Pathways to Higher Education

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

ankan — 2021-06-03T12:53:57Z

With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all State Governments and the Central Government to channelize relief and welfare measures.

A majority of workers were dependent on relief provided by NGOs, Civil Society Organizations and individuals or credit via kinship networks. With mounting domestic and international pressures, various relief and welfare schemes were rolled out but they were too little, too late and more often than not characterised by poor implementation.

The aim of this report is to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown. The primary focus is on the host states of Tamil Nadu, Maharashtra and Haryana. 20 in-depth interviews were conducted remotely with migrant workers working in various sectors. Their access to welfare schemes of the Central Government as well as of their host states was ascertained. Emphasis was also laid on their access to healthcare facilities in relation to COVID-19 and non-COVID-19 ailments.

The findings of the report showcase a dismal state of affairs. No one in our sample group received any kind of dry ration or cooked food in a sustained manner and, in the rare occasions when they did, it was woefully inadequate. Of the three states considered, we found that relief distribution was the best in Tamil Nadu followed by Maharashtra and then Haryana. Even the Direct Cash Transfer Scheme of the Central Government under ‘Atmanirbhar Bharat’ did not reach the migrant workers. Moreover, the migrant workers were apprehensive to report any COVID-19 related symptom due to the draconian treatment that followed therein and the crumbling healthcare sector made it impossible to avail facilities in non-COVID-19 related issues. Lastly, a case has been made for the creation of bottom-level infrastructures to further dialogue between various stakeholders, including associations of migrant workers, for the implementation of schemes and policies which can consolidate migrant workers as a relevant political subject. As migrant workers reel from the impact of the second wave, pushing for on-ground infrastructure and supporting community-based organisations becomes even more urgent.

Click here to read the report authored by Ankan Barman and edited by Ayush Rathi. [PDF, 882 kb]

For more details visit https://cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants

Are Indian Consumer Laws Ready for the Digital Age?

vipul — 2013-08-08T11:52:40Z

The Economic and Social Council of the United Nations, recognizing the need for protection of the rights of consumers, drafted a set of model guidelines on consumer protection which were adopted by the General Assembly in 1985. The United Nations Guidelines for Consumer Protection (UNGCP) act as an international reference point of the consumer movement, however since it has been over a quarter of a century since they were first drafted, there is a strong argument for revising them to bring them in line with new developments in technology and business practices.

It is for this reason that that United Nations Conference on Trade and Development has undertaken a revision of the UNGCP. Consumers International, an international consumer rights organization has along with CIS and other groups been trying to represent the voice of consumers at the negotiations for this revision. As part of this effort, Consumers International has produced a book titled "Updating the UN Guidelines for Consumer Protection for Consumers in the Digital Age". This blog has been produced through a filteration of the essence of some of the arguments and issues addressed in that book.

In December 2012 there was a news report that pegged the market for online commerce in India at roughly USD 14 billion,[1] which is why some of the poster children of online retail in India are getting stratospheric valuations even though they are yet to show any major profits, case in point, Flipkart had a valuation of around USD 800 million[2] in 2012 and is looking for an IPO in around three to four years. Such huge numbers give a sneak peek into the size and scope of the Indian e-commerce marketplace which begs the question, if there are so many transactions occurring in the online marketplace and since a large number of those transactions are between retailers and domestic consumers, then are there any specific laws out there protecting the interests of consumers in the online world.

Apart from the Information Technology Act, 2000 and various circulars by the Reserve Bank of India regarding online banking and money transfer activities which are more generic in nature trying to secure the online space as a whole, there are no specific laws that seek to protect consumers in the online space. However, that does not necessarily mean that the consumers are left without any recourse and in this post we shall examine whether it is possible to use the Consumer Protection Act, 1986 to protect consumer rights in the online environment as well.

The Consumer Protection Act, 1986 (“COPRA”) was enacted with the purpose of empowering consumers to take on the might of large corporations and preventing unscrupulous businessmen from taking undue advantage of the weak position which consumers are inherently placed in under the archaic Indian judicial system. It set up special tribunals, simpler procedures and enacted special provisions to help consumers get a better bargaining position vis-à-vis manufacturers and retailers, etc. However, since this law was enacted more than a quarter of a century ago and it is not entirely geared towards protecting consumer rights in the digital era. However, that does not mean it is entirely toothless in the online environment although it certainly needs some major provisions to come to grasp with the special circumstances and practices of the online marketplace, as the rest of the discussion will demonstrate.

For any transaction to come under the purview of COPRA, it should have the following three essential requirements:

There should be a ‘good’ or ‘service’ sold or provided to a consumer;
Such good or service must be ‘sold’ i.e. there must be a ‘sale’;
There should be a ‘defect’ in the good or ‘deficiency’ in the service;

We will now examine different types of e-commerce transactions and discuss whether they fulfill the requirements given above and therefore are amenable to the jurisdiction of COPRA.

There should be a ‘good’ or ‘service’
This is issue is not very complicated so far as digital purchases of physical items are concerned. Since a book or a mobile phone is considered as a ‘good’ then it will always be considered as a ‘good’ irrespective of whether it has been bought from a physical shop or an online retailer. However, the question does take on an air of some complexity when dealing with digital items such as mp3 files and software programmes. The General Clauses Act, 1897 states that all property which is not immovable property is considered as movable property. Since immovable property is defined as land and things attached to the land, therefore it is pretty clear that ‘computer software’ would in all likelihood be considered as movable property. Whether such movable property can be considered as a ‘good’ or not is a question which is yet to be tested in the courts of law in India, however it must be mentioned that in the context of the Sales Tax Act, the Supreme Court of India has held canned software to be a ‘good’. Laying down a test for determining whether a property is a ‘good’ or not, the Supreme Court in that case laid down the following test:

“A 'goods' may be a tangible property or an intangible one. It would become goods provided it has the attributes thereof having regard to (a) its utility; (b) capable of being bought and sold; and (c) capable of transmitted, transferred, delivered, stored and possessed. If a software whether customized or non-customized satisfies these attributes, the same would be goods.”[3]

It must be emphasized again that the Supreme Court’s ruling was given in the context of the Sales Tax Act and it may not be accepted by a court deciding a case on COPRA. This is one issue which could and should be addressed under Indian laws to ensure that the large numbers of Indian consumers who buy items in the online marketplace are not left in a lurch and without the protection of the COPRA.

There must be a “Sale” of the good or service
Just as the previous issue, this question again can be simple when asked in relation to sale of physical goods using the internet but may not be so when talking about digital goods. When a physical item is purchased using the internet, a sale may be said to have occurred when the ownership of the good passes from the seller (online retailer) to the buyer (consumer) and the payment and delivery are complete. However, the question whether sale of software (here we are using this generic term for all sorts of computer programmes and data because the reasoning and legal analysis can be applied to both types of data) in an online environment would actually constitute a ‘sale’ requires a little more analysis. A huge problem in labeling online software purchases as a ‘sale’ is that most of these ‘sales’ are made in the form of a license. The manufacturers or retailers would argue that such an online purchase is not really a sale since the consumer usually only gets a license to use the product under strict conditions and does not buy the product as an owner, further this is really the industry standard when it comes to software purchases. The argument on the other side is that most websites advertise these products as an outside sale, for example, if you go to the Quick Heal antivirus website today and go to the page for “Home Users”[4] the page clearly shows a “Buy Now” tab and indicates the price at Rs. 1549/-. In fact in a number of cases you can actually buy the file containing the software without ever being shown the contractual terms of the agreement. These terms usually specify that you are only getting a license to use the product and may not have the right to resell or lend the product to others, rights which a traditional buyer of a product enjoys under law.

This issue was also discussed by a Full Bench of the Supreme Court of India in the case of Tata Consultancy Services v. State of Andhra Pradesh,[5] which ultimately held that the ‘sale’ of canned software (the term the court used for non customized software which is sold off the shelf) would be a sale of goods and therefore liable to be taxed under the Sales Tax Act. As is evident this decision was given in the context of the Sales Tax Act, but it could be argued that since tax statues are anyways supposed to be interpreted strictly and beneficial statutes such as the COPRA are required to be interpreted broadly, as per the accepted rules of legal interpretation, therefore it is possible that such a ‘license’ for computer software bought by an ordinary consumer could be considered as a ‘sale’ so as to bring the item within the ambit of the COPRA.

Here again we see that although there might be arguments which could be made to justify such licences for computer software as a ‘sale’, however it is still an untested issue and the COPRA certainly needs to take these issues into account if we want to protect the rights of the ever growing number of online consumers.

There should be a “defect” in the goods
If I order a pair of shoes from flpikart.com and the shoes arrive with one of the soles torn off, it’s a pretty straightforward case of there being a defect. In such a scenario unless the retailer has a specified return policy (which incidentally flipkart has) the consumer would have a right to approach the consumer forum to lodge a compliant. Similarly, if I buy a software from a manufacturer for my personal use and the file has a bug in it, it can fairly easily be considered as a defect since any fault, imperfection or shortcoming in the quality, quantity, potency, purity or standard or the good can be considered as a defect.

This is where things get a little interesting. What if we argue that stringent Digital Rights Management techniques by some online retailers are actually a defect in the goods since they do give the consumer all the rights that a buyer of goods would traditionally have. For example, if I buy an e-book with DRMs which restrict lending and on-selling, then two of my rights as a traditional book buyer are straightaway rescinded. Let us now examine the issue in the traditional context of the term ‘defect’.

If an article bought has any fault, imperfection or shortcoming in the quality, etc., then it would be considered as a defective good. For example, if a person buys a generator which is creating excessive noise, then it can be said that there is a shortcoming in the quality or the standard which is required to be maintained. A generator may supply electricity perfectly well and there may not be any fault at the time of running the machine but while operating the machine if it is creating more noise than the prescribed level, it can be said that there is a defect in the manufacture. An e-book with DRMs may also let a consumer read its contents but that may not be the only criteria to determine whether an item is defective or not. Using the traditional definition of a ‘buyer’, we can argue that a traditional buyer commonly has rights such as the right to resale, the right to make copies for personal use, the right to lend, the right to gift, etc., which may not exist in a an e-book with DRMs. Thus, an argument could be made that such measures constitute a ‘defect’ in the goods under the COPRA.

Again, this is only an argument and it is entirely possible that a court of law may reject such an argument, especially in light of the fact that the consumer has entered into a license agreement while completing the transaction which specifically grants the consumer only specific and limited rights in regard to the item being purchased. A possible counter to this argument could be that the agreement is generally long and verbose and is only presented to the consumer towards the end of the transaction when the consumer generally does not have the time to read it. Further, there is hardly ever a situation where the consumer can negotiate the terms of the contract, it is usually a standard form of contract which is heavily tilted in favour of the seller and the consumer is given no real choice in this regard. This is why in common law jurisdictions the courts have laid down certain principles or extra conditions which a standard form of contract has to abide by for it to be enforceable viz.,:

Sufficient notice: This principle requires that the major and specially the unusual terms in a contract should be displayed in a sufficiently highlighted manner so that a reasonable consumer is not likely to miss these unusual terms.[6]
Fundamental breach of contract: If the contract is so drafted that it would impose additional obligations on the consumer or restrict the liability and obligations of the seller in such a way that it would result in breaching any of the fundamental or main terms or obligations that one expects in such a contract, then such a contract may not be enforceable.[7]
Exclusion of unreasonable terms: Another type of protection that is available to consumers is the principle which seeks to exclude unreasonable terms from a contract i.e. a term which would defeat the very purpose of the contract or if it is repugnant to the public policy.[8]

Relying on the above principles of standard form contracts, it is possible to at least argue that highly strict and limiting terms which are put into a long verbose standard form contract which backs the Technology Protection Measures on a protected software may not be entirely enforceable, in which case the alleged consent of the consumer for such DRMs gets negated and the software with all its DRM limitations could be considered as ‘defective’.

Conclusion
From the discussion above it is clear that the nature of online transactions and digital goods presents certain unique problems for the legal regime which seeks to protect consumer rights. The law needs to be amended to take into account the unique circumstances of this fledging marketplace that exists online and ensure that the legal regime is fully capable of facing the challenges thrown up by e-commerce. One of the initiatives in this regard is the effort by Consumers International to include amendments in the Model United Nations Guidelines for Consumer Protection to include various provisions which deal with the online marketplace and its unique challenges as well as issues relating to access to knowledge (A2K). Perhaps it is time for the establishment in India to also take this into account and bring our quarter of a century old consumer protection legislation in line with the digital age.

[1]. http://goo.gl/Mh74vB

[2]. http://goo.gl/By5x3i

[3]. Tata Consultancy Services v. State of Andhra Pradesh, 5 November, 2004, available at http://goo.gl/Bn7KRp

[4]. http://goo.gl/lMdoI

[5].http://goo.gl/Bn7KRp

[6]. Henderson & others v. Stevenson, 1875 2 R (HL) 71, Interfoto Picture Library Ltd v. Stiletto Visual Programmes Ltd. [1988] 1 All ER 348.

[7]. Harbutt's "Plasticine" Ltd. v. Wayne Tank and Pump Co Ltd [1970] 1 QB 447.

[8]. Lily White v. R. Mannuswami, AIR 1966 Mad.13.

For more details visit https://cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age

Arbitrary Arrests for Comment on Bal Thackeray's Death

pranesh — 2013-01-02T03:42:37Z

Two girls have been arbitrarily and unlawfully arrested for making comments about the late Shiv Sena supremo Bal Thackeray's death. Pranesh Prakash explores the legal angles to the arrests.

Facts of the case

This morning, there was a short report in the Mumbai Mirror about two girls having been arrested for comments one of them made, and the other 'liked', on Facebook about Bal Thackeray:

Police on Sunday arrested a 21-year-old girl for questioning the total shutdown in the city for Bal Thackeray’s funeral on her Facebook account. Another girl who ‘liked’ the comment was also arrested.

The duo were booked under Section 295 (a) of the IPC (for hurting religious sentiments) and Section 64 (a) of the Information Technology Act, 2000. Though the girl withdrew her comment and apologised, a mob of some 2,000 Shiv Sena workers attacked and ransacked her uncle’s orthopaedic clinic at Palghar.

“Her comment said people like Thackeray are born and die daily and one should not observe a bandh for that,” said PI Uttam Sonawane.

What provisions of law were used?

There's a small mistake in Mumbai Mirror's reportage as there is no section "64(a)"¹ in the Information Technology (IT) Act, nor a section "295(a)" in the Indian Penal Code (IPC). They must have meant section 295A of the IPC ("outraging religious feelings of any class") and section 66A of the IT Act ("sending offensive messages through communication service, etc."). (Update: The Wall Street Journal's Shreya Shah has confirmed that the second provision was section 66A of the IT Act.)

Section 295A of the IPC is cognizable and non-bailable, and hence the police have the powers to arrest a person accused of this without a warrant.² Section 66A of the IT Act is cognizable and bailable.

Update: Some news sources claim that section 505(2) of the IPC ("Statements creating or promoting enmity, hatred or ill-will between classes") has also been invoked.

Was the law misapplied?

This is clearly a case of misapplication of s.295A of the IPC.³ This provision has been frivolously used numerous times in Maharashtra. Even the banning of James Laine's book Shivaji: Hindu King in Islamic India happened under s.295A, and the ban was subsequently held to have been unlawful by both the Bombay High Court as well as the Supreme Court. Indeed, s.295A has not been applied in cases where it is more apparent, making this seem like a parody news report.

Interestingly, the question arises of the law under which the friend who 'liked' the Facebook status update was arrested. It would take a highly clever lawyer and a highly credulous judge to make 'liking' of a Facebook status update an act capable of being charged with electronically "sending ... any information that is grossly offensive or has menacing character" or "causing annoyance or inconvenience", or under any other provision of the IT Act (or, for that matter, the IPC).⁴ That 'liking' is protected speech under Article 19(1)(a) is not under question in India (unlike in the USA where that issue had to be adjudicated by a court), since unlike the wording present in the American Constitution, the Indian Constitution clearly protects the 'freedom of speech and expression', so even non-verbal expression is protection.

Role of bad law and the police

In this case the blame has to be shared between bad law (s.66A of the IT Act) and an abuse of powers by police. The police were derelict in their duty, as they failed to provide protection to the Dhada Orthopaedic Hospital, run by the uncle of the girl who made the Facebook posting. Then they added insult to injury by arresting Shaheen Dhada and the friend who 'liked' her post. This should not be written off as a harmless case of the police goofing up. Justice Katju is absolutely correct in demanding that such police officers should be punished.

Rule of law

Rule of law demands that laws are not applied in an arbitrary manner. When tens of thousands were making similar comments in print (Justice Katju's article in the Hindu, for instance), over the Internet (countless comments on Facebook, Rediff, Orkut, Twitter, etc.), and in person, how did the police single out Shaheen Dhada and her friend for arrest?⁵

This should not be seen merely as "social media regulation", but as a restriction on freedom of speech and expression by both the law and the police. Section 66A makes certain kinds of speech-activities ("causing annoyance") illegal if communicated online, but legal if that same speech-activity is published in a newspaper. Finally, this is similar to the Aseem Trivedi case where the police wrongly decided to press charges and to arrest.

This distinction is important as it being a Facebook status update should not grant Shaheen Dhada any special immunity; the fact of that particular update not being punishable under s.295 or s.66A (or any other law) should.

Section 64 of the IT Act is about "recovery of penalty" and the ability to suspend one's digital signature if one doesn't pay up a penalty that's been imposed.↩
The police generally cannot, without a warrant, arrest a person accused of a bailable offence unless it is a cognizable offence. A non-bailable offence is one for which a judicial magistrate needs to grant bail, and it isn't an automatic right to be enjoyed by paying a bond-surety amount set by the police.↩
Section 295A of the IPC has been held not to be unconstitutional. The first case to challenge the constitutionality of section 66A of the IT Act was filed recently in front of the Madurai bench the Madras High Court.)↩
One can imagine an exceptional case where such an act could potentially be defamatory, but that is clearly exceptional.↩
This is entirely apart from the question of how the Shiv Sena singled in on Shaheen Dhada's Facebook comment.↩

This blog entry has been re-posted in the following places

Outlook (November 19, 2012).
KAFILA (November 19, 2012).

For more details visit https://cis-india.org/internet-governance/blog/bal-thackeray-comment-arbitrary-arrest-295A-66A

App Developers Series: Products-Services Dichotomy & IP (Part I)

samantha — 2014-07-21T01:43:06Z

Recently, the Centre for Internet and Society (CIS) held a series of interviews in attempts to better understand the ecosystem in which India's mobile app industry is emerging, how it is governed by India's current laws, and how mobile app developers are affected as a result. The following written series maps out the given responses and presents our findings from these interviews and accompanying conversations.

This preliminary round consisted of 10 interviews with app developers and an additional 6 with other individuals from differing perspectives within the mobile app development space; these being designers, lawyers, financial and legal advisers, and developer community mobilizers. Much insight was gained on the current legal practices of app developers within their work related to intellectual property rights (IPR), licensing, infringement and ownership. Through this preliminary research exercise, such practices are found to arise out of personal business models, sentiments towards the law, and how they are situated within the ecosystem to begin with.

Question 1: “What is your IP?”

In the legal realm, mobile apps aren't simply mobile apps, but a final product composite of numerous forms of intellectual property (IP)—background processes, source code, user interface, brand, content and more. But who owns the apps that are being made? Are they protected, and if so, is this protection enforced? And how much do developers know about IP anyway?

The first of the predetermined set of interview questions begins to address these questions. Upon asking developers what it is exactly that constituted their intellectual property, the most frequent immediate responses consisted of “nothing” or one's own coding for their mobile app product. Other responses included created content, background processes, and works unpublished, as well as trademark and a pending patent. Discussions to follow often pertained to one's business model, as well as their different types of mobile app IP for clients and of their own products.

So what did these responses reveal then?

70% of app developers interviewed generally do not own the products they create, and instead assign ownership of their IP over to their clients
80% of app developers interviewed have either moved away from the services sector to create their own products or would like to
75% of app developers interviewed within services have their own mobile app products, two thirds of which are in an early product phase

Services for SMEs

Across developers carrying out app development services, clients were often said to be based all over India, as well as the US and Europe. Despite this occurring trend within our interviews sample, Business Financial Strategist and CEO of Out Sourced CFO & Business Advisory Services, Jayant Tewari stresses that out-sourced 'mobile app services' is marginal as a business model here in India. Due to the fact that “apps are reasonably small in terms of code length and complexity, the concept is more important to and deliverable by a small skilled team,” he says. For this reason, mobiles apps is relatively a small-medium enterprise (SME) space: “some SMEs have grown but the ethos and challenges faced are entirely distinct from the Large Corporate.”

Tewari's insights reflect the few of the larger mobile app enterprises that had participated within our interviews. Of all app developers interviewed, it has been found that 80% have either moved away from the services sector to create their own products or would like to. The remaining 20%, on the other hand, represent larger enterprises that have now scaled up with teams from 70 to over 200 developers—one of which focus strictly on services for social enterprises and non-profits as clients.

Tewari continues in saying that “unless you're a 1000 man enterprise, there's no economic benefit in services; as competition has driven pricing so low, everyone's struggling to deliver $12-14 per hour.”

So then, if this is the case in India's mobile app economy and off-shore app development is marginal, why have we found developers are doing it then?

Vivek Durai, formerly a lawyer and now Founder of startup, HumblePaper, implies that this business model is not by first choice: “every startup in mobile development, especially, is doing services to stay afloat and would like to move toward a product model.” Accordingly and as mentioned above, 75% of those interviewed within services had their own mobile app products, the majority of which were only in an early product phase—suggesting the inclination for app developers to gradually move away from the services sector in pursuit of their own projects, as they are able to.

Understandings of IP (and lack of)

Come the time for this transition away from services, however, app developer enterprises may be ill-equipped to sufficiently navigate this mobile app product space. Due to the fact that those within services assign ownership to their clients with the mere signing of a contract (if any), mobile app developers do not have any need to concern themselves with all the legal nuances related to ownership and licensing of IP. Put simply by Durai, “when you ask a question about IP to developers, they don't know what it means, because it doesn't have anything to do with what they're doing.”

Within the responses received, we have found that across those interviewed exist different personal understandings of the meaning of “IP.” Badrinath Kulkarni, Google Developer Group (GDG) Bangalore Coordinator, shares his concern regarding this area of greyed understanding in saying that “developers often do not know what part of their app is IP... there is a gap in understanding with respect to IP.”

For the most part, it seems, IP was considered to refer to content or code across interviews, and was even confused at one point with IPR within a response referring to an SME's trademark and pending pending. Although a subtle error, such may reflect the lack of a comprehensive understanding across individuals—even those that are applying for a patent.

For those who appeared to be better versed in matters related to IP, a recurring theme seemed to be the need for developers to broaden their understanding of what parts of their work are IP. Within a conversation with Samuel Mani, Founding Partner of Mani Chengappa & Mathur, Mani stresses that developers should recognize the value within not just the product or software itself, but the background business processes. According to Mani, the execution of the idea is the true source of innovation; how one accesses the market, and maybe who the market is as well.

IP understanding in services: irrelevant or important?

So what is the importance of having a concrete understanding of notions of intellectual property to begin with? Does it matter at all that those within development services are not as familiar with the concept since IP is irrelevant to them? Or can knowledge of IP work to one's advantage within a services agreement?

As we continue to examine the responses given across interviews pertaining to protection of one's intellectual property, perhaps these questions will answer themselves.

For more details visit https://cis-india.org/a2k/blogs/app-developers-series-services-products-dichotomy-ip-2013-part-i

Announcement of a Three-Region Research Alliance on the Appropriate Use of Digital Identity

amber — 2019-05-13T09:06:23Z

Omidyar Network has recently announced its decision to invest in establishment of a three-region research alliance — to be co-led by the Institute for Technology & Society (ITS), Brazil, the Centre for Intellectual Property and Information Technology Law (CIPIT) , Kenya, and the CIS, India — on the Appropriate Use of Digital Identity. As part of this Alliance, we at the CIS will look at the policy objectives of digital identity projects, how technological policy choices can be thought through to meet the objectives, and how legitimate uses of a digital identity framework may be evaluated.

As governments across the globe are implementing new, digital foundational identification systems or modernizing existing ID programs, there is a dire need for greater research and discussion about appropriate design choices for a digital identity framework. There is significant momentum on digital ID, especially after the adoption of UN Sustainable Development Goal 16.9, which calls for legal identity for all by 2030. Given the importance of this subject, its implications for both the development agenda as well its impact on civil, social and economic rights, there is a need for more focused research that can enable policymakers to take better decisions, guide civil society in different jurisdictions to comment on and raise questions about digital identity schemes, and provide actionable material to the industry to create identity solutions that are privacy enhancing and inclusive.

Excerpt from the blog post by Subhashish Bhadra announcing this new research alliance

...In the absence of any widely-accepted thinking on this issue, we run the risk of digital identity systems suffering from mission creep, that is being made mandatory or being used for an ever-expanding set of services. We believe this creates several risks. First, people may be excluded from services if they do not have a digital identity or because it malfunctions. Second, this approach creates a wider digital footprint that can be used to create a profile of an individual, sometimes without consent. This can increase privacy risk. Third, this approach increases the power of institutions versus individuals and can be used as rationale to intentionally deny services, especially to vulnerable or persecuted groups.

Three exceptional research groups have undertaken the effort of answering this complex and important question. Over the next six months, these think tanks will conduct independent research, as well as involve experts from across the globe. Based in South America, Africa, and Asia, these institutions represent the collective wisdom and experiences of three very distinct geographies in emerging markets. While drawing on their local context, this research effort is globally oriented. The think tanks will create a set of recommendations and tools that can be used by stakeholders to engage with digital identity systems in any part of the world...

This research will use a collaborative and iterative process. The researchers will put out some ideas every few weeks, with the objective of seeking thoughts, questions, and feedback from various stakeholders. They will participate in several digital rights and identity events across the globe over the next several months. They will also organize webinars to seek input from and present their interim findings to interested communities from across the globe. Each of these provide an opportunity for you to provide your thoughts and help this research program provide an independent, rigorous, transparent, and holistic answer to the question of when it’s appropriate for digital identity to be used. We need a diversity of viewpoints and collaborative dissent to help solve the most pressing issues of our times.

For more details visit https://cis-india.org/internet-governance/blog/appropriate-use-of-digital-identity-alliance-announcement

Analyzing the Latest List of Blocked URLs by Department of Telecommunications (IIPM Edition)

snehashish — 2013-02-17T07:35:25Z

The Department of Telecommunications (DoT) in its order dated February 14, 2013 has issued directions to the Internet Service Providers (ISPs) to block seventy eight URLs. The block order has been issued as a result of a court order. Snehashish Ghosh does a preliminary analysis of the list of websites blocked as per the DoT order.

Medianama has published the DoT order, dated February 14, 2013, on its website.

What has been blocked?

The block order contains seventy eight URLs. Seventy three URLs are related to the Indian Institute of Planning and Management (IIPM). The other five URLs contain the term “highcourt”. The order also contains links from reputed news websites and news blogs including The Indian Express, Firstpost, Outlook, Times of India, Economic Times, Kafila and Caravan Magazine, and satire news websites Faking News and Unreal Times. The order also directs blocking of a public notice issued by the University Grants Commission (UGC).

The block order does not contain links to any social media website. However, some content related to IIPM has been removed but it finds no mention in the block order. Pursuant to which order or direction such content has been removed remains unclear. For example, Google has removed search results for the terms <Fake IIPM> pursuant to Court orders and it carries the following notice:

"In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org."

Are there any mistakes in the order?

The direction issued by the DoT is once again inaccurate and mired with errors. In effect, the DoT has blocked sixty one unique URLs and the block order contains numerous repetitions. By its order the DoT has directed the ISPs to block an entire blog [http://iipmexposed.blogspot.in] along with URLs to various posts in the same blog.

Reasons for Blocking Websites

According to news reports, the main reason for blocking of websites by the DoT is a Court order issued by a Court in Gwalior. The reason for issuing such a block order might have been a court proceeding with respect to defamation and removal of defamatory content thereof. However, the reasons for blocking of domain names containing the term ‘high court’, which is not at all related to the IIPM Court case is unclear. The DoT by its order has also blocked a link in the website of a internet domain registrar which carried advertisement for the domain name [www.highcourt.com].

Are the blocks legitimate?

The block order may have been issued by the DoT under Rule 10 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

The Court order seems to be an interim injunction in a defamation suit. Generally, Courts exercise utmost caution while granting interim injunction in defamation cases. According to the Bonnard Rule (Bonnard v. Perryman, [1891] 2 Ch 269) in a defamation case, “interim injunction should not be awarded unless a defence of justification by the defendant was certain to fail at trial level.” Moreover, in the case of Woodward and Frasier, Lord Denning noted “that it would be unjust to fetter the freedom of expression, when actually a full trial had not taken place, and that if during trial it is proved that the defendant had defamed the plaintiff, then should they be liable to pay the damages.” The Delhi High Court in Tata Sons Ltd. v. Green Peace International followed the Bonnard Rule and the Lord Denning’s judgements and ruled against the award of interim injunction for removal of defamatory content and stated:

“The Court notes that the rule in Bonnard is as applicable in regulating grant of injunctions in claims against defamation, as it was when the judgment was rendered more than a century ago. This is because the Courts, the world over, have set a great value to free speech and its salutary catalyzing effect on public debate and discussion on issues that concern people at large. The issue, which the defendant’s game seeks to address, is also one of public concern. The Court cannot also sit in value judgment over the medium (of expression) chosen by the defendant since in a democracy, speech can include forms such as caricature, lampoon, mime parody and other manifestations of wit.”

Therefore, it appears that the Court order has moved away from the settled principles of law while awarding an interim injunction for blocking of content related to IIPM. It is also interesting to note that in Green Peace International, the Court also answered the question as to whether there should be different standard for posting or publication of defamatory content on the internet. It was observed by the Court that publication is a comprehensive term, ‘embracing all forms and medium – including the Internet’.

Blocking a Public Notice issued by a Statutory Body of Government of India

The block order mentions a URL which contains a public notice issued by University Grants Commission (UGC) related to the derecognition of IIPM as a University. The blocking of a public notice issued by the statutory body of the Government of India is unprecedented. A public notice issued by a statutory body is a function of the State. It can only be blocked or removed by a writ order issued by the High Court or the Supreme Court and only if it offends the Constitution. However, so far, ISPs such as BSNL have not enforced the blocking of this URL.

Implementation of the order by the ISPs

As pointed out in my previous blog post on blocking of websites, the ISPs have again failed to notify their consumers the reasons for the blocking of the URLs. This lack of transparency in the implementation of the block order has a chilling effect on freedom of speech.

For more details visit https://cis-india.org/internet-governance/blog/analyzing-latest-list-of-blocked-urls-by-dot

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

Analysis of the Copyright (Amendment) Bill, 2010

pranesh — 2011-09-21T06:01:54Z

CIS analyses the Copyright (Amendment) Bill, 2010, from a public interest perspective to sift the good from the bad, and importantly to point out what crucial amendments should be considered but have not been so far.

The full submission that CIS and 21 other civil society organizations made to the Rajya Sabha Standing Committee on HRD (which is studying the Bill) is available here. Given below is the summary of our submissions:

Existing Copyright Act

The Indian Copyright Act, 1957 has been designed from the perspective of a developing country. It has always attempted a balance between various kinds of interests. It has always sought to ensure that rights of authors of creative works is carefully promoted alongside the public interest served by wide availability and usability of that material. For instance, our Copyright Act has provisions for:

compulsory and statutory licensing: recognizing its importance in making works available, especially making them available at an affordable rate.
cover versions: recognizing that more players lead to a more vibrant music industry.
widely-worded right of fair dealing for private use: recognizing that individual use and large-scale commercial misuse are different.

These provisions of our Act have been lauded, and India has been rated as the most balanced copyright system in a global survey conducted of over 34 countries by Consumers International.

The Indian Parliament has always sought to be responsive to changing technologies by paying heed to both the democratisation of access as well as the securing of the interests of copyright holders. This approach needs to be lauded, and importantly, needs to be maintained.

Proposed Amendments

Some positive amendments

Fair Dealings, Parallel Importation, Non-commercial Rental: All works (including sound recordings and cinematograph films) are now covered the fair dealings clause (except computer programmes), and a few other exceptions; parallel importation is now clearly allowed; and non-commercial rental has become a limitation in some cases.
Persons with disabilities: There is finally an attempt at addressing the concerns of persons with disabilities. But the provisions are completely useless the way they are currently worded.
Public Libraries: They can now make electronic copies of works they own, and some other beneficial changes relating to public libraries.
Education: Some exceptions related to education have been broadened (scope of works, & scope of use).
Statutory and compulsory licensing: Some new statutory licensing provisions (including for radio broadcasting) and some streamlining of existing compulsory licensing provisions.
Copyright societies: These are now responsible to authors and not owners of works.
Open licences: Free and Open Source Software and Open Content licensing is now simpler.
Partial exemption of online intermediaries: Transient and incidental storage of copyrighted works has been excepted, mostly for the benefit of online intermediaries.
Performer’s rights: The general, and confusing, exclusive right that performers had to communicate their performance to the public has been removed, and instead only the exclusive right to communicate sound/video recordings remains.
Enforcement: Provisions on border measures have been made better, and less prone to abuse and prevention of legitimate trade.

Some negative amendments

WCT and WPPT compliance: India has not signed either of these two treaties, which impose TRIPS-plus copyright protection, but without any corresponding increase in fair dealing / fair use rights.
Increase in duration of copyright: This will significantly reduce the public domain, which India has been arguing for internationally.
Technological Protection Measures: TPMs, which have been shown to be anti-consumer in all countries in which they have been introduced, are sought to be brought into Indian law.
Version recordings: The amendments make cover version much more difficult to produce.
Moral rights: Changes have been made to author’s moral rights (and performer’s moral rights have been introduced) but these have been made without requisite safeguards.

Missed opportunities

Government-funded works: Taxpayers are still not free to use works that were paid for by them. This goes against the direction that India has elected to march towards with the Right to Information Act.
Copyright terms: The duration of all copyrights are above the minimum required by our international obligations, thus decreasing the public domain which is crucial for all scientific and cultural progress.
Criminal provisions: Our law still criminalises individual, non-commercial copyright infringement.
Libraries and archives: The exceptions for ‘public libraries’ are still too narrow in what they perceive as ‘public libraries’.
Educational exceptions: The exceptions for education still do not fully embrace distance and digital education.
Communication to the public: No clear definition is given of what constitute a ‘public’, and no distinction is drawn between commercial and non-commercial ‘public’ communication.
Internet intermediaries: More protections are required to be granted to Internet intermediaries to ensure that non-market based peer-production projects such as Wikipedia, and other forms of social media and grassroots innovation are not stifled.
Fair dealing and fair use: We would benefit greatly if, apart from the specific exceptions provided for in the Act, more general guidelines were also provided as to what do not constitute infringement. This would not take away from the existing exceptions.

For more details visit https://cis-india.org/a2k/blogs/copyright-bill-analysis

Analysis of the Copyright (Amendment) Bill 2012

pranesh — 2013-11-12T14:13:04Z

There are some welcome provisions in the Copyright (Amendment) Bill 2012, and some worrisome provisions. Pranesh Prakash examines five positive changes, four negative ones, and notes the several missed opportunities. The larger concern, though, is that many important issues have not been addressed by these amendments, and how copyright policy is made without evidence and often out of touch with contemporary realities of the digital era.

The Copyright (Amendment) Bill 2012 has been passed by both Houses of Parliament, and will become law as soon as the President gives her assent and it is published in the Gazette of India. While we celebrate the passage of some progressive amendments to the Copyright Act, 1957 — including an excellent exception for persons with disabilities — we must keep in mind that there are some regressive amendments as well. In this blog post, I will try to highlight those provisions of the amendment that have not received much public attention (unlike the issue of lyricists’ and composers’ ‘right to royalty’).

Welcome Changes

Provisions for Persons with Disabilities

India now has amongst the most progressive exception for persons with disabilities, alongside countries like Chile. Under the amendments, sections 51(1)(zb) and 31B carve out exceptions and limitations for persons with disabilities. Earlier s.52(1)(zb) dealt only with formats that were “special designed only for the use of persons suffering from visual, aural, or other disabilities”. Thanks to a campaign mounted by disability rights groups and public interest groups such as CIS, it now covers “any accessible format”. Section 52(1)(zb) allows any person to facilitate access by persons with disabilities to copyrighted works without any payment of compensation to the copyright holder, and any organization working the benefit of persons with disabilities to do so as long as it is done on a non-profit basis and with reasonable steps being taken to prevent entry of reproductions of the copyrighted work into the mainstream. Even for-profit businesses are allowed to do so if they obtain a compulsory licence on a work-by-work basis, and pay the royalties fixed by the Copyright Board. The onerousness of this provision puts its utility into question, and this won’t disappear unless the expression “work” in s.31B is read to include a class of works.

Given that the Delhi High Court has — wrongly and per incuriam, since it did not refer to s.14(a)(ii) as it was amended in 1994 — held parallel importation to be barred by the Copyright Act, it was important for Parliament to clarify that the Copyright Act in fact follows international exhaustion. Without this, even if any person can facilitate access for persons with disabilities to copyrighted works, those works are restricted to those that are circulated in India. Given that not many books are converted into accessible formats in India (not to mention the costs of doing so), and given the much larger budgets for book conversion in the developed world, this is truly restrictive.

Extension of Fair Dealing to All Works

The law earlier dealt with fair dealing rights with regard to “literary, dramatic, musical or artistic works”. Now it covers all works (except software), in effect covering sound recordings and video as well. This will help make personal copies of songs and films, to make copies for research, to use film clips in classrooms, etc.

Creative Commons, Open Licensing Get a Boost

The little-known s.21 of the Copyright Act, which deals with the right of authors to relinquish copyright, has been amended. While earlier one could only relinquish parts of one’s copyright by submitting a form to the Registrar of Copyrights, now a simple public notice suffices. Additionally, s.30 of the Act, which required licences to be in writing and signed, now only requires it to be in writing. This puts Creative Commons, the GNU Public Licence, and other open licensing models, on a much surer footing in India.

Physical Libraries Should Celebrate, Perhaps Virtual Libraries Too

Everywhere that the word “hire” occurs (except s.51, curiously), the word “commercial rental” has been substituted. This has been done, seemingly, to bring India in conformance with the WIPO Copyright Treaty (WCT) and the WIPO Performances and Phonograms Treaty (WPPT). The welcome side-effect of this is that the legality of lending by non-profit public libraries has been clarified. The amendment states:

"2(1)(fa) “commercial rental” does not include the rental, lease or lending of a lawfully acquired copy of a computer programme, sound recording, visual recording or cinematograph film for non-profit purposes by a non-profit library or non-profit educational institution."

Even after this, the overwhelming majority of the ‘video lending libraries’ that you see in Indian cities and towns continue to remain illegal.

Another welcome provision is the amended s.52(1)(n), which now allows “non-commercial public libraries” to store an electronic copy of a work if it already has a physical copy of the work. However, given that this provision says that the storage shall be “for preservation”, it seems limited. However, libraries might be able to use this — in conjunction with the fact that under s.14 of the Copyright Act lending rights of authors is limited to “commercial rental” and s.51(b) only covers lending of “infringing copies” — to argue that they can legally scan and lend electronic copies of works in the same manner that they lend physical copies. Whether this argument would succeed is unclear. Thus, India has not boldly gone where the European Commission is treading with talks of a European Digital Library Project, or where scholars in the US are headed with the Digital Public Library of America. But we might have gone there quietly. Thus, this amendment might help foster an Indian Internet Archive, or help spread the idea of the Open Library in India.

On a final note, different phrases are used to refer to libraries in the amendment. In s.2(1)(fa), it talks about "non-profit library"; in s.52(1)(n) and (o), it refers to "non-commercial public library"; and in s.52(1)(zb), it talks of "library or archives", but s.52(1)(zb) also requires that the works be made available on a "non-profit basis". The differentiation, if any, that is sought to be drawn between these is unclear.

Limited Protection to Some Internet Intermediaries

There are two new provisions, s.52(1)(b) and 52(1)(c), which provide some degree of protection to 'transient or incidental' storage of a work or performance. Section 52(1)(b) allows for "the transient or incidental storage of a work or performance purely in the technical process of electronic transmission or communication to the public", hence applying primarily to Internet Service Providers (ISPs), VPN providers, etc. Section 52(1)(c) allows for "transient or incidental storage of a work or performance for the purpose of providing electronic links, access or integration, where such links, access or integration has not been expressly prohibited by the right holder, unless the person responsible is aware or has reasonable grounds for believing that such storage is of an infringing copy". This seems to make it applicable primarily to search engines, with other kinds of online services being covered or not covered depending on one’s interpretation of the word 'incidental'.

Compulsory Licensing Now Applies to Foreign Works Also

Sections 31 ("compulsory licence in works withheld from public") and 31A ("compulsory licence in unpublished Indian works") used to apply to Indian works. Now they apply to all works, whether Indian or not (and now s.31A is about "compulsory licence in unpublished or published works", mainly orphan works). This is a welcome amendment, making foreign works capable of being licensed compulsorily in case it is published elsewhere but withheld in India. Given how onerous our compulsory licensing sections are, especially sections 32 and 32A (which deal with translations, and with literary, scientific or artistic works), it is not a surprise that they have not been used even once. However, given the modifications to s.31 and s.31A, we might just see those starting to be used by publishers, and not just radio broadcasters.

Worrisome Changes

Term of Copyright for Photographs Nearly Doubled

The term of copyright for photographs has now gone from sixty years from publication to sixty years from the death of the photographer. This would mean that copyright in a photograph clicked today (2012) by a 20 year old who dies at the 80 will only expire on January 1, 2133. This applies not only to artistic photographs, to all photographs because copyright is an opt-out system, not an opt-in system. Quite obviously, most photoshopping is illegal under copyright law.

This has two problems. First, there was no case made out for why this term needed to be increased. No socio-economic report was commissioned on the effects of such a term increase. This clause was not even examined by the Parliamentary Standing Committee. While the WCT requires a ‘life + 50′ years term for photographs, we are not signatories to the WCT, and hence have no obligation to enforce this. We are signatories to the Berne Convention and the TRIPS Agreement, which require a copyright term of 25 years for photographs. Instead, we have gone even above the WCT requirement and provide a life + 60 years term.

The second problem is that it is easier to say when a photograph was published than to say who the photographer was and when that photographer died. Even when you are the subject of a photograph, the copyright in the photograph belongs to the photographer. Unless a photograph was made under commission or the photographer assigned copyright to you, you do not own the copyright in the photographs. (Thanks to Bipin Aspatwar, for pointing out a mistake in an earlier version, with "employment" and "commission" being treated differently.) This will most definitely harm projects like Wikipedia, and other projects that aim at archiving and making historical photographs available publicly, since it is difficult to say whether the copyright in a photograph still persists.

Cover Versions Made More Difficult: Kolaveri Di Singers Remain Criminals

The present amendments have brought about the following changes, which make it more difficult to produce cover versions:

Time period after which a cover version can be made has increased from 2 years to 5 years.
Requirement of same medium as the original. So if the original is on a cassette, the cover cannot be released on a CD.
Payment has to be made in advance, and for a minimum of 50000 copies. This can be lowered by Copyright Board having regard to unpopular dialects.
While earlier it was prohibited to mislead the public (i.e., pretend the cover was the original, or endorsed by the original artists), now cover versions are not allowed to "contain the name or depict in any way any performer of an earlier sound recording of the same work or any cinematograph film in which such sound recording was incorporated".
All cover versions must state that they are cover versions.
No alterations are allowed from the original song, and alteration is qualified as ‘alteration in the literary or musical work’. So no imaginative covers in which the lyrics are changed or in which the music is reworked are allowed without the copyright owners’ permission. Only note-for-note and word-for-word covers are allowed.
Alterations were allowed if they were "reasonably necessary for the adaptation of the work" now they are only allowed if it is "technically necessary for the purpose of making of the sound recording".

This ignores present-day realities. Kolaveri Di was covered numerous times without permission, and each one of those illegal acts helped spread its popularity. The singers and producers of those unlicensed versions could be jailed under the current India Copyright Act, which allows even non-commercial copyright infringers to be put behind bars. Film producers and music companies want both the audience reach that comes from less stringent copyright laws (and things like cover versions), as well as the ability to prosecute that same behaviour at will. It is indeed ironic that T-Series, the company that broke HMV’s stranglehold over the Indian recording market thanks to cover versions, is itself one of the main movers behind ever-more stringent copyright laws.

Digital Locks Now Provided Legal Protection Without Accountability

As I have covered the issue of Technological Protection Measures (TPM) and Rights Management Information (RMI), which are ‘digital locks’ also known as Digital Rights Management (DRM), in great detail earlier, I won’t repeat the arguments at length. Very briefly:

It is unclear that anyone has been demanding the grant of legal protection to DRMs in India, and We have no obligation under any international treaties to do so. It is not clear how DRM will help authors and artists, but it is clear how it will harm users.
While the TPM and RMI provisions are much more balanced than the equivalent provisions in laws like the US’s Digital Millennium Copyright Act (DMC), that isn’t saying much. Importantly, while users are given certain rights to break the digital locks, they are helpless if they aren’t also provided the technological means of doing so. Simply put: music and movie companies have rights to place digital locks, and under some limited circumstances users have the right to break them. But if the locks are difficult to break, the users have no choice but to live with the lock, despite having a legal right.

Removal of Parallel Importation

In past blog posts I have covered why allowing parallel imports makes sense in India. And as explained above, the Delhi High Court acted per incuriam when holding that the Copyright Act does not allow parallel importation. The Copyright Act only prohibits import of infringing copies of a work, and a copy of a book that has been legally sold in a foreign country is not an “infringing copy”. The government was set to introduce a provision making it clear that parallel importation was allowed. The Parliamentary Standing Committee heard objections to this proposal from a foreign publishers’ association, but decided to recommend the retention of the clause. Still, due to pressure from a few publishing companies whose business relies on monopolies over importation of works into India, the government has decided to delete the provision. However, thankfully, the HRD Minister, Kapil Sibal, has assured both houses of Parliament that he will move a further amendment if an NCAER report he has commissioned (which will be out by August or September) recommends the introduction of parallel imports.

Expansion of Moral Rights Without Safeguards

Changes have been made to author’s moral rights (and performer’s moral rights have been introduced) but these have been made without adequate safeguards. The changes might allow the legal heir of an author, artist, etc., to object to ‘distortion, mutilation, modification, or other act’ of her ancestors work even when the ancestor might not have. By this amendment, this right continues in perpetuity, even after the original creator dies and even after the work enters into the public domain. It seems Indian policymakers had not heard of Stephen Joyce, the grandson of James Joyce, who has “brought numerous lawsuits or threats of legal action against scholars, biographers and artists attempting to quote from Joyce’s literary work or personal correspondence”. Quoting from his Wikipedia page:

In 2004, Stephen threatened legal action against the Irish government when the Rejoyce Dublin 2004 festival proposed public reading of excerpts of Ulysses on Bloomsday. In 1988 Stephen Joyce burnt a collection of letters written by Lucia Joyce, his aunt. In 1989 he forced Brenda Maddox to delete a postscript concerning Lucia from her biography Nora: The Real Life of Molly Bloom. After 1995 Stephen announced no permissions would be granted to quote from his grandfather’s work. Libraries holding letters by Joyce were unable to show them without permission. Versions of his work online were disallowed. Stephen claimed to be protecting his grandfather’s and families reputation, but would sometimes grant permission to use material in exchange for fees that were often "extortionate".

Because in countries like the UK and Canada the works of James Joyce are now in the public domain, Stephen Joyce can no longer restrict apply such conditions. However now, in India, despite James Joyce’s works being in the public domain, Stephen Joyce’s indefensible demands may well carry legal weight.

Backdoor Censorship

As noted above, the provision that safeguard Internet intermediaries (like search engines) is very limited. However, that provision has an extensive removal provision:

Provided that if the person responsible for the storage of the copy has received a written complaint from the owner of copyright in the work, complaining that such transient or incidental storage is an infringement, such person responsible for the storage shall refrain from facilitating such access for a period of twenty-one days or till he receives an order from the competent court refraining from facilitating access and in case no such order is received before the expiry of such period of twenty-one days, he may continue to provide the facility of such access;

There are two things to be noted here. First, that without proof (or negative consequences for false complaints) the service provider is mandated to prevent access to the copy for 21 day. Second, after the elapsing of 21 days, the service provider may 'put back' the content, but is not mandated to do so. This would allow people to file multiple frivolous complaints against any kind of material, even falsely (since there is no penalty for false compalaints), and keep some material permanently censored.

Missed Opportunities

Fair Dealing Guidelines, Criminal Provisions, Government Works, and Other Missed Opportunities

The following important changes should have been made by the government, but haven’t. While on some issues the Standing Committee has gone beyond the proposed amendments, it has not touched upon any of the following, which we believe are very important changes that are required to be made.

Criminal provisions: Our law still criminalises individual, non-commercial copyright infringement. This has now been extended to the proposal for circumvention of Technological Protection Measures and removal of Rights Management Information also.
Fair dealing guidelines: We would benefit greatly if, apart from the specific exceptions provided for in the Act, more general guidelines were also provided as to what do not constitute infringement. This would not take away from the existing exceptions, but would act as a more general framework for those cases which are not covered by the specific exceptions.
Government works: Taxpayers are still not free to use works that were paid for by them. This goes against the direction that India has elected to march towards with the Right to Information Act. A simple amendment of s.52(1)(q) would suffice. The amended subsection could simply allow for “the reproduction, communication to the public, or publication of any government work” as being non-infringing uses.
Copyright terms: The duration of all copyrights are above the minimum required by our international obligations, thus decreasing the public domain which is crucial for all scientific and cultural progress.
Educational exceptions: The exceptions for education still do not fully embrace distance and digital education.
Communication to the public: No clear definition is given of what constitute a ‘public’, and no distinction is drawn between commercial and non-commercial ‘public’ communication.
Internet intermediaries: More protections are required to be granted to Internet intermediaries to ensure that non-market based peer-production projects such as Wikipedia, and other forms of social media and grassroots innovation are not stifled. Importantly, after the terrible judgment passed by Justice Manmohan Singh of the Delhi High Court in the Super Cassettes v. Myspace case, any website hosting user-generated content is vulnerable to payment of hefty damages even if it removes content speedily on the basis of complaints.

Amendments Not Examined

For the sake of brevity, I have not examined the major changes that have been made with regard to copyright societies, lyricists and composers, and statutory licensing for broadcasters, all of which have received considerable attention by copyright experts elsewhere, nor have I examined many minor amendments.

A Note on the Parliamentary Process

Much of the discussions around the Copyright Act have been around the rights of composers and lyricists vis-à-vis producers. As this has been covered elsewhere, I won’t comment much on it, other than to say that it is quite unfortunate that the trees are lost for the forest. It is indeed a good thing that lyricists and composers are being provided additional protection against producers who are usually in a more advantageous bargaining position. This fact came out well in both houses of Parliament during the debate on the Copyright Bill.

However, the mechanism of providing this protection — by preventing assignment of “the right to receive royalties”, though the “right to receive royalties” is never mentioned as a separate right anywhere else in the Copyright Act — was not critically examined by any of the MPs who spoke. What about the unintended consequences of such an amendment? Might this not lead to new contracts where instead of lump-sums, lyricists and music composers might instead be asked to bear the risk of not earning anything at all unless the film is profitable? What about a situation where a producer asks a lyricist to first assign all rights (including royalty rights) to her heirs and then enters into a contract with those heirs? The law, unfortunately at times, revolves around words used by the legislature and not just the intent of the legislature. While one cannot predict which way the amendment will go, one would have expected better discussions around this in Parliament.

Much of the discussion (in both the Rajya Sabha and the Lok Sabha) was rhetoric about the wonders of famous Indian songwriters and music composers and the abject penury in which some not-so-famous ones live, and there was very little discussion about the actual merits of the content of the Bill in terms of how this problem will be overcome. A few MPs did deal with issues of substance. Some asked the HRD Minister tough questions about the Statement of Objects and Reasons noting that amendments have been brought about to comply with the WCT and WPPT which were “adopted … by consensus”, even though this is false as India is not a signatory to the WCT and WPPT. MP P. Rajeeve further raised the issue of parallel imports and that of there being no public demand for including TPM in the Act, but that being a reaction to the US’s flawed Special 301 reports. Many, however, spoke about issues such as the non-award of the Bharat Ratna to Bhupen Hazarika, about the need to tackle plagiarism, and how the real wealth of a country is not material wealth but intellectual wealth.

This preponderance of rhetoric over content is not new when it comes to copyright policy in India. In 1991, when an amendment was presented to increase term of copyright in all works by ten years (from expiring 50 years from the author’s death to 60 years post-mortem), the vast majority of the Parliamentarians who stood up to speak on the issue waxed eloquent about the greatness of Rabindranath Tagore (whose works were about to lapse into the public domain), and how we must protect his works. Little did they reflect that extending copyright — for all works, whether by Tagore or not — will not help ‘protect’ the great Bengali artist, but would only make his (and all) works costlier for 10 additional years. Good-quality and cheaper editions of Tagore’s works are more easily available post-2001 (when his copyright finally lapsed) than before, since companies like Rupa could produce cheap editions without seeking a licence from Visva Bharati. And last I checked Tagore’s works have not been sullied by them having passed into the public domain in 2001.

Further, one could find outright mistakes in the assertions of Parliamentarians. In both Houses, DMK MPs raised objections with regard to parallel importation being allowed in the Bill — only in the version of the Bill they were debating, parallel importation was not being allowed. One MP stated that “statutory licensing provisions like these are not found anywhere else in the world”. This is incorrect, given that there are extensive statutory licensing provision in countries like the United States, covering a variety of situations, from transmission of sound recordings over Internet radio to secondary transmission of the over-the-air programming.

Unfortunately, though that MP did not raise this issue, there is a larger problem that underlies copyright policymaking in India, and that is the fact that there is no impartial evidence gathered and no proper studies that are done before making of policies. We have no equivalent of the Hargreaves Report or the Gowers Report, or the studies by the Productivity Council in Australia or the New Zealand government study of parallel importation.

There was no economic analysis conducted of the effect of the increase in copyright term for photographs. We have evidence from elsewhere that copyright terms are already too long, and all increases in term are what economists refer to as deadweight losses. There is no justification whatsoever for increasing term of copyright for photographs, since India is not even a signatory to the WCT (which requires this term increase). In fact, we have lost precious negotiation space internationally since in bilateral trade agreements we have been asked to bring our laws in compliance with the WCT, and we have asked for other conditions in return. By unilaterally bringing ourselves in compliance with WCT, we have lost important bargaining power.

Users and Smaller Creators Left Out of Discussions

Thankfully, the Parliamentary Standing Committee went into these minutiae in greater detail. Though, as I have noted elsewhere, the Parliamentary Standing Committee did not invite any non-industry groups for deposition before it, other than the disability rights groups which had campaigned really hard. So while changes that would affect libraries were included, not a single librarian was called by the Standing Committee. Despite comments having been submitted to the Standing Committee on behalf of 22 civil society organizations, none of those organizations were asked to depose. Importantly, non-industry users of copyrighted materials — consumers, historians, teachers, students, documentary film-makers, RTI activists, independent publishers, and people like you and I — are not seen as legitimate interested parties in the copyright debate. This is amply clear from the the fact that only one MP each in the two houses of Parliament raised the issue of users’ rights at all.

Concluding Thoughts

What stands out most from this process of amendment of the copyright law, which has been going on since 2006, is how out-of-touch the law is with current cultural practices. Most instances of photoshopping are illegal. Goodbye Lolcats. Cover versions (for which payments have to be made) have to wait for five years. Goodbye Kolaveri Di. Do you own the jokes you e-mail to others, and have you taken licences for quoting older e-mails in your replies? Goodbye e-mail. The strict laws of copyright, with a limited set of exceptions, just do not fit the digital era where everything digital transaction results in a bytes being copied. We need to take a much more thoughtful approach to rationalizing copyright: introduction of general fair dealing guidelines, reduction of copyright term, decriminalization of non-commercial infringement, and other such measures. If we don’t take such measures soon, we will all have to be prepared to be treated as criminals for all our lives. Breaking copyright law shouldn’t be as easy as breathing, yet thanks to outdated laws, it is.

This was reposted in infojustice.org on May 25, 2012

For more details visit https://cis-india.org/a2k/blogs/analysis-copyright-amendment-bill-2012

Analysis of DIT's Response to Second RTI on Website Blocking

pranesh — 2011-12-02T09:26:11Z

In this blog post, Pranesh Prakash briefly analyses the DIT's response to an RTI request on website blocking alongside the most recent edition of Google's Transparency Report, and what it tells us about the online censorship regime in India.

What the DIT's Response Tells Us, and What It Doesn't

We at the Centre for Internet and Society had sent in a right to information request to the Department of Information Technology (DIT) asking for more information about website blocking in India. The response we got from the DIT was illuminating in many ways. The following are the noteworthy points, in brief:

Six government officials, and one politician have so far made requests for 'disabling access' to certain online content under s.69A of the Information Technology (IT) Act.
68 individual items have been requested to be blocked, those being 64 websites (domain-level blocking), 1 sub-domain, and 3 specific web pages. Seemingly, none of these requests have been accepted.
The data provided by the government seemingly conflicts with the data released by the likes of Google (via its Transparency Report).
India's law enforcement agencies are circumventing the IT Act, the Indian Penal Code (IPC), and ultimately the Constitution, by not following proper procedure for removal of online content.
Either the DIT is not providing us all the relevant information on blocking, or is not following the law.

Conflicting Data on Censorship Requests

The latest Google Transparency Report, released on October 25, 2011, shows that there were 68 written requests (imaginably taking the form of forceful requests/orders) from Indian law enforcement agencies for removal of 358 items from Google's various. If you take the figures since January 2010, it adds up to over 765.

However, the official government statistics show only eight separate requests having been made to the DIT (which, under the IT Act, is the only authority that can order the blocking of online content), adding up to a total of 64 websites (domain-level), 1 sub-domain, and 3 specific web pages. Of these only 3 are for Google's services (2 for Blogger, and 1 for YouTube).

If classified according to presumable reason for seeking of the block, that would be 61 domains hosting adult content; 1 domain (tamil.net.in), 1 sub-domain (ulaginazhagiyamuthalpenn.blogspot.com), and 2 specific pages (video of a speech by Bal Thackeray on YouTube and Wikipedia page for Sukhbir Singh Badal) for political content; 1 for religious content (a blog post titled "Insults against Islam" in Malay); and 1 domain hosting online gambling (betfair.com). It is unclear for why one of the requests was made (topix.net).¹

Content Removal vs. Content Blocking

Section 69A of the IT Act provides the Central Government the power to "direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource". The only person through whom this power can be exercised is the 'Designated Officer' (currently Dr. Gulshan Rai of the DIT), who in turn has to follow the procedure laid down in the rules drafted under s.69A ("Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009", the 'Blocking Rules').

Because of this, we see everyone from the Secretary of the Public Law and Order Department of Tamil Nadu to the Joint Commissioner of Police of Mumbai and the State President of the Bharatiya Janata Minority Morcha approaching the Designated Officer for blocking of websites.

However, as the data from Google shows, there are many times more requests being sent to remove content. The only explanation for this is that an order to 'block for access... or cause to be blocked for access by the public' is taken to be different from an order for removal of content. Nothing in the IT Act, nor in the Blocking Rules actually address this issue.²

Thus, there is a possibility that the forcible removal of content is treated separately from blocking of content. That would mean that while blocking is regulated by the IT Act, forcible removal of content is not. Thus, it would seem that forcible removal of online content is happening without clear regulation or limits.³

Role of the Indian Penal Code and Code of Criminal Procedure

There are existing provisions in the Indian Penal Code that provide the government the power to censor book, pamphlets, and other material on varied grounds, including obscenity, causing of enmity between communities, etc. The police is provided powers to enforce such governmental orders. Section 95 of the Code of Criminal Procedure allows the State Government to declare (through an official notification) certain publications which seem to violate the Indian Penal Code as 'forfeited to the Government' and to issue search warrants for the same. After this the police can enforce that notification.

It is clear that this is not the case for any of the content removal requests that were sent to Google.

Police Are Defeating the Constitution and the IT Act

Therefore, it would seem that law enforcement agencies are operating outside the bounds set up under the Indian Penal Code, the Code of Criminal Procedure, as also the Information Technology Act, when they send requests for removal of content to companies like Google. While a company might comply with it because it appears to them to violate their own terms of service (which generally include a wide clause about content being in accordance with all local laws), community guidelines, etc., it would appear that it is not required under the law to do so if the order itself is not legal.

However, anecdotal evidence has it that most companies comply with such 'requests' even when they are not under any legal obligation to do so.

This way the intention of Parliament in enacting s.69A of the IT Act—to regulate government censorship of the Internet and bring it within the bounds laid down in the Constitution—is defeated.

DIT Either Evasive or Not Following Rules

The DIT did not provide answers on:

Whether any block ordered by the DIT has ever been revoked
On what basis DIT decides which intermediary (web host, ISP, etc.) to send the order of blocking to

It also provided the minutes for only one meeting⁴ of the committee that decides whether to carry out a block, when we had requested for minutes of all the meetings it has ever held. That committee (the Committee for Examination of Requests, constituted under Rule 8(4) of the Blocking Rules) has to consider every single item in every single request forwarded to the Designated Officer, and 68 items were sent to the Designated Officer in 6 requests. Quite clearly something doesn't add up. Either the Committee is not following the Blocking Rules or the DIT is not providing a full reply under the RTI Act.

A request was made to block http://www.topix.net, by the 'Commmissioner, Maharashtra State, Colaba, Mumbai—400001', presumably the Commissioner of State Intelligence Department of Maharashtra, whose office is located in Colaba. ↩
However, the Blocking Rules require the person or the hosting intermediary being contacted for a response. This provides the person/intermediary the opportunity to remove the content voluntarily or to oppose the request for blocking.

"Rule 8. Examination of request: (1) On receipt of request under rule 6, the Designated Officer shall make all reasonable efforts to identify the person or intermediary who has hosted the information or part thereof as well as the computer resource on which such information or part thereof is being hosted and where he is able to identify such person or intermediary and the computer resource hosting the information or part thereof which have been requested to be blocked for public access, he shall issue a notice by way of letters or fax or e-mail signed with electronic signatures to such person or intermediary in control of such computer resource to appear and submit their reply and clarifications if any, before the committee referred to in rule 7, at a specified date and time, which shall not be less than forty-eight hours from the time of receipt of such notice by such person or intermediary." ↩
While it is possible to imagine that the Indian Penal Code and the Code of Criminal Procedure lay down limits, it is clear from the Google Transparency Report that the requests from removal are not coming based only on court orders, but from the executive and the police. The police have no powers under the IPC or the CrPC to request removal of content without either a public notification issued by the State Government or a court order. ↩
The minutes of the meeting held on August 24, 2010, on the request for blocking of www.betfair.com were sent as 'Annexure III' of the DIT response. This request was not granted. ↩

For more details visit https://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-rti-blocking

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

Analysing Latest List of Blocked Sites (Communalism & Rioting Edition)

pranesh — 2012-09-06T11:52:47Z

Pranesh Prakash does preliminary analysis on a leaked list of the websites blocked from August 18, 2012 till August 21, 2012 by the Indian government.

Note: This post will be updated as more analysis is done. Last update: 23:59 on August 22, 2012. This is being shared under a Creative Commons Attribution-NonCommercial licence.

How many items have been blocked?

There are a total of 309 specific items (those being URLs, Twitter accounts, img tags, blog posts, blogs, and a handful of websites) that have been blocked. This number is meaningless at one level, given that it doesn't differentiate between the blocking of an entire website (with dozens or hundreds of web pages) from the blocking of a single webpage. However, given that very few websites have been blocked at the domain-level, that number is still reasonably useful.

Please also note, we currently only have information related to what telecom companies and Internet Service Providers (ISPs) were asked to block till August 21, 2012. We do not have information on what individual web services have been asked to remove. That might take the total count much higher.

Why have these been blocked?

As far as I could determine, all of the blocked items have content (mostly videos and images have been targeted, but also some writings) that are related to communal issues and rioting. (Please note: I am not calling the content itself "communal" or "incitement to rioting", just that the content relates to communal issues and rioting.) This has been done in the context of the recent riots in Assam, Mumbai, UP, and the mass movement of people from Bangalore.

There were reports of parody Twitter accounts having been blocked. Preliminary analysis on the basis of available data show that parody Twitter accounts and satire sites have not been targetted solely for being satirical. For instance, very popular parody Twitter accounts, such as @DrYumYumSingh are not on any of the four orders circulated by the Department of Telecom. (I have no information on whether such parody accounts are being taken up directly with Twitter or not: just that they aren't being blocked at the ISP-level. Media reports indicate six accounts have been taken up with Twitter for being similar to the Prime Minister's Office's account.)

Are the blocks legitimate?

The goodness of the government's intentions seem, quite clearly in my estimation, to be unquestionable. Yet, even with the best intentions, there might be procedural illegalities and over-censorship.

There are circumstances in which freedom of speech and expression may legitimately be limited. The circumstances that existed in Bangalore could justifiably result in legitimate limitations on freedom of speech. For instance, I believe that temporary curbs — such as temporarily limiting SMSes & MMSes to a maximum of five each fifteen minutes for a period of two days — would have been helpful.

However it is unclear whether the government has exercised its powers responsibly in this circumstance. The blocking of many of the items on that list are legally questionable and morally indefensible, even while a some of the items ought, in my estimation, to be removed.

If the government has blocked these sites under s.69A of the Information Technology Act ("Power to Issue Directions for Blocking for Public Access of Any Information through any Computer Resource"), the persons and intermediaries hosting the content should have been notified provided 48 hours to respond (under Rule 8 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009). Even if the emergency provision (Rule 9) was used, the block issued on August 18, 2012, should have been introduced before the "Committee for Examination of Request" by August 20, 2012 (i.e., within 48 hours), and that committee should have notified the persons and intermediaries hosting the content.

Importantly, even though many of the items on that list are repugnant and do deserve (in my opinion) to be removed, ordering ISPs to block them is largely ineffectual. The people and companies hosting the material should have been asked to remove it, instead of ordering Internet service providers (ISPs) to block them. All larger sites have clear content removal policies, and encouraging communal tensions and hate speech generally wouldn't be tolerated. That this can be done without resort to the dreadful Intermediary Guidelines Rules (which were passed last year) shows that those Rules are unnecessary. It is our belief that those Rules are also unconstitutional.

Are there any egregious mistakes?

Yes, there are numerous such examples of egregious mistakes.

Most importantly, some even people and posts debunking rumours have been blocked.
Some of the Twitter accounts are of prominent people who write for the mainstream media, and who have written similar content offline. If their online content is being complained about, their offline content should be complained about too.
Quite a number of the links include articles published and reports broadcast in the mainstream media (including a Times Now report, a Telegraph picture gallery, etc.), and in print, making the blocks suspect. Only the online content seems to have been targeted for censorship.

There are numerous mistakes and inconsistencies that make blocking pointless and ineffectual.

Some of the items are not even web addresses (e.g., a few HTML img tags were included).
Some of the items they have tried to block do not even exist (e.g., one of the Wikipedia URLs).
An entire domain was blocked on Sunday, and a single post on that domain was blocked on Monday.
For some Facebook pages, the secure version (https://facebook.com/...) is listed, for others the non-secure version (http://facebook.com/...) is listed.
For some YouTube videos, the 'base' URL of YouTube videos is blocked, but for other the URL with various parameters (like the "&related=" parameter) is blocked. That means that even nominally 'blocked' videos will be freely accessible.

All in all, it is clear that the list was not compiled with sufficient care.

Despite a clear warning by the DIT that "above URLs only" should be blocked, and not "the main websites like www.facebook.com, www.youtube.com, www.twitter.com, etc.", it has been seen that some ISPs (like Airtel) have gone overboard in their blocking.

Why haven't you put up the whole list?

Given the sensitivity of the issue, we felt it would be premature to share the whole list. However, we strongly believe that transparency should be an integral part of all censorship. Hence, this analysis is an attempt to provide some much-needed transparency. We intend to make the entire list public soon, though. (Given how porous such information is, it is likely that someone else will procure the list, and release it sooner than us.)

Why can I still access many items that are supposed to be blocked?

One must keep in mind that fresh orders have been issued on a day-by-day basis, that there are numerous mistakes in the list making it difficult to apply (some of these mistakes have been mentioned above), and the fact that that this order has to be implemented by hundreds of ISPs.

Your ISP probably has not have got around to enforcing the blocks yet. At the time of this writing, most ISPs don't seem to be blocking yet. This analysis is based on the orders sent around to ISPs, and not on the basis of actual testing of how many of these have actually been blocked by Airtel, BSNL, Tata, etc.

Additionally, if you are using Twitter through a client (on your desktop, mobile, etc.) instead of the web interface, you will not notice any of the Twitter-related blocks.

So you are fine with censorship?

No. I believe that in some cases, the government has the legal authority to censor. Yet, exercising that legal authority is usually not productive, and in fact there are other, better ways of limiting the harms caused by speech and information than censorship. Limiting speech might even prove harmful in situations like these, if it ends up restricting people's ability to debunk false rumours. In a separate blog post (to be put up soon), I am examining how all of the government's responses have been flawed both legally and from the perspective of achieving the desired end.

So what should the government have done?

Given that the majority of the information it is targeting is on Facebook, Youtube, and Twitter, the government could have chosen to fight alongside those services to get content removed expeditiously, rather than fight against them. (There are some indications that the government might be working with these services, but it certainly isn't doing enough.)

For instance, it could have asked all of them to expedite their complaints mechanism for a few days, by ensuring that the complaints mechanism is run 24x7 and that they respond quickly to any complaint submitted about communal incitement, spreading of panic, etc. This does not need the passing of an order under any law, but requires good public relations skills and a desire not to treat internet services as enemies. The government could have encouraged regular users to flag false rumours and hate speech on these sites. On such occasions, social networking sites should step up and provide all lawful assistance that the government may require. They should also be more communicative in terms of the help they are providing to the government to curtail panic-inducing rumours and hate speech. (Such measures should largely be reactive, not proactive, to ensure legitimate speech doesn't get curtailed.)

The best antidote for the rumours that spread far and wide and caused a mass movement of people from Bangalore to the North-Eastern states would have been clear debunking of those rumours. Mass outreach to people in the North-East (very often the worried parents) and in Bangalore using SMSes and social media, debunking the very specific allegations and rumours that were floating around, would have been welcome. However, almost no government officials actually used social media platforms to reach out to people to debunk false information and reassure them. Even a Canadian interning in our organization got a reassuring SMS from the Canadian government.

It is indeed a pity that the government notified a social media engagement policy today, when the need for it was so very apparent all of the past week.

And what of all this talk of cybersecurity failure and cyber-wars?

Cybersecurity is indeed a cause of concern for India, but only charlatans and the ignorant would make any connection between India's cybersecurity and recent events. The role of Pakistan deserves a few words. Not many Pakistani websites / webpages have been blocked by the Indian government. Two of the Pakistani webpages that have been blocked are actually pages that debunk the fake images that have been doing the rounds in Pakistan for at least the past month. Even Indian websites like Kafila have noted these fake images long ago, and Ayesha Siddiqa wrote about this on August 5, 2012, and Yousuf Saeed wrote about it on August 13, 2012. Even while material that may have been uploaded from Pakistan, it seems highly unlikely they were targeted at an Indian audience, rather than a Pakistani or global one.

Domain	Total Number of Entries	Tuesday, August 21, 2012	Monday, August 20, 2012	Sunday, August 19, 2012	Saturday, August 18, 2012
ABC.net.au	1				1
AlJazeera.com	4		4
AllVoices.com	1				1
WN.com	1				1
AtjehCyber.net	1				1
BDCBurma.org	1	1
Bhaskar.com	1			1
Blogspot.com	4			3	1
Blogspot.in	7	1	3		3
Catholic.org	1			1
CentreRight.in	2	2
ColumnPK.com	1			1
Defence.pk	4		2	1	1
EthioMuslimsMedia.com	1				1
Facebook.com (HTTP)	75	36	7	18	14
Facebook.com (HTTPS)	27		3	23	1
Farazahmed.com	5	1			4
Firstpost.com	2		1	1
HaindavaKerelam.com	1			1
HiddenHarmonies.org	1		1
HinduJagruti.org	2		1	1
Hotklix.com	1			1
HumanRights-Iran.ir	2				2
Intichat.com	1	1
Irrawady.org	1			1
IslamabadTimesOnline.com	1				1
Issuu.com	1				1
JafriaNews.com	1				1
JihadWatch.org	2		2
KavkazCenter	1			1
MwmJawan.com	1				1
My.Opera.com	1	1
Njuice.com	1		1
OnIslam.net	1				1
PakAlertPress.com	1	1
Plus.Google.com	4				4
Reddit.com	1		1
Rina.in	1				1
SandeepWeb.com	1		1
SEAYouthSaySo.com	1				1
Sheikyermami.com	1				1
StormFront.org	1				1
Telegraph.co.uk	1				1
TheDailyNewsEgypt.com	1				1
TheFaultLines.com	1				1
ThePetitionSite.com	1	1
TheUnity.org	1				1
TimesofIndia.Indiatimes.com	1		1
TimesOfUmmah.com	1				1
Tribune.com.pk	1	1
Twitter.com (HTTP)	1			1
Twitter.com (HTTPS)	11			1	10
Twitter account	18		16	2
TwoCircles.net	2			2
Typepad.com	1		1
Vidiov.info	1		1
Wikipedia.org	3			3
Wordpress.com	8	1	3	2	2
YouTube.com	85	18	39	14	14
YouTu.be	1			1
Totals	309	65	88	80	75

The analysis has been cross-posted/quoted in the following places:

LiveMint (September 4, 2012)
The Hindu (August 26, 2012)
Wall Street Journal (August 25, 2012)
tech 2 (August 25, 2012)
China Post (August 25, 2012)
The Hindu (August 24, 2012)
LiveMint (August 24, 2012)
Global Voices (August 24, 2012)
Reuters (August 24, 2012)
Outlook (August 23, 2012)
FirstPost.India (August 23, 2012)
IBN Live (August 23, 2012)
News Click (August 23, 2012)
Medianama (August 23, 2012)
KAFILA (August 23, 2012)
CIOL (August 23, 2012)

For more details visit https://cis-india.org/internet-governance/blog/analysing-blocked-sites-riots-communalism

An Introduction to Spectrum Sharing

beli — 2014-03-20T09:34:06Z

We will look at how current technology – mainly GSM, but also CDMA and touching upon LTE - shares spectrum, how they might share spectrum, the trade-off between spectral (in this case, 'trunking') and 'economic' efficiency in the traditional, purely intra-operator shared scenario, and how it might be overcome by inter-operator sharing.

The Current Scenario – Wi-Fi, GSM and CDMA: A Primer from the Perspective of Spectrum Coordination

Sharing spectrum is not a radically new idea: it's probably being shared in many places in your living room. Your family's phones could be communicating with your laptops using Bluetooth; your Wi-Fi router is sharing Wi-Fi spectrum with your next door neighbor's. There is no central brain that tells each device how to share spectrum, but each device pair (phone+laptop, for example) has some unique identifier (a code) that enables them to hear each other over the “noise” created by the other devices, as though they were speaking different languages. Each device can access the same frequencies at the same time and place, but does not know in advance which other devices are going to use them, and as long as there aren't too many such devices close to each other, the scheme works well.

From a technological standpoint, this is one of two kinds of spectrum coordination that's currently in wide use: the second is where each device is given a narrow sliver of frequency to itself for a specified period of time.[1] This is what happens with GSM cellphone technology: the service provider's tower allocates frequency — from the pool of frequencies available — to users on a per-call basis: this is called Frequency Division Multiple Access, or FDMA. GSM further divides access between different users in the same frequency channel in the time domain with bursts of data of the order of milliseconds, something called Time Division Multiple Access or TDMA; you'd be sharing your frequency channel with up to seven other people[2] and your content would be sent in sub-millisecond bursts approximately every five milliseconds.

Code Division Multiplexing, or CDMA, Is concept that assigns a user a 'code' for the duration of her call that effectively makes interference from other users, with other codes, appear as noise. The following picture illustrates FDMA, TDMA and CDMA:[3]

The preceding discussion would suffice for a single cell tower, alone in a desert. In the real world, there's more than one tower, so we'll have to create a system so that no two adjacent towers end up allocating the same frequency at the same time. The simplest way to do that, and the only one currently used, is splitting the available spectrum such that the range of frequencies available to a tower does not intersect with that available to any of its neighbors, ever – that way, a tower can only allocate from its own set of frequencies, but it need not concern itself with what its neighbors are doing. If adjacent towers were to share spectrum, then the preceding condition only needs to apply at that exact moment in time – at that precise instant a tower should be aware of the frequencies being used by all towers that are close enough to interfere with it, and pick a frequency outside that set, which it can use for the duration of a call.

Frequency Reuse

When there weren't so many cellphones crowding up the spectrum, it did not make economic sense to invest in the extra infrastructure required to make neighboring towers 'talk' to each other with low latency, so the solution we have now, even within the towers of a single service provider, is that any tower's neighbors do not intrude upon the spectrum assigned to that particular tower — what a neighbour is in this statement is qualified below. To start with, let's look at how towers could ideally be placed. We want to place towers on the ground in some regular pattern that makes them end up equidistant from each other: there are as many ways of doing that as there are of tiling a plane, which you can think of as tiling a bathroom with regular shapes (called 'regular polygons' by the pedantic).

Starting from the simplest, we can do it with tiles shaped like triangles, squares or hexagons, and a little thought will convince you that these are the only choices. Since a tower's signal would be 'strong enough' only up to some maximum radius, we'd ideally like to tile our plane with circles, but if we settle for the next best thing, the closest shape to a circle with which to tile the plane is a hexagon, in a honeycomb pattern; if you're looking at it from above, the towers would be placed as in the diagram below.[4]

This is just a part of a much larger honeycomb on the ground; the towers go in the center of the hexagons, where the numbers are; why the numbers are as they are will become clear in a couple of lines. Let's focus at tower 1 in the center of the diagram for our example. If the signals decay slow enough — so that the signals radiated from the nearest neighbors (towers surrounding 1, i.e. 2 through 7) and the next-nearest neighbors (towers two steps away from 1, with numbers from 2 through 7), interfere significantly with tower 1 in the center, but the next-to-next-nearest neighbors (three steps away from 1) do not, then the frequency reuse pattern can be like what we see in the diagram above, with towers denoted by the same number (and only the same number) using same exclusive set of frequencies. In this example, the closest towers with the same frequency as the central tower are the 1's in the hexagons at the edge – the frequency reuse factor is 3 (see footnote). In this diagram, the ordering of the numbers makes no difference – the situation would be the same if we exchanged the position of every, say, 1 and 3.

In reality the grid of towers of a particular operator covering a city is rarely hexagonal, due to local constraints, so what needs to be taken care of is not to use the frequencies that the nearest neighbors, next-nearest neighbors and so on are using depending upon the frequency reuse factor.[5] It's clear that without the towers being able to communicate in near-real time, with and FDMA/TDMA system like GSM, this is the optimal — and, in fact, the only — way to go.

Neighbouring towers sharing spectrum

Everything changes, though, if the towers can communicate and coordinate fast enough — in theory, at least, all the service provider's towers could pick spectrum from a common pool.[6] In fact, every service providers could put their spectrum into a common pool from which frequencies can be allocated to users as before. This would increase trunking efficiency and thereby the maximum number of users per tower dictated by quality of service limits (both terms are defined in the next section), making more efficient use of the spectrum.

The Current Trade-off between Trunking and 'Economic' Efficiency: The Principal Argument for (Inter-operator) Shared Spectrum

Imagine the following scenario:

We have 5 MHz of spectrum split it into five channels of one MHz each;
Five thousand people own cell phones and each is assigned a channel so that there are a thousand cellphone users per channel;
People call infrequently: calls are randomly distributed but on average, in each channel, five people attempt to make a call every minute and each call is ten seconds long.

In this way, a lot of people can use a few channels with a reasonable hope that their calls will be connected, a phenomenon called 'trunking'. Chances are high, however, that at least one person's going to make a call before the previous caller on her channel is done, and end up being blocked. The probability that a call will go through is factored into the Quality of Service (QoS) through the Erlang B Formula; roughly speaking, the less chance there is of a caller being blocked, the higher your QoS. It's essentially a question of queuing: the same logic can be applied to beds at a hospital. The number of hospital beds in a town would be much fewer than the number of people, but it works because everyone's not sick all the time; if people are sick more often, or for longer durations, the chances that someone won't get a bed would be higher:[7]

Suppose someone own an Airtel phone and Airtel's channels are all in use, but Vodaphone has a channel free at the time. Let's look at two alternatives:

a) she's not allowed to switch, and cannot make her call;
b) she's allowed to switch to the empty channel, and her call goes through.

Clearly, the second choice is better — and it has greater trunking efficiency.

In the current scenario, service providers get exclusive rights to chunks of spectrum. Naively, the more competitors (in this case, service providers like Airtel and Vodaphone) you have in a market, the better the competition. This, unfortunately, leads to a decrease in trunking efficiency — it's inversely proportional to the number of players in the market because every chunk of frequencies split between two service providers (every successive split) increases the chances for an event such as the one described above happening. The question that logically follows is: what is the optimal number of service providers for the Indian market? This is hard to find, and differs depending on who you ask — incumbents, for instance, may quote a smaller number, whereas prospective new entrants may quote a larger one. The number is controversial within policy-making circles as well, and is being debated as this article is being written. We note in passing that the number of competitors — and thus fragmentation of spectrum — is higher in the Indian market than most others.

If spectrum were shared, however, all this would be moot. This, therefore, is the primary argument towards spectrum sharing: better trunking efficiency as well as more competition — you can , in this instance, have it both ways.

CDMA and Spectrum Sharing

GSM is a simple example, where both the difficulty and the benefits of intra-operator spectrum sharing are readily apparent. Things get more difficult conceptually if we talk about newer technologies, so we'll have to get a little deeper into the technicalities. Code Division Multiple Access, or CDMA, allows phones to communicate using the same frequencies at the same time and place, but differentiated by codes — similar to WiFi but using different encoding schemes and technology. CDMA might look (from the analogy with Wifi) to require no central planning, but quality of service guarantees require that various phones in a 'cell' coordinate, and the coordinating agent happens to be that cell's tower. Two things need to happen: one, the code allocated to each phone needs to be sufficiently different,[8] at least with respect to other nearby phones, which means the tower has to allocate codes. Additionally, the distance involved between cellphone and tower (as against laptop and router) causes the near-far problem.[9]

For synchronous CDMA, the concept analogous to frequency reuse is code reuse — a tower needs to take into account the codes being used by its nearest neighbors, next-nearest neighbors and so on, which might be easier than coordinating timing in a TDMA system. For asynchronous CDMA (the most commonly used variant), even that is not required — the low cross-correlation pseudorandom codes that are used have so many possibilities that the likelihood of a collision would be small, though other users would appear as gaussian noise, so just like GSM, the number of users is limited by QoS limits. This makes intro-operator sharing of spectrum between adjacent towers easier and asynchronous CDMA ends up with a frequency reuse factor of 1, meaning that a tower can access the same set of frequencies as its (intra-operator) neighbor, hypothetically making it easier to use in a shared-spectrum system.

LTE

LTE uses Orthogonal Frequency Division Multiplexing, or OFDM, which can be – very roughly — thought of as combining ideas used in FDMA as well as CDMA, in that information is redundantly split between several frequencies ('subcarriers' in the literature) and each frequency can have more than one channel, using an orthogonal coding schemes like (synchronous) CDMA, where, as mentioned earlier, a mobile phone can distinguish its channel by its code. As it's an FDMA system, the benefits of frequency sharing for LTE can be inferred as above for GSM.

The Regulatory Perspective

The European Commission has this to say about shared spectrum:[10] “From a regulatory point of view, band sharing can be achieved in two ways: either by the Collective Use of Spectrum (CUS), allowing spectrum to be used by more than one user simultaneously without a license; or using Licensed Shared Access (LSA), under which users have individual rights to access a shared spectrum band”.

CUS is how unlicensed spectrum like Wi-Fi is currently used, which does not require a central 'brain' allocating spectrum to users. It requires no setup or organization before or during use. LSA is what shared spectrum would have to be like when used by service providers: it requires setup and organization but could offer better efficiency and quality of service because the central 'brain' — in this case the CPU at the cellphone tower — can figure out the most efficient way to allocate spectrum to users, just like a city's traffic lights coordinate the flow of traffic to prevent jams, and for that multiple towers — or multiple transmitters on a single tower — would have to coordinate somehow. In other words, you don't require approval before setting up your Wi-Fi router in your living room, but (depending upon the router, how many neighbors have routers, how close they are, and how far you are from your router) your connection might get dropped; this kind of thing is okay because there usually aren't that many people with routers living that close to each other, though that's fast changing. The 2.4 GHz Wi-Fi band is further crowded in by other microwave radio technologies, like Bluetooth and microwave ovens. Cellphones are a different thing altogether, because you wouldn't want your cellphone to stop working in the middle of a crowded bus if you're late en route to meeting someone at a coffee shop, or if you're being mugged and need to call the police. Therefore it is the service providers' and regulatory agencies' responsibility to provide a high (minimum) quality of service. This classification is symbolized by the following diagram:[11]

CUS falls on the left, being contention-based – that is, different user devices (eg, laptops) could contend with each other for the attention of the base station (eg, Wi-Fi router — random access, CSMA), whereas LSA is conflict-free (which would be the case if the router decides, period). The potential for conflict exists in CUS, there being multiple devices asking for spectrum, whereas for LSA, a central authority decides which device to allocate spectrum to at any particular point in space and time. CUS isn't total chaos, however: it would now be appropriate — taking a leaf from ex-FCC chief technology officer Jon M. Peha – to introduce the concepts of coexistence and etiquette.

In our Wi-Fi example, the Wi-Fi routers merely coexist, and the technological standard allows them to try and use the codes/spectral bands that are in their best interests, to best communicate with their client devices (though actual Wi-Fi routers also follow some sort of etiquette with other routers). One could additionally introduce some sort of etiquette into the equation by requiring that one router should, for example, “wait in the cue” for another — and vice versa — as and when required, as well as other requirements for cooperation depending upon the technology used. This minimal cooperation would be enough for them to, in Mr Peha's words, “greatly improve efficiency if and only if designed appropriately for the applications in the band” - depending upon the technology used, being too 'polite' could cause longer wait times that decrease efficiency. The situation is complicated by the existence of multiple technologies at the same spot – for example, your Bluetooth receiver, two-way radio and Wifi router working in the same room. If there is potential for interference, common communication protocols could be implemented to enable all those devices to 'talk' to each other and effectively follow some form of wireless etiquette so that they can cooperate and not get in each others way. This is all the more important as Wi-Fi will become an essential part of the cellphone communication network for 4G.

To conclude, there are many ways shared spectrum technology could hypothetically work, and in practice the core technologies that are used would dictate the details of the spectrum sharing solution. Spectrum sharing would reduce the regulatory conundrum that is spectrum allocation, and make more efficient use of spectrum — most obviously through trunking efficiency, though there may be other technological benefits depending upon the core technology used. For maximum efficiency and robustness, there would have to be some kind of rules followed, so that devices apply for spectrum like people in a cafeteria queue as opposed to the scrum you might find trying to get into an Indian bus; the etiquette we were talking about earlier should be baked into the design of the communication infrastructure. Some services (like voice calling) by their nature, need a guaranteed high QoS — need to be conflict-free — and therefore need Licensed Shared Access. Others need a minimum of regulation — but with the movement of what used to be CUS-appropriate devices (In many plans for 4G LTE-Advanced, specifically Wi-Fi) towards LSA-appropriate applications, a careful optimization needs to be done in deciding where to draw the line.

The Big Question: Infrastructure Sharing

We've gone through a thought experiment on intra- and inter-operator sharing of spectrum for the particular case of mobile towers in adjacent cells, and come to the general conclusion that the solution is in principle a question of fast and efficient coordination between the geographically separated towers, toward which there are two driving forces at present: the demand for more efficient use of spectrum by a growing body of users with growing data needs, and the supply of low latency, cheaper and higher bandwidth communication options using fiber-optic cables.

There are essentially two parts to the big question we're going to ask: one, what happens when there are multiple operators serving the same geographical area, and two, is it necessary to have multiple towers standing right next to each other for multiple operators?

To answer the first question, one could have a 'roaming' agreement between multiple operators at the same spot: if all the channels of one operator are busy, the user just has to switch to a channel of an operator which isn't. For the second, a single tower (the physical tower structure as well as the transmitting equipment on it) could serve any operator, who could rent it's usage on a per-call basis. That, in fact, already seems to be the case: Airtel and Vodaphone, for instance, each own a 42% share in India's largest tower corporation Indus Towers, the remaining 16% belonging to Idea Cellular.

To answer the first question, one could have a 'roaming' agreement between multiple operators at the same spot: if all the channels of one operator are busy, the user just has to switch to a channel of an operator which isn't.

For the second, a single tower (the physical tower structure as well as the transmitting equipment on it) could serve any operator, who could rent it's usage on a per-call basis. That, in fact, already seems to be the case: Airtel and Vodaphone, for instance, each own a 42% share in India's largest tower corporation Indus Towers, the remaining 16% belonging to Idea Cellular.

Infrastructure sharing will be explored further in a forthcoming post.

Coarse-grained Spectrum Sharing

For completeness, we should point out that there are more course-grained (simpler but less efficient) means of sharing in time as well as geography: the appropriate thought experiment is to imagine a radio station at the base of a hill that only has two shows, one for breakfast and one for dinner. Using its radio spectrum on the other side of that hill, or beyond the area it serves, would be fine at anytime; using it's spectrum in between the morning and evening shows would be fine anywhere.

Caveats

It must be emphasized at this point that the above is a purely hypothetical scenario, and not a prescription. Getting this to work would involve technical hurdles that a brief overview such as the one above could not bring up, that could only be discovered in the process of bringing the technology to market. Each technological solution – GSM, CDMA and LTE – would present its own difficulties, which may become apparent only when the product is shipped, so to speak. Fine technical judgments would need to be made: an example of the difficulty involved could be gauged from the early debates comparing the first CDMA standard (IS-95) with GSM at the time.

The economic model to use for shared spectrum and shared infrastructure is also something under intense discussion right now, and a number of scholarly papers have already been written up.

[1]. This is what you'd get in your first few Google search results when you look for “shared spectrum”, because the former has become so widely accepted that it's now part of the linguistic background.

[2]. Explained on http://www.radioraiders.com/gsm-frequency.html, referring to 3GPP spec http://www.3gpp.org/ftp/Specs/latest/Rel-7/45_series/45005-7d0.zip

[3]. From http://www.umtsworld.com/technology/cdmabasics.htm

[4]. From Mike Buehrer, William Tranter-Code Division Multiple Access (CDMA)-Morgan & Claypool Publishers (2006).

[5]. There are multiple definitions; the simplest one is “how many steps (in cells) that you have to walk from the tower before you can reuse the frequency”, which will suffice for us.

[6]. Of course, it's going to be messier in practices.

[7]. From http://www.vumc.com/branch/PICA/Software/

[8]. Orthogonal for synchronous CDMA, or 'sufficiently' orthogonal for asynchronous CDMA

[9]. Remember that the receiver on the tower has to demux (split) the signals received from many cellphones, and while a Wifi router would perhaps service multiple laptops in the same building, a CDMA tower has to work for a couple of hundred phones at varying distances – some a building-length away and some, many kilometers away. Every receiver has its own maximum signal to noise ratio, where the strength of the signal received has to be more that a certain fraction (which can be quite small, for a good receiver) of the strength of the electromagnetic (radio) noise it receives from other sources; cellphone towers have to deal with much larger signal to noise ratios than Wifi routers. For an FDMA or TDMA system, different users' data arrives at different frequency or time-slots, so as long as those slots are properly differentiated, one user's signal won't be another user's noise. For the commonly used asynchronous CDMA system, however, this is not the case, so at a receiver on a tower, the signal transmitted by a distant cellphone could be swamped by that from a much closer phone. The way this is dealt with is to have phones closer to the tower decrease their transmission power. So even in CDMA, the tower is still telling the phone what to change, only in this case it's the transmission power as opposed to the exact frequency and time.

[10]. http://ec.europa.eu/digital-agenda/en/promoting-shared-use-europes-radio-spectrum

[11]. From Mike Buehrer, William Tranter-Code Division Multiple Access (CDMA)-Morgan & Claypool Publishers (2006)

For more details visit https://cis-india.org/telecom/blog/an-introduction-to-spectrum-sharing

An Analysis of the Cases Filed under Section 46 of the Information Technology Act, 2000 for Adjudication in the State of Maharashtra

bhairav — 2013-10-01T15:29:46Z

This is a brief review of some of the cases related to privacy filed under section 46 of the Information Technology Act, 2000 ("the Act") seeking adjudication for alleged contraventions of the Act in the State of Maharashtra.

Background

Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government [see section 46(1) of the Act], must have field experience with information technology and law [see section 46(3) of the Act] and exercises jurisdiction over claims for damages up to `5,00,00,000 [see section 46(1A) of the Act]. For the purpose of adjudication, the officer is vested with certain powers of a civil court [see section 46(5) of the Act] and must follow basic principles of natural justice while conducting adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority.

In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court [see section 46(2) of the Act], and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences [see section 47 of the Act]. The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.[1]

It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.

Excursus

At the outset, it is important to understand the distinction between compensation and damages. Compensation is a sum of money awarded by a civil court, before or along with the primary decree, to indemnify a person for injury or loss. It is usually awarded to a person who has a suffered a monetary loss as a result of the acts or omissions of another party. Its quantification is usually guided by principles of equity. [See Shantilal Mangaldas AIR 1969 SC 634 and Ranbir Kumar Arora AIR 1983 P&H 431]. On the hand, damages are punitive and, in addition to restoring an indemnitee to wholeness, may be imposed to deter an offender, punish exemplary offences, and recover consequential losses, amongst other objectives. Damages that are punitive, while not judicially popular in India, are usually imposed by a criminal court in common law jurisdictions. They are distinct from civil and equitable actions. [See the seminal case of The Owners of the Steamship Mediana [1900] AC 113 (HL)].

Unfortunately, section 46 of the Act uses the terms “damage”, “injury” and “compensation” interchangeably without regard for the long and rich jurisprudence that finds them to be different concepts.

The Cases related to Privacy

In the State of Maharashtra, there have been a total of 47 cases filed under section 46 of the Act. Of these, 33 cases have been disposed of by the Adjudicating Officer and 14 are currently pending disposal. [2] At least three of these cases before the Adjudicating Officer deal with issues related to privacy of communications and personal data. They are:

Case Title	Forum	Date
Vinod Kaushik v. Madhvika Joshi	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	10.10.2011
Amit D. Patwardhan v. Rud India Chains	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	15.04.2013
Nirmalkumar Bagherwal v. Minal Bagherwal	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	26.08.2013

In all three cases the Adjudicating Officer was called upon to determine and penalise unauthorised access to personal data of the complainants. In the Vinod Kaushik case, the complainants’ emails and chat sessions were accessed, copied and made available to the police for legal proceedings without the permission of the complainants. In the Amit Patwardhan and Nirmalkumar Bagherwal cases, the complainants’ financial information in the form of bank account statements were obtained from their respective banks without their consent and used against them in legal proceedings.

The Vinod Kaushik complaint was filed in 2010 for privacy violations committed between 2008 and 2009. The complaint was made against the complainant’s daughter-in-law – the respondent, who was estranged from her husband, the complainant’s son. The respondent had, independent of the proceedings before the Adjudicating Officer, instituted criminal proceedings alleging cruelty and dowry-related harassment against her estranged husband and the complainant. To support some of the claims made in the criminal proceedings, the respondent accessed the email accounts of her estranged husband and the complainant and printed copies of certain communications, both emails and chat transcripts. The complaint to the Adjudicating Officer was made in relation to these emails and chat transcripts that were obtained without the consent and knowledge of the complainant and his son. On 09.08.2010, the then Adjudicating Officer dismissed the complaint after finding that, owing to the marriage between the respondent and the complainant’s son, there was a relation of mutual trust between them that resulted in the complainant and his son consensually sharing their email account passwords with the respondent. This ruling was appealed to the Cyber Appellate Tribunal ("CyAT") which, in a decision of 29.06.2011, found irregularities in the complainant’s son’s privity to the proceedings and remanded the complaint to the Adjudicating Officer for re-adjudication. The re-adjudication, which was conducted by Shri Rajesh Aggarwal as Adjudicating Officer, resulted in a final order of 10.10.2011 ("the final order") that is the subject of this analysis. The final order found that the respondent had violated the privacy of the complainant and his son by her unauthorised access of their email accounts and sharing of their private communications. However, the Adjudicating Officer found that the intent of the unauthorised access – to obtain evidence to support a criminal proceeding – was mitigatory and hence ordered the respondent to pay only a small token amount in compensation, not to the complainants but instead to the State Treasury. The Delhi High Court, which was moved in appeal because the CyAT was non-functional, upheld the final order in its decision of 27.01.2012.

The Amit Patwardhan complaint was filed against the complainant’s ex-employer – the respondent, for illegally obtaining copies of the complainant’s bank account statement. The complainant had left the employ of the respondent to work with a competing business company but not before colluding with the competing business company and diverting the respondent’s customers to them. For redress, the respondent filed suit for a decree of compensation and lead the complainant’s bank statements in evidence to prove unlawful gratification. Since the bank statements were obtained electronically by the respondent without the complainant’s consent, the jurisdiction of the Adjudicating Officer was invoked. In his order of 15.04.2013, Shri Rajesh Aggarwal, the Adjudicating Officer, found that the respondent had, by unlawfully obtaining the complainant’s bank account statements which constitute sensitive personal data, violated the complainant’s privacy. The Adjudicating Officer astutely applied the equitable doctrine of clean hands to deny compensation to the complainant; however, because the complainant’s bank was not a party to the complaint, the Adjudicating Officer was unable to make a ruling on the lack of action by the bank to protect the sensitive personal data of its depositors.

The Nirmalkumar Bagherwal complaint bears a few similarities to the preceding two cases. Like the Vinod Kaushik matter, the issue concerned the manner in which a wife, estranged but still legally married, accessed electronic records of personal data of the complainants; and, like the Amit Patwardhan matter, the object of the privacy violation was the bank account statements of the complainants that constitute sensitive personal data. The respondent was the estranged wife of one of the complainants who, along with his complainant father, managed the third complainant company. To support her claim for maintenance from the complainant and his family in an independent legal proceeding, the respondent obtained certain bank account statements of the complainants without their consent and, possibly, with the collusion of the respondent bank. After reviewing relevant law from the European Union and the United States, and observant of relevant sectoral regulations applicable in India including the relevant Master Circular of the Reserve Bank of India, and further noting preceding consumer case law on the subject, the Adjudicating Officer issued an order on 26.08.2013. The order found that the complainant’s right to privacy was violated by both the respondents but, while determining the quantum of compensation, distinguished between the respondents in respect of the degree of liability; the respondent wife was ordered to pay a token compensation amount while the respondent bank was ordered to pay higher compensation to each of the three complainants individually.

The high quality of each of the three orders bears specific mention. Despite the superb quality of the judgments of the Indian higher judiciary in the decades after independence, the overall quality of judgment-writing appears to have declined. [3] In the last decade, several Indian judges have called for higher standards of judgment writing from their fellow judges. [4] In this background, it is notable that Shri Rajesh Aggarwal, despite not being a member of the judiciary, has delivered well-reasoned, articulate and clear orders that are cognisant of legal issues and also easily understandable to a non-legal reader.

In each of these cases, the Adjudicating Officer has successfully navigated around the fact that none of the primary parties were interacting and transacting at arm’s length. In the Vinod Kaushik and Nirmalkumar Bagherwal matters, the primary parties were estranged but still legally married partners and in the Amit Patwardhan matter the parties were in an employer-employee relationship. The first Adjudicating Officer in the Vinod Kaushik matter failed, in his order of 09.08.2010, to appreciate that the individual communications of individual persons were privileged by an expectation of privacy, regardless of their relationship. Hence, despite acknowledging that the marital partners in that matter were in conflict with each other, and despite being told by one party that the other party’s access to those private communications was made without consent, the Adjudicating Officer allowed his non-judicial opinion of marriage to influence his order. This mistake was corrected when the matter was remanded for re-adjudication. In the re-adjudication, the new Adjudicating Officer correctly noted that the respondent wife could have chosen to approach the police or a court to follow the proper investigative procedure for accessing emails and other private communications of another person and that her unauthorised use of the complainant’s passwords amounted to a violation of their privacy.

Popular conceptions of different types of relationships may affect the (quasi) judicial imagination of privacy. In comparison to the Vinod Kaushik matter, the Nirmalkumar Bagherwal and Amit Patwardhan matters both dealt with unauthorised access to bank account statements, by a wife and by an ex-employer respectively. In any event, the same Adjudicating Officer presided over all three matters and correctly found that the facts in all three matters admitted to contraventions of the privacy of the complainants. The conjecture as to whether the first Adjudicating Officer in the Vinod Kaushik matter would have applied the same standard of family unity to unauthorised access of bank account statements by an estranged wife who was seeking maintenance remains untested. However, the reliance placed on the decision of the Delhi State Consumer Protection Commission in the matter of Rupa Mahajan Pahwa, [5] where the Commission found that unauthorised access to a bank pass book by an estranged husband violated the privacy of the wife, would suggest that judges clothe financial information with a standard of privacy higher than that given to emails.

Emails are a form of electronic communication. The PUCL case (Supreme Court of India, 1996)[6] while it did not explicitly deal with the standard of protection accorded to emails, held that personal communications were protected by an individual right to privacy that emanated from the protection of personal liberty guaranteed under Article 21 of the Constitution of India. Following the Maneka Gandhi case (Supreme Court of India, 1978)[7]

it is settled that persons may be deprived of their personal liberty only by a just, fair and reasonable procedure established by law. As a result, interceptions of private communications that are protected by Article 21 may only be conducted in pursuance of such a procedure. This procedure exists in the form of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that came into effect on 27 October 2009 ("the Interception Rules"). The Interception Rules set out a regime for accessing private emails in certain conditions. The powers and procedure of Section 91 of the Code of Criminal Procedure ("CrPC") may also apply to obtain data at rest, such as emails stored in an inbox or sent-mail folder.

Finally, the orders of the Adjudicating Officer reveal a well-reasoned and progressive understanding of the law and principles relating to the quantification of compensation. By choosing to impose larger amounts of compensation on the bank that violated the privacy of the complainant in the Nirmalkumar Bagherwal matter, the Adjudicating Officer has indicated that the institutions that hold sensitive personal data, such as financial information, are subject to a higher duty of care in relation of it. But, most importantly, the act of imposing monetary compensation of privacy violations is a step forward because, for the first time in India, it recognises that privacy violations are civil wrongs or injuries that demand compensation.

[1]. These Rules were issued vide GSR 220(E), dated 17 March 2003 and published in the Gazette of India, Extraordinary, Part II, Section 3(i). These Rules can be accessed here – http://it.maharashtra.gov.in/PDF/Qual_ExpAdjudicatingOfficer_Manner_of_Holding_Enquiry_Rules.PDF (visited on 30 September 2013).

[2]. These cases and statistics may be viewed here – http://it.maharashtra.gov.in/1089/IT-Act-Judgements (visited on 30 September 2013).

[3]. See generally, Upendra Baxi “"The Fair Name of Justice": The Memorable Voyage of Chief Justice Chandrachud” in A Chandrachud Reader (Justice V. S. Deshpande ed., Delhi: Documentation Centre etc., 1985) and, Rajeev Dhavan, "Judging the Judges" in Judges and the Judicial Power: Essays in Honour of Justice V. R. Krishna Iyer (Rajeev Dhavan and Salman Khurshid eds., London: Sweet & Maxwell, 1985).

[4]. See generally, Justice B.G .Harindranath, Art of Writing Judgments (Bangalore: Karnataka Judicial Academy, 2004); Justice T .S. Sivagnanam, The Salient Features of the Art of Writing Orders and Judgments (Chennai: Tamil Nadu State Judicial Academy, 2010); and, Justice Sunil Ambwani, “Writing Judgments: Comparative Models” Presentation at the National Judicial Academy, Bhopal (2006) available here – http://districtcourtallahabad.up.nic.in/articles/writing%20judgment.pdf (visited on 29 Sep 2013).

[5]. Appeal No. FA-2008/659 of the Delhi State Consumer Protection Commission, decided on 16 October 2008.

[6]. (1997) 1 SCC 301.

[7]. (1978) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra

Alt needs to Shift

nishant — 2012-12-14T10:03:30Z

People maybe talking more online, but they all seem to be talking about the same kind of thing.

Nishant Shah's column was published in the Indian Express on November 18, 2012.

If you were to recount what has happened in the world, based entirely on your tweetosphere and Facebook timelines, you might realise that everything important seems to have happened elsewhere. It is true that we live in a widely connected viral world, where if the USA sneezes, India gets a flu, but it seems as if lately, the things that I hear and read about are generally things that happen only at a global level. More surprisingly, most of the news that trends on Twitter, gets promoted on Facebook, and discussed on Google Plus, is in sync with what is being reported in mainstream media.

Of course, the voices are different. People have found a space for their opinions. There are strong critiques and alternative viewpoints around these events which are finding space in the public domain.

Much like the salons and cafes of the 18th century, which saw a whole range of new educated classes coming into the public to discuss and shape the society they lived in, the digital commons have created new public spaces of expression and discussion. This has been, indeed, one of the visions of the social web and we have reached a point where, at least for digital natives who have grown up within digital ecosystems, there is space to produce alternative opinions in their immediate environments.

At the turn of the millennium, when the social Web was being shaped, this was one of the biggest excitements — the possibility that voices from outside of mainstream and traditional media, which often get curtailed, would find contestations and alternative visions from people’s everyday experiences. And in many ways, it looks like we have achieved this dream, and found channels, communities and information strategies, which allow for conflicting views to co-exist in our knowledge spectrum. It is fascinating to realise that just a decade ago, the ways in which we talked about the key questions of our life, was so different, and was largely controlled by those in positions of power who identified only certain things as “newsworthy”.

Traditional media has also changed dramatically, with citizen reporters contributing to the content, crowdfunded information shaping news, and ordinary people being the first to witness globally significant events before the larger media complexes arrived. And now that we are well on our way to harnessing the power of this social web, there is something else that needs to be addressed.

It is the concern that increasingly people are talking more, but they seem to be talking about the same kind of thing! Sure, there are many different voices, but their focus of attention is the same. We see a whole range of alternative opinions emerging, but they are still clustered around the things that traditional media is also covering.

In the age of information overload, with so many different information streams, it feels like there is a homogenisation of information where increasingly only that which can be easily understood, easily read, easily captured to create spectacles gets to be at the centre of the attention economies. Which is why, news which is local, things which do not have global interest, and events which cannot be captured in videos on YouTube and hashtags on Twitter, do not feature in the alternative worlds of the social web. And when these locally relevant and significant things get mentioned, they have to work so much harder, to overcome the visibility threshold to get attention from the local publics.

We have found the alternative to the mainstream, but maybe it is now time to find the alternative to the alternative. We need to think of localisation of our social web. A lot of effort is made towards being on the global information highway, but we now also need to start investing energy into rendering our local contexts more accessible and intelligible, not only to the larger worlds but also to ourselves. Maybe it is time to reflect on how much we posted, read and consumed of the recent presidential elections in the USA, and try to recollect what else happened in the world. Maybe it is time to step out of our silos where we have replaced multiplicity of things with diversity of opinions about a narrow range of things. The next time you see something trending or popular, it might be a good idea to reflect on what else might be hiding behind the virality of that digital object.

This column was informed by conversations from a thought exploration on ‘Habits of Living’ supported by Brown University and Centre for Internet and Society Bangalore

For more details visit https://cis-india.org/raw/digital-humanities/indian-express-nov-18-2012-nishant-shah-alt-needs-to-shift

Pathways to Higher Education

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

Are Indian Consumer Laws Ready for the Digital Age?

Arbitrary Arrests for Comment on Bal Thackeray's Death

Facts of the case

What provisions of law were used?

Was the law misapplied?

Role of bad law and the police

Rule of law

Social Media Regulation vs. Suppression of Freedom of Speech and Expression

App Developers Series: Products-Services Dichotomy & IP (Part I)

Question 1: “What is your IP?”

Services for SMEs

Understandings of IP (and lack of)

IP understanding in services: irrelevant or important?

Announcement of a Three-Region Research Alliance on the Appropriate Use of Digital Identity

Excerpt from the blog post by Subhashish Bhadra announcing this new research alliance

Analyzing the Latest List of Blocked URLs by Department of Telecommunications (IIPM Edition)

What has been blocked?

Are there any mistakes in the order?

Reasons for Blocking Websites

Are the blocks legitimate?

Blocking a Public Notice issued by a Statutory Body of Government of India

Implementation of the order by the ISPs

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

1. Introduction

2. Analysis of the Recommendations

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

3. Conclusion

List of Acronyms

Analysis of the Copyright (Amendment) Bill, 2010

Existing Copyright Act

Proposed Amendments

Some positive amendments

Some negative amendments

Missed opportunities

Analysis of the Copyright (Amendment) Bill 2012

Welcome Changes

Provisions for Persons with Disabilities

Extension of Fair Dealing to All Works

Creative Commons, Open Licensing Get a Boost

Physical Libraries Should Celebrate, Perhaps Virtual Libraries Too

Limited Protection to Some Internet Intermediaries

Compulsory Licensing Now Applies to Foreign Works Also

Worrisome Changes

Term of Copyright for Photographs Nearly Doubled

Cover Versions Made More Difficult: Kolaveri Di Singers Remain Criminals

Digital Locks Now Provided Legal Protection Without Accountability

Removal of Parallel Importation

Expansion of Moral Rights Without Safeguards

Backdoor Censorship

Missed Opportunities

Fair Dealing Guidelines, Criminal Provisions, Government Works, and Other Missed Opportunities

Amendments Not Examined

A Note on the Parliamentary Process

Users and Smaller Creators Left Out of Discussions

Concluding Thoughts

Analysis of DIT's Response to Second RTI on Website Blocking

What the DIT's Response Tells Us, and What It Doesn't

Conflicting Data on Censorship Requests

Content Removal vs. Content Blocking

Role of the Indian Penal Code and Code of Criminal Procedure

Police Are Defeating the Constitution and the IT Act

DIT Either Evasive or Not Following Rules

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Introduction

Analysis of the Aadhaar Act

Collection Limitation

Notice

Access and Correction

Disclosure

Consent

Purpose

Security

Accountability

Openness