners who continue to use it in ways that are extremely intrusive. These orders exemplify an instance of how courts rarely reflect on the privacy implications of the orders that they themselves issue –similar action undertaken by the executive would have most likely invited the court’s consideration on whether they violate privacy.

In the next section we move on to private ‘technological’ measures of enforcing copyright which are likely to receive statutory sanction.

Technological Measures

In the light of the industry’s perception of a weakening of its enforcement options due to the judiciary’s waning enthusiasm, it remains to be seen what new manoeuvres they would make to strengthen enforcement. One foreseeable arena of conflict would be the new measures proposed to be included in the Copyright Act that criminalise the circumvention of ‘technological protection measures’ (TPMs) built into software by manufacturers. The proposed new Section 65A criminalises the circumvention of “an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act," "with the intention of infringing such rights”. This is punishable with imprisonment up to two years and a fine. However the section also creates a vast list of exceptions including research, testing, national security etc which make it a comparatively soft tool in the hands of prosecutors. Among the list of exceptions is a clause that enables the circumvention of TPMs in order to facilitate purposes that are 'not expressly prohibited' – including, conceivably, to exercise fair dealing rights under Section 52. Although this is a welcome provision, it requires, as a condition of its exercise, that the person ‘facilitating the circumvention’ maintain a record of the persons for whose benefit this has been done. This has led to apprehensions of violations of privacy especially from disability rights groups, who would potentially be the biggest users of this section as it would enable them to make electronic content more widely accessible. However, the lawful exercise of this right would mean that each instance of use of electronic content – say an e-book – by a disabled person would be recorded, which could deter them from accessing content. It would also clearly amount to a violation of their privacy compared to other analog users who are not required to similarly maintain logs each time they share books, for instance.

On the whole, despite the effect these measures have of diminishing absolute control over our electronic resources, the fact that the IIPA - which has been one the most rapid ‘defenders’ of IP - has consistently complained about their inadequacy in its Special 301 Reports[16] gives us some cause for optimism that the privacy invasions it could occasion would not be too severe.

Meanwhile, in a first of its kind, in 2005 the High Court of Andhra Pradesh permitted the prosecution, under the Copyright Act, of persons accused of having circumvented technological protection measures in mobile devices.

In Syed Asifuddin and Ors. v The State of Andhra Pradesh [17] the accused had altered the software on the mobile handsets provided by one service provider (Reliance), so that the same handset could be used to access the network of a rival provider (Tata Indicom). The Court observed that "if a person alters computer programme of another person or another computer company, the same would be infringement of the copyright." The matter was then relegated to the trial court to receive evidence on whether in fact such alteration had occurred.

This ruling, if correct, effectively negates the need for any amendment to the law since circumvention of technological measures typically involves an unauthorized alteration of copyrighted code. Of course it would always be open to the defendant to assert his fair dealing rights in defence, but that issue was not deliberated upon by the High Court in this instance.

Portents

With the terrain of copyright infringement increasingly shifting from ‘street piracy’ to online piracy, it remains to be seen how innovations in copyright enforcement impact privacy. Three events are particularly interesting in this context.

In August 2007, a techie from Bangalore was arrested on charges of having posted incendiary images of a popular folk hero on a website. He had been traced based on the IP Address details provided by a leading ISP. It later turned out that the IP address information was incorrect. By the time the error was noticed, he had already been held in jail illegally for a period of 50 days.[19] Shocking as this incident is, it offers a portent of the gravity of the possible privacy abuses that we are likely to witness in the years to come as copyright owners begin to hunt down infringers on the Internet.
In 2006, the Delhi High Court the pioneer among the Indian Judiciary in issuing John Doe orders added another feather to its cap by permitting the filing of a suit against an IP address. In a case of defamation by email from an unknown sender, a company was able to successfully file a suit against the IP address and obtain an order against the ISP to track down the user who was later impleaded as a party to the suit. This case and the growing number of John Doe orders issued, indicates that the judiciary in India has been quite willing to partner with litigants in their fishing expeditions. While it cannot be gainsaid that this has aided the legitimate interests of litigants, this has come at the price of a callous disregard for the interests of consumer privacy in India, which, as the incident described above highlights, could easily descend into a full blown human rights violation.
With the arrest in November 2010 of a four-member gang from Hyderabad for uploading media content – including popular film titles - on Bittorrent, the popular online file sharing tool, the industry has signalled its capacity and willingness to take the battle over copyright to the Internet.[20] New rules notified under the Information Technology Act make it mandatory for 'intermediaries' (ISPs) to co-operate in locating and removing ‘infringing content’ that is stored or transmitted by them.[21] This will facilitate untrammelled access to users by copyright industries.

Although it is too early to predict the future for the Internet that these developments will result in, they are definitely a source of apprehension from the perspective of privacy.

Copyright and Confidential Information

Although the protection of 'confidential information' and 'copyright' occupy distinct realms in the law[22], they converge occasionally, and copyright has been used as an instrument by people and organisations to protect their confidential information. In fact it has become quite routine for written pleadings by plaintiffs in cases to assert the omnibus infringement of their ‘copyrights, confidential information, trade secrets, trademarks designs etc’ without specifying which of the claims is urged. For instance in Mr. M. Sivasamy v M/S. Vestergaard Frandsen[23] a case before the Delhi High Court, the plaintiffs claimed that. "Defendants are violating the trade secrets, confidential information and copyrights of the plaintiffs.”; Similarly in Dietrich Engineering Consultant v Schist India & Ors , before the Bombay High Court, the plaintiffs contended"..the suit is filed to prevent unauthorized and illegal use of the plaintiffs confidential information and infringement of the 1st plaintiffs Copyright".[24]

In one of the earliest cases of this kind, Zee Telefilms Ltd. v Sundial Communications Pvt. Ltd, the Bombay High Court delivered a ruling in favour of the plaintiffs on both grounds of copyright infringement and confidential information. Here the employees of the plaintiffs – a company engaged in the business of producing television serials - had developed the concept for a program which they had registered with the Film Writers Association. Subsequently, they made a confidential pitch of the concept to the representatives of the defendants, a well known TV channel. Although initially the defendants appeared reluctant to take the concept forward, they proceeded later on, without the authorization of the plaintiffs, to produce a TV serial that closely mirrored the ideas contained in the show conceived by the plaintiff. In an action seeking to restrain the defendants from proceeding with their production, the High Court agreed with the plaintiff’s claims both on the count of copyright infringement and confidentiality. Curiously, the determination of both issues turned on the similarities between the plaintiff’s and defendant’s concepts – which is traditionally a determination relevant only to copyright cases. On the issue of confidentiality, the court held "Keeping in view numerous striking similarities in two works and in the light of the material produced on record, it is impossible to accept that the similarities in two works were mere coincidence...the plaintiffs' business prospect and their goodwill would seriously suffer if the confidential information of this kind was allowed to be used against them in competition with them by the defendants."

Although a clear line is demarcated between the claims of confidentiality and copyright in this case, this distinction is less sharp in other cases of the same nature.

In a more recent case Diljeet Titus, Advocate v Mr. Alfred A. Adebare & Ors[25] four associates of the plaintiff’s law firm quit together to start their own practice. While leaving they took documents they had drafted including agreements, due diligence reports and a list of clients along with them. The plaintiff filed a suit for injunction, asserting both that this material was confidential and that he owned the copyrights over them. The Delhi High Court agreed and issued an injunction restraining the defendants from “utilizing the material of the plaintiff forming subject matter of the suit and from disseminating or otherwise exploiting the same including the data for their own benefit.” What is interesting in this case is the conflation of confidentiality and copyright – both in the allegations of the plaintiff and the rebuttals of the defendant who sought to resist claims of confidentialty on grounds that they had themselves authored the papers in question.

Curiously, where copyright and confidentiality claims coincide, it would appear that the parameters of determining copyright infringement end up determining the issue of confidentiality as well.

In the next section we move on to the last copyright/privacy issue that we had flagged in the introduction – the invocation of copyright in aid of the ‘right to publicity’ of individuals which can be read as a kind of privacy claim.

Copyright and Publicity

Do we have a copyright over our identities – our names, our appearances, our life histories, our reputation and our bodies - so that we have an actionable interest in preventing their deployment in public without our express authorization?

This question has arisen in a limited set of cases in India that raise interesting questions. As with the confidentiality cases discussed above, the lines separating ‘defamation’ actions from ‘copyright’ claims is not brightly drawn in these cases. Neither is the line linking copyright to the protection of privacy clearly evident. All one can say with confidence is that copyright and privacy are two words tossed into the plaints by the plaintiffs while asserting their claims.

In one of the most high-profile cases of its kind, Phoolan Devi v Shekhar Kapoor[26] the Delhi High Court was faced with the question of whether ‘public figures’ are entitled to any degree of control over the representation of their lives. Here the petitioner, Phoolan Devi, a reformed bandit, had 'licensed'[27] the production of a biopic on her life to the defendant, a film director of note, who was to consult the plaintiff’s own writings and those of her authorised biographer in making the film. However, the defendant – the director of the biopic – had exceeded this mandate and also depicted incidents that emerged from various newspaper accounts – including a graphic gang rape scene where the plaintiff was the victim, and a massacre which she had allegedly orchestrated. Although generally well-known, neither of these incidents were either admitted to by the plaintiff herself or mentioned in the plaintiff’s own writings and those of her biographer. Even worse, the film had not been shown to her even several months after it had been released to national and international audiences.[28] In Arundhati Roy’s moving words the producers of the film “[R]e-invent her life. Her loves. Her rapes. They implicate her in the murder of twenty-two men that she denies having committed. Then they try to slither out of showing her the film!”[29]

One of the contentions that the petitioner’s advocate had advanced was that the defendant had no right “to mutilate or distort the facts as based upon prison diaries” and that any such distortion would fall afoul of her right under Sec 57 of the Indian Copyright Act. This section confers certain ‘special rights’ on the author including the right to claim authorship and to restrain any distortion/mutilation or modification of the work that would be prejudicial to his/her honour or reputation.[30]

These rights survive any assignment of the copyright made by the author i.e. they can e asserted by the author above any contract entered into by her with third parties such as the producer in this case. The Court framed the question it was faced with in these terms:

[T]he question before me is whether such person like the plaintiff has no right to defend when someone enlarges the terrible facts, enters the realm of her private life, depicts in graphic details rape, sexual intercourse, exhibits nudity, portrays the living person which brings shame, humiliation and memories of events which haunts and will go on haunting the plaintiff, more so the person is still living. Whether the plaintiff has no right and her life can become an excuse for film makers and audience to participate in an exercise of legitimate violence with putting all inhibitions aside.

Ultimately, the High Court sided with the petitioner and issued an injunction restraining the defendant from exhibiting his film.[31] This decision was based more on a consideration of constitutional right to privacy principles than an evaluation of the plaintiff’s case under Copyright law. However, it does provide an interesting factual matrix for the exploration of the way in which protection of copyright and privacy might overlap.

In a contrasting case before the Bombay High Court, Manisha Koirala v Shashilal Nair & Ors [32] an injunction was sought against the release of a film in which the petitioner, a noted actress, was depicted in the nude through the device of a ‘body double’. Here the plot was entirely fictional and the plaintiff, a noted actress, had agreed to perform in the film with ‘substituted shots’ during the scenes in the story that involved nudity. Subsequently, she appears to have reconsidered this decision and objected to the very inclusion of these scenes in its final version. In her petition before the court, she alleged defamation and malicious injurious falsehood, arguing that the exhibition of the film would result in a violation her right to privacy "as the objectionable shots, attempt to expose the body of a female which is suggested to be that of the plaintiff". She contended that “the right to portray her on screen can only be exercised in a manner, which is subject to the fundamental principle that such portrayal can only be with her unconditional consent." "The present rendition" of her part in the film, she alleged was “an invasion of privacy as it is embarrassing and will cause irreparable damage to her reputation which remains untarnished thereby causing irreparable loss and injury”. Although Copyright is not invoked in this case by the petitioner, there is an audible echo of some of the reputational anxieties that had animated Phoolan Devi’s case mentioned above. The difference, however, is that in this case the petitioner’s claim was not grounded in a quest for control over her biography, but over the image of her body. Unlike the previous case, here the Court was unsympathetic to the petitioner’s claims. The court treated her previous ‘consents’ as determinative of all issues and dismissed her case holding:

"The Court ...cannot be a moral guardian in this context. ..It is.. clear to my mind that once having agreed to act in the film it will be too late for the plaintiff .. to hold that a case of defamation has been made out.. To maintain a case of malicious falsehood it must be held out that the statement was false. In the instant case what is sought to be contended is that the scenes involving the film artist would result in an action of malicious injurious falsehood or malicious falsehood by associating the plaintiff's with the scenes which she had not enacted.. The plaintiff was prima facie aware as earlier held and that the scenes formed part of the story board have been enacted by a double and consequently it cannot be said that in the present case the plaintiff has been able to establish a case of malicious falsehood."[33]

One of the facts that was relevant in the court’s decision was that the defendant, as the ‘holder of the copyright in the film’, had incurred vast expenditure in publicising its release. Here, in a reversal of the Phoolan Devi case, copyright is held up as a shield against a competing privacy claim. The issue of the extent of overlap between copyright and privacy however remains unsettled in law. In April 2007, the Madras High Court granted a temporary injunction against the publishers of an unauthorised biography of former Tamil Nadu Chief Minister Jayalalitha. In her petition she alleged that the biography “had been written without any verification of facts. Such a publication would spoil her image and damage her status in politics and public life.” Her petition contended that “No one has a right to publish anything concerning personal private matters without consent, whether truthful or otherwise, whether laudatory or critical.[34]

Although it does not reference Copyright law, this case is another illustration of the enduring relevance of the question of whether we are entitled to the exclusive authorship of our private life-stories.

The Private under the Copyright Act

In its various sections, the Copyright Act inscribes certain spaces and actions as either public or private. Specified activities are labelled public even though they are conducted within the domestic confines of one’s home. Similarly, activities that infringe copyright are nevertheless immunised from prosecution due to the fact that they are conducted for a ‘private’ purpose. In this concluding section of this paper, we try to piece together a narrative of privacy and the private domain that emerges from a combined reading of various sections and decisions under the Copyright Act.

We begin, here, by collating the Copyright Act’s various articulations of the ‘public’ and ‘private’. By treating them as intertwining, mutually constitutive terms, we proceed to analyse these various articulations in the Copyright Act with a view to seeing what account of the private realm may emerge.

Public/Publish

One of the key rights that most owners of copyrights enjoy is the exclusive right to "publish" or "communicate their work to the public".

The Act defines "publication" to mean “making a work available to the public by issue of copies or by communicating the work to the public”. Significantly, in case of dispute, if the issue of copies or communication to the public is “of an insignificant nature” it is deemed not to constitute a publication [Section 6]. This signals that the notions of publicity and publication under the Copyright Act are in some senses moored to the magnitude of the receiving public. The ‘private’ then is constituted, reciprocally, as the ‘insignificant public’.

Under the Indian Copyright Act, "communication to the public" occurs when a person makes any work “available for being seen or heard or otherwise enjoyed by the public directly or by any means of display or diffusion other than by issuing copies of such work”. Such communication occurs “regardless of whether any member of the public actually sees, hears or otherwise enjoys the work so made available.”[Section 2(ff)][35]

Private

The word ‘private’ is expressly referenced in four provisions of the Copyright Act.

Section 39 declares that “the making of any sound recording or visual recording for the private use of the person making such recording, or solely for purposes of bona fide teaching or research” would not violate the broadcast reproduction right or performer's right;
Section 51 which stipulates when copyrights are infringed declares that the “imports into India, any infringing copies of the work” would constitute an infringement except if it is only a single copy of any work that is imported “for the private and domestic use of the importer”.
Section 52(1) of the Copyright Act lists certain acts as not infringing of copyright. These include:

(a) a fair dealing with a literary, dramatic, musical or artistic work, not being a computer programme, for the purposes of private use, including research. A proposed amendment to this section seeks to extend this protection to all ‘personal’ uses in addition to ‘private uses including research[36]. ‘Personal use’ has been interpreted in non-copyright contexts to include the family members of the person living with him.[37] The definition of ‘person’ under the General Clauses Act includes a “company or association or body of individuals, whether incorporated or not”. Although the case law on the point is scant[38], it would be interesting to see if ‘personal use’ can be read to include the use by companies internally, thereby casting a shroud of privacy on corporations for the purpose of copyright.
(p) the reproduction, for the purpose of research or private study or with a view to publication, of an unpublished literary, dramatic or musical work kept in a library, museum or other institution to which the public has access.

In addition to the provisions listed above, Section 52 the Act also shields certain spaces and occasions as immune from the charge of copyright infringement (although they are not specially designated as ‘private’). These include educational institutions[39], non-profit clubs, societies[40], religious institutions[41] and religious ceremonies including marriages.[42]

Perhaps the most elaborate calibration of the boundaries between the 'private' and 'public' under the Indian Ccopyright Act by the judiciary occurs in the case Garware Plastics and Polyester vs Telelink & Ors[43]., decided by the Bombay High Court in 1989. The case called for the determination of whether films transmitted via neighbourhood cable networks and viewed in the privacy of customers’ homes would constitute an unauthorised ‘communication to the public’ under the Copyright Act. Here the defendants had purchased video tapes of popular films and begun transmitting them over cable networks owned by them. For this they charged a monthly maintenance fee from their customers. Under the Copyright Act then in force, ‘communication to the public’ was defined simply as "communication to the public in whatever manner, including communication through satellite.” After an extensive review of English law on the subject, the court ruled that this did constitute an unauthorised communication to the public:

"Whether a communication is to the public or whether it is a private communication depends essentially on the persons receiving the communication. If they can be characterized as the public or a protein of the public , the communication is to the public…From the authorities the principal criteria which emerge for determining the issue are(1) the character of audience and whether it can be described as a private or domestic audience consisting of family members or members of the household, (2) whether the audience in relation to the owner of the copyright can be so considered…Applying the test of the character of the audience watching these video films , can this audience be called a Section of the public or is this audience a private or domestic audience of the defendants ? In the present case it cannot be said that the audience which watches video films shown by the defendants consists of family members and guests of the defendants. The video film may be watched by a large Section of the public in the privacy of their homes. But this does not make it a private communication so as to take it our of the definition of "broadcast" under the Copyright Act, 1957.

It is true that the network operates through the connection of a cable to all these various apartments or houses. But this cannot in any way affect the character of the audience. The viewers are not members of one family or their guests. They do not have even the homogeneity of club members of one family or their guests. They do not have even the homogeneity of a club membership.[44] (emphasis added)

A central feature emerging from this case that distinguishes public form private in Copyright law is homogeneity or affiliation: that space is marked ‘private’ where a pre-affiliated group – united either by kinship or association in pursuit of a common goal – comes together in pursuit of a non-commercial common interest. Conversely, ‘Public’ is where the unaffiliated congregate. On the face, this accords with the spirit of the various fair dealing rights under the Copyright Act which carve out immunised spaces for institutions that correspond to these definitions – educational institutions, religious institutions and ceremonies, amateur clubs etc are immune from infringement actions because, one could say, their activities are ‘private’.

In 1994 the Copyright Act was amended to fortify this conclusion by expanding the definition of ‘communication to the public’ to include ‘communication through satellite or cable or any other means of simultaneous communication to more than one household or place of residence including residential rooms of any hotel or hostel shall be deemed to be communication to the public;” (Sec 2(ff), Explanation)

Conclusion

I would like to conclude this paper with some reflections on the assertion I made in the introduction about copyright law being both an instrument for the protection and violation of privacy. From the discussion in the previous sections, it follows:

Firstly, that 'property' – as embodied by copyright law – is, at best, an unreliable guarantor of privacy. It works when bussed along with dignity claims– for instance the Phoolan Devi case where the petitioner’s suffering underlay her property claim– but fails when asserted as ‘property’ per se (as in Manisha Koirala’s case[45]). One does not (under the Indian Copyright Act, at least) have a reliable ‘property’ interest in one’s life story, bodily representation, name etc. This stands in contrast with other regimes such as the US where several states have enacted ‘Right to publicity’ statutes or have recognised publicity rights through common law processes.[46]

These rights can be read to offer people a 'property' means for protecting their privacy (by preventing unauthorised publicity) in those jurisdictions. Analogous claims are unavailable in India.

Secondly, that ‘property’ operates frequently as a license for the violation of privacy with impunity. This emerges most clearly from the cases of copyright investigation that we examined in Section 1.2 above. Pecuniary copyright interests appear to completely overwhelm any regard for competing privacy concerns.

Thirdly, that, notwithstanding the preceding two points, the copyright act does protect privacy in limited ways. Chiefly these are a) By conferring limited copyright on 'unpublished works', it enables authors to restrict their publication except on terms acceptable to them. b) The Act grants a very wide “Performer’s right” to performers and no sound or visal recording may be made of them without their express consent. No such recording can broadcast or communicated to the public without their consent. This gives a very powerful weapon of control in the hands of performers to restrict the extent to which representations of them are publicised. C) As mentioned above in the penultimate section of this paper, various fair dealing exceptions carve out spaces of privacy where infringing acts are granted immunity – for instance private uses, uses in educational institutions and libraries, etc.

Lastly, with the arena of copyright infringement shifting gradually to the internet, it is foreseeable that the IT Act will be employed with greater frequency in the coming years to do the work of copyright enforcement. The legal regime already supports this change through provisions in the IT Act which preserve all existing rights available under the Copyright Act [Section 81 (proviso) of the IT Act] and put new powers of take-down [see Intermediary Guidelines] in the hands of Copyright Owners. Thus on the one hand, copyright owners would be able to lawfully hack into potential infringers’ computers while enjoying immunity under the IT Act. On the other hand, ‘intermediaries’ would be legally bound to co-operate in copyright enforcement including, conceivably, handing over a number of personal details of those accused of copyright infringement. In other jurisdictions, such as the EU, such ‘co-operation’ is heavily policed by judicial oversight where personally identifiable information is involved[47]. Contrastingly, in India, with its diminished concerns for privacy and limited awareness of how IP address data can seriously imperil privacy, there is a very real threat that these provision will license the wholesale violation of online privacy.

Notes

[1]Anon, 2005. Towards Knowledge Societies, Paris: UNESCO. Available at: http://unesdoc.unesco.org/images/0014/001418/141843e.pdf [Accessed April 20, 2011].

[2]Sundaram says "Temporal acceleration was a significant part of the imaginary of developmentalism - this was inherent in the logic of 'catching up' with the core areas of the world economy by privileging a certain strategy of growth that actively delegitimized local and 'traditional' practices."

[3]This aspiration underlies several of the policy documents prepared in India in the last decade – Illustratively, the report submitted by the National Task Force on Information Technology (NTFIT) in 1998 captures this sentiment well: “For India, the rise of Information Technology is an opportunity to overcome historical disabilities and once again become the master of one's own national destiny. IT is a tool that will enable India to achieve the goal of becoming a strong, prosperous and self-confident nation. In doing so, IT promises to compress the time it would otherwise take for India to advance rapidly in the march of development and occupy a position of honor and pride in the comity of nations” Tiwari, Ghanshyam et al. Government of India. Central Advisory Board of Education, Ministry of Human Resource Development .Report of the Central Advisory Board of Education Committee On Universalisation of Secondary Education. New Delhi: 2005

[4]There is some ambiguity on whether offences under the Copyright Act punishable with imprisonment “which may extend to three years” are 'cognizable' or not. The Code of Criminal Procedure 1973 classifies all offences which prescribe a penalty of three years and above as cognizable and non bailable [First Schedule]. Offences which are punishable with imprisonment of less than three years are classified as ‘non-cognizable’ and ‘bailable’. In the absence of a definitive ruling from the Supreme Court on this issue, different High Courts have offered conflicting interpretations. See Singh, S. & Aprajita, 2008. Insight into the nature of offence of Copyright Infringement. Journal of Intellectual Property Rights, 13(6), pp.583-589. Available at: http://nopr.niscair.res.in/bitstream/123456789/2433/1/JIPR%2013%286%29%20583-589.pdf [Accessed May 12, 2011]. See also Agarwal, D.K., 2010. Arrest under the customs act ? Bailable or non-bailable offence. Translation Interpreting Services. Available at: http://translation-tech.com/blog/213/arrest-under-the-customs-act-bailable-or-non-bailable-offence/ [Accessed May 12, 2011]. The determination of this issue would have wide ranging implications since the police have a wider assortment of powers with respect to interrogation, arrest, search and seizure in the course of investigating cognizable offences than they have with respect to non-cognizable offences.

[5]"Where Director of Inspection or Commissioner in consequence of information in his possession, has reason to believe that any person having in possession of any money, etc.." has not disclosed it for purposes of Income Tax.

[6]AIR 1997 Raj 78 < http://indiankanoon.org/doc/661363/>

[7]Event and Entertainment Management Association v. Union of India (Delhi HC) Order dated 2nd May 2011 <http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=84697&yr=2011>. Harkauli, S., 2011. HC nullifies police circular on copyright issue. The Pioneer. Available at: http://www.dailypioneer.com/336974/HC-nullifies-police-circular-on-copyright-issue.html [Accessed May 9, 2011].

[8]Ibid

[9]As recently as April 2011, the Delhi high court restrained “cable operators nationwide from telecasting matches of the Indian Premier League (IPL) without authorization from MSM Satellite (Singapore) Pte Ltd, which owns the broadcasting rights. See Bailay, R., 2011. Cable operators can’t telecast IPL without authorization, says HC. Livemint. Available at: http://www.livemint.com/articles/2011/04/27212449/Cable-operators-can8217t-te.html?atype=tp [Accessed May 13, 2011]. For an early history of John Doe orders in India, see Krishnamurthy, N. & Anand, P., 2003. India Trade marks in a state of change. Managing Intellectual Property. Available at: http://www.managingip.com/Article/1321770/India-Trade-marks-in-a-state-of-change.html [Accessed May 13, 2011].

[10]These orders are granted by the Court supposedly under Section 75 read with Order 26 of the Code of Civil Procedure which empowers the court to appoint “Local Commissioners” to record evidence in special cases. I have stated my opinions elsewhere on why I believe these powers may not be invoked for the purpose of effecting routine searches and seizures in the manner as is currently being practiced by the higher judiciary – especially the Delhi High Court. See Iyengar, P., 2009. BSA’s response on Spicy IP – in perspective. Original Fakes. Available at: http://originalfakes.wordpress.com/2009/04/04/bsas-response-on-spicy-ip-in-perspective/ [Accessed May 10, 2011].

[11]Anon, 2009. Ghost Post on IP (Software) Raids: Court Sponsored Extortion? SPICY IP. Available at: http://spicyipindia.blogspot.com/2009/03/ghost-post-on-ip-software-raids-court.html [Accessed May 10, 2011].

[12]Autodesk Inc Vs. AVT Shankardass, Available at: http://delhicourts.nic.in/Jul08/Autodesk%20Inc%20Vs.%20AVT%20Shankardass.pdf [Accessed May 10, 2011].

[13]The 2011 Special 301 Country Report on India prepared by the IIPA specifically cites the Delhi High Court in this context, statng “The industry enjoys a very high success rate with respect to the grant of such orders at the Delhi High Court”. According to this report, the Business Software Alliance was able to obtain 34 such orders in 2009.

[14]Anon, 2011. Special 301 Report on Copyright Protection and Enforcement: 2011 India Country Report, International Intellectual Property Alliance. Available at: http://www.iipa.com/rbc/2011/2011SPEC301INDIA.pdf [Accessed May 9, 2011].

[15]Ibid at. Pp 41-42.

[16]The 2010 Special 301 Country Report lists the following defects of the proposed Section 65A: “(a) does not cover access controls and is limited only to TPMs protecting the exercise of exclusive rights; (b) covers only the “act” of circumvention and does not also cover manufacturing, trafficking in, or distributing circumvention devices or services; (c) does not define an “effective technological measure”; (d) contains an exception which would appear to permit circumvention for any purpose that would not amount to infringement under the act (thereby almost completely eviscerating any protection); (e) creates other overbroad exceptions; and (f) provides for only criminal and not civil remedies."

[17]Syed Asifuddin And Ors. v The State Of Andhra Pradesh, 2005 CriLJ 4314 (Andhra Pradesh HC ).

[18]Ibid.

[19]Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011]. See also Nanjappa, V., 2008. “I have lost everything.” Rediff.com News. Available at: http://www.rediff.com/news/2008/jan/21inter.htm [Accessed March 23, 2011].

[20]Pahwa, N., 2010. Hyderabad Police Arrests Torrent Uploaders - MediaNama. MediaNama. Available at: http://www.medianama.com/2010/11/223-hyderabad-police-arrests-torrent-uploaders/ [Accessed May 12, 2011].

[21]GSR 314(E) Dated 11 April 2011: Information Technology (Intermediaries guidelines) Rules, 2011 http://www.mit.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf [Accessed May 12, 2011].

[22]See Zee Telefilms Ltd. v Sundial Communications Pvt. Ltd., 2003 (5) BomCR 404 (Bombay High Court 2003).

[23]Mr. M. Sivasamy v M/S. Vestergaard Frandsen (Delhi High court 2009).< http://indiankanoon.org/doc/916718/>

[24]Dietrich Engineering Consultant v Schist India & Ors (Bombay High Court, 2009) < http://indiankanoon.org/doc/1634545/>

[25]Mr. Diljeet Titus, Advocate vs Mr. Alfred A. Adebare And Ors, 130 DLT 330 (Delhi High Court 2006).

[26]Phoolan Devi v Shekhar Kapoor And Ors. (1994). DLT (Vol. 57 (1995), p. 154). Retrieved from http://indiankanoon.org/doc/793946/

[27]The conditions under which this license were obtained speak eloquently to the ills of the current copyright system. According to Phoolan Devi’s lawyer, the noted advocate Indira Jaisingh, the contract was signed by Phoolan Devi while she was behind prison bars. She did not speak or understand Hindi or English and only spoke in a local dialect. The copyright contract was written entirely in English and gave her a paltry sum or Rs. 2 lakh – which was a pittance considering the budget and projected returns from the film. Jaisingh, I., 2001. Supreme Court lawyer Indira Jaisingh pays tribute to Phoolan Devi. Available at: http://www.rediff.com/news/2001/jul/26spec.htm [Accessed June 10, 2011]. Arundhati Roy’s two superb critiques of the film and its director movingly capture why this is not a simple case of copyright assignment. See Roy, A., 1994. The Great Indian Rape Trick - I. Sawnet. Available at: http://www.sawnet.org/books/writing/roy_bq1.html [Accessed June 10, 2011].; Roy, A., 1994. The Great Indian Rape Trick - II. Sawnet. Available at: http://www.sawnet.org/books/writing/roy_bq2.html [Accessed June 10, 2011].

[28]Ibid, Roy, A., 1994. The Great Indian Rape Trick - I.

[29]Ibid, Roy, A., 1994. The Great Indian Rape Trick - II

[30]Section 57 of the Act reads “Author’s Special Rights: ‘Independently of the author's copyright and even after the assignment either wholly or partially of the said copyright, the author of a work shall have the right-

(a) to claim authorship of the work; and
(b) to restrain or claim damages in respect of any distortion, mutilation, modification or other act in relation to the said work which is done before the expiration of the term of copyright if such distortion, mutilation, modification or other act would be prejudicial to his honour or reputation:”

[31]The case was later settled out of court with Phoolan Devi being able to secure a substantially higher compensation. Ultimately, the case was not about the depiction of rape generally, but primarily about Phoolan Devi’s sovereign right to decide the terms on which her own life would be represented.

[32]Manisha Koirala v Shashilal Nair & Ors. (2002). BomCR (Vol. 2003 (2), p. 136). Retrieved from http://indiankanoon.org/doc/1913646/

[33]Ibid

[34]Anon, 2011. High Court Grants Injunction Till June 7 Against Publishing Book on Jayalalithaa. The Hindu, p.01. Available at: http://www.hindu.com/2011/04/27/stories/2011042762360100.htm [Accessed May 12, 2011].

[35]For a more dispersed account on the concept of the ‘public’ under Indian law, See Iyengar, P, ‘Where the private and the public collide’, iCommons Lab Report, September- October 2007, pp. 7-8, Icommons.org, < http://archive.icommons.org/articles/what-is-public> last visited May 2011

[36]Copyright (Amendment) Bill 2010 http://prsindia.org/uploads/media/Copyright%20Act/Copyright%20Bill%202010.pdf

[37]See Sivasubramania Iyer v. S.H. Krishnaswamy AIR 1981 Ker 57 , a case under Kerala Buildings (Lease & Rent Control) Act 1965.

[38]Goods purchased for the private use of a corporation would be goods purchased for the ”personal use” of the corporation. 158 IC 703.

[39]52(1)(g), (h) and (i)

[40]52(1)(k) and (l)

[41]52(1)(l)

[42]52(1)(za)

[43]AIR 1989 Bom 331, 1989 (2) BomCR 433, (1989) 91 BOMLR 139 <http://indiankanoon.org/doc/858705/>

[44]Ibid.

[45]At first glance this distinction may seem facile since even Manisha Koirala invoked ‘reputational harm’ as a prop to buttress her property claim. However, I believe this case was complicated by the fact that the court had to consider whether the display of someone else’s body could have implicated Manisha Koirala’s privacy/dignity. Koirala was, in effect, arguing that she had absolute ‘proprietorial’ control over all representations of her body – a property argument which the court was unwilling to concede.

[46]See Footnote 90 and accompanying text in Samuelson, P., 2000. Privacy as Intellectual Property? SSRN eLibrary; Stanford Law Review. Available at: http://ssrn.com/paper=239412 [Accessed on June 14, 2011].

[47]Lebatard, F.-R., Copyright Enforcement and the Protection of Privacy in France. Translegal. Available at: http://www.translegal.com/feature-articles/copyright-enforcement-and-the-protection-of-privacy-in-france [Accessed June 14, 2011].

For more details visit https://cis-india.org/internet-governance/blog/privacy/copyright-enforcement

Cool Jobs | Parmesh Shahani, Head, Godrej India Culture Lab

praskrishna — 2013-01-17T05:55:47Z

The man behind Mumbai’s most original ideas space on being a cross-pollinator

The following interview was published in LiveMint on January 4, 2013.

The Vikhroli catalyst

Parmesh Shahani, a former editorial director of Verve magazine, thought up the Godrej India Culture Lab, a cultural ideas platform, after becoming a TED Fellow in 2009, realizing then that Mumbai, or India, has no space that encourages cross-pollination of ideas around contemporary society, anthropology and culture.

Shahani, the author of Gay Bombay: Globalization, Love And (Be)Longing in Contemporary India, has earlier managed research for Massachusetts Institute of Technology (MIT) think tank related to media convergence.

Ever since Godrej’s Nisa Godrej took up his idea, the Godrej India Culture Lab has hosted a conference called Urban (Re)imagination—which it launched in 2011—talks by Japanese architect Tadao Ando, and MIT economist Abhijit Banerjee, film screenings and book readings on themes as diverse as Calcutta jazz and jugaad. Shahani says he works on weekends and looks forward to Monday mornings. Edited excerpts from an interview:

What exactly does your work involve?
My work involves identifying interesting people and ideas and then connecting them to each other—either through public talks, conferences, salons or other means of interaction. There are certain themes I am interested in exploring, such as what it means to be modern and Indian today, what it means to be young or urban, and to be connected through technology. My work often feeds directly into the larger Godrej group efforts. We have a campaign called Godrej LOUD—Live Out Ur Dreams—on MBA campuses across India with excellent results.

What is the best part of your job?

It doesn’t feel like a job. It feels like a calling, a mission, and is an incredible adventure. Each day is different—and fun. It enables me to use all the different aspects of my mind, and tap into my global networks to focus on how we are looking at the changes taking place in contemporary India. I love meeting other people who are on the same mission—the people at Gateway House, India’s first foreign policy think tank, or the Centre for Internet and Society in Bangalore, or people like Rikin Gandhi from Digital Green that trains farmers to use cameras to record their best practices and share it with each other.

What are your challenges and what more do you want to bring into the Lab?

At this moment we are more of a sandbox and catalyst. I’d like us to start producing original research soon by having full-time experts on board. We have recorded videos of all our talks of the past two years; they will go up on our website, which is under development. Finally, I’d like to attract more audiences to our events and efforts. We’ve already put our Godrej campus at Vikhroli, Mumbai, on the cultural map of the city.

What has been your favourite project here?

My favourite project has got to be the recent Museum of Memories that I curated in an abandoned 60,000 sq. ft Godrej warehouse on 15 December 2012, in collaboration with other city organizations like Junoon, Visual Disobedience, Brown Paper Bag, as well as loads of performers, artists and musicians from the city. It was a pop-up one-day only event with performances, music, theatre, tea, yoga, live art, graffiti, videos, dance, robots, alternate reality games, and more. The event bridged different spaces and it will remain very special.

For more details visit https://cis-india.org/news/livemint-january-4-2013-sanjukta-sharma-cool-jobs

Cookies, not the monster you may think

Sweta Akundi — 2019-04-12T01:10:07Z

Follow the crumbs to a better understanding of data protection and privacy.

The article by Sweta Akundi was published in the Hindu on April 8, 2019. Pranav Manjesh Bidare was quoted.

You’re window-shopping at an electronics store, looking at headphones. The sales assistant offers some help, but you politely decline. “I’m just looking,” you respond. A month later, you come back, and the sales assistant not only remembers you, but also directs you to the latest headphones they have. Creepy? Perhaps, but it’s a regular occurrence on e-commerce websites such as Amazon.

Enter cookies: small text files placed either temporarily or permanently by websites on your hard drive, which are used to monitor your activities online. Those annoying banners that pop up while you are opening a new website, telling you that this site uses cookies? You click okay in a huff because, let’s face it, you’re a busy wo/man? Essentially, you’ve given the websites permission to place cookies on your computer.

“HTTP cookies track user activities, save passwords, and authenticate sensitive information. For example, let’s say you make a purchase with your debit card. When you enter the OTP, you are notified to not refresh the page. That happens because when you enter sensitive information, an authentication cookie is created and stored. It helps the server verifying your transaction make sure that it is just you who is logged in, and not any other person who could try to access your data,” explains Pranav Manjesh Bidare, policy officer at Bengaluru-based The Centre for Internet & Society.

These cookies can be placed by either first-party (the website you are primarily accessing) or third parties (any website that places content onto the primary website). YouTube embeds, sponsored ads, social media links all fall under the latter category. They send you independent cookies which, too, can track your activities.

How safe is it?

“Cookies are vulnerable to interception by a malicious actor. When the cookie is being transmitted to and from your computer, there is a possibility of information like your browsing history, shopping trends, and authentication data being stolen from it,” says Pranav. “However, most of it is taken care of by the HTTPS protocol, which ensures a secure connection between servers and your computer.” Once the cookies are on your device, they can be safeguarded using proper anti-virus. “However there could also be cases where someone impersonates a website and accesses your cookies. That’s something the HTTPS protocol can’t solve alone.” You could manually delete cookies, or pay more attention to what you’re agreeing to share, when you enter a website. Moreover, the constant cookie consent pop-ups do get on the nerves.

That said, the European Union is amending its privacy laws; under the new regulations, if such a draft is passed, users will be given the option of a blanket refusal of cookies, or of just third-party ones, presented in an easy-to-understand layout. However, cookies deemed to be ‘non-intrusive’ will not be subject to restrictions under the regulation.

If there’s anything we have learnt from the Facebook and Cambridge Analytica fiasco, it’s that we need to have a better understanding of what privacy and data on the Internet means.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-sweta-akundi-april-8-2019-microchips-cookies-and-the-internet-privacy-authentication

Control Shift?

pranesh — 2011-08-02T07:22:12Z

The USA has ceded control of the Internet over to Icann, but only partially. (This post appeared as an article in Down to Earth, in the issue dated November 15, 2009.)

After dominating operations of the Internet for decades Washington has said it will relinquish some control. On September 30, the US department of commerce decided to cede some of its powers to the Internet Corporation for Assigned Names and Numbers (ICANN), the body which manages the net’s phone book—the Internet’s Domain Naming System (dns).

The system deals with online addresses: human understandable names (like google.com) are made to work with computer understandable names (81.198.166.2, for example). Managing this is critical because while Madras can be a city in both Tamil Nadu and Oregon, everyone wishing to go to madras.com must be pointed to the same place. For the Internet to work, everyone in the world must use the same telephone directory.

The Internet is not a single network of computers, but an interconnected set of networks. What does it mean, then, to control the Internet? For those wishing to access YouTube in late February 2008, it seemed as though it was controlled by Pakistan Telecom—the agency had accidentally blocked access to YouTube to the entire world for almost a day. For Guangzhou residents, it seems the censor-happy Chinese government controls the Internet. And for a brief while in January 1998, it seemed the net was controlled by one Jon Postel.

Postel was one of the architects of the Internet involved from the times of the net’s predecessor arpanet project, which the US department of defence funded as an attack-resilient computer network. He was heading the Internet Assigned Numbers Authority (iana), an informal body in de facto charge of technical aspects of the Internet, including the domain network system. But iana had no legal sanction. It was contracted by the department to perform its services. The US government retained control of the root servers that directed Internet traffic to the right locations.

On January 28, 1998, Postel got eight of the 12 root servers transferred to iana control. This was when the defence department was ceding its powers to the commerce department. Postal soon received a telephone call from a furious Ira Magaziner, Bill Clinton’s senior science adviser, who instructed him to undo the transfer. Within a week, the commerce department issued a declaration of its control over the dns root servers—it was now in a position to direct Internet traffic all over the world.

Soon after, the US government set up ICANN as a private non-profit corporation to manage the core components of the Internet. A contract from the department of commerce gave the organization in California the authority to conduct its operations. iana and other bodies (such as the regional Internet registries) now function under ICANN.

Right from the outset, ICANN has been criticized as unaccountable, opaque and controlled by vested interests, especially big corporations which manipulated the domain name dispute resolution system to favour trademarks. Its lack of democratic functioning, commercial focus and poor-tolerance of dissent have made ICANN everyone’s target, from those who believe in a libertarian Internet as a place of freedom and self-regulation, to those (the European Union, for instance) who believe the critical components of the Internet should not be in the sole control of the US government.

The department of commerce has from time to time renewed its agreement with ICANN, and the latest such renewal comes in the form of the affirmation of commitments (AoC). Through the AoC, the US government has sought to minimize its role. Instead of being the overseer of ICANN's working, it now holds only one permanent seat in the multi-stakeholder review panel that ICANN will itself have to constitute. But two days after the AoC, ICANN snubbed a coalition of civil society voices calling for representation; the root zone file remains in US control. It is too early to judge the AoC; it will have to be judged by how it is actualized.

For more details visit https://cis-india.org/internet-governance/blog/icann-control-shift