Centre for Internet & Society

Internet Governance Blog

by kaeru — last modified Oct 18, 2011 06:40 AM


DIT's Response to RTI on Website Blocking

by Pranesh Prakash last modified Aug 02, 2011 07:13 AM
For the first time in India, we have a list of websites that are blocked by order of the Indian government. This data was received from the Department of Information Technology in response to an RTI that CIS filed. Pranesh Prakash of CIS analyzes the implications of these blocks, as well as the shortcomings of the DIT's response.

Quick Analysis of DIT's Response to the RTI

Blocked websites

The eleven websites that the DIT acknowledges are blocked in India are:

  1. http://www.zone-h.org
  2. http://donotdial100.webs.com
  3. http://www.bloggernews.net/124029 [accessible from Tata DSL, but not from others like Reliance Broadband and BSNL Broadband]
  4. http://www.google.co.in/#h1=en&source=hp&biw=1276&bih=843&=dr+babasaheb+ambedkar+wallpaper&aq=4&aqi=g10&aql=&oq=dr+babas&gs_rfai=&fp=e791fe993fa412ba
  5. http://www.cinemahd.net/desktop-enhancements/wallpaper/23945-wallpapers-beautiful-girl-wallpaper.html
  6. http://www.chakpak.com/find/images/kamasutra-hindi-movie
  7. http://www.submitlink.khatana.net/2010/09/jennifer-stano-is-engaged-to.html
  8. http://www.result.khatana.net/2010/11/im-no-panty-girl-yana-gupta-wardrobe.html
  9. http://www.facebook.com/pages/l-Hate-Ambedkar/172025102828076
  10. http://www.indybay.org
  11. http://arizona.indymedia.org

 

Of the eleven blocked websites, one was still accessible on a Tata Communications DSL connection.  Two of the blocked websites are grassroots news organizations connected to the Independent Media Centre: IndyBay (San Francisco Bay Area IMC) and the Arizona Indymedia website.  The Bloggernews.net page that is on the blocked list is in fact an article by N. Vijayashankar (Naavi) from March 12, 2010 titled "Is E2 labs right in getting zone-h.org blocked?", criticising the judicial blocking of Zone-H.org by E2 Labs (with E2 Labs being represented by lawyer Pawan Duggal).  The Zone-H.org case is still going through the judicial motions in the District Court of Delhi, but E2 Labs managed to get an ex parte (i.e., without Zone-H being heard) interim order from the judge asking the Designated Officer (Mr. Gulshan Rai of DIT) to block access to Zone-H.org.

As has happened in the past, the government (or the court) accidentally ordered the blocking of the entire website host webs.com, instead of blocking only http://donotdial100.webs.com (a subdomain which apparently hosted 'defamatory' and 'abusive' information about mafia links within the Maharashtra police and political circles).

It is interesting to note that for most of the websites on most ISPs one gets a 'request timed out' error while trying to access the blocked websites, and not a sign saying: "site blocked for XYZ reason on request dated DD-MM-YYYY received from the DIT".  On Reliance broadband connections, for some of the above websites an error message appears, which states: "This site has been blocked as per instructions from Department of Telecom".

Judicial blocking

As per the response of the government, all eleven seem to have been blocked on orders received from the judiciary.  While they don't state this directly, this is the conclusion one is led to, since the Department admits to blocking eleven websites and also notes that there have been eleven requests for blocking from the judiciary.  The judiciary is often thought of as a check on the executive's penchant for banning (seen especially in the recent book banning cases in Maharashtra, for instance, where the Bombay High Court has overturned most of the government's banning orders).  However, in these cases the ill-informed lower judiciary seems to be manipulated by lawyers to suppress freedom of speech and expression, even going to the extent of blocking grassroots activist news organizations like the Independent Media Centre.

Websites not blocked by DIT

The DIT also notes that the block on Typepad.com was not authorized by it (nor, according to the RTI response received by Nikhil Pahwa of Medianama, was the Mobango.com block authorised by the DIT).  Typepad.com, Mobango.com, and Clickatell.com don't seem to be blocked currently.  However, as was reported by Medianama, for a while when they were being blocked, some sites and ISPs (such as Typepad.com on Bharti Airtel DSL) showed a message stating that the website was blocked on request from the Department of Telecom, which we don't believe has the authority to order blocking of websites.  While we still await a response from the Department of Telecom to the RTI we filed with them on this topic, in a letter to the Hindu, the Department of Telecom has clarified that it did not order any block on Typepad.com or any of the other websites.  This leaves us unsure as to who ordered these blocks.  Further, it points out a lacuna in our information policy: ISPs can suo motu block websites without justifications (such as violation of terms of use), proper notice to customers, or any kind of repercussions for wrongful blocking.

Insufficient information on Committee for Examination of Requests

All requests for website blocking (except those directly from the judiciary) must be vetted by the Committee for Examination of Requests (CER) under Rule 8(4) of the Rules under s.69A of the IT Act.  Given that the DIT admits that the Designated Officer (who carries out the blocking) has received 21 requests to date, there should be at least 21 recommendations of the CER.  However, the DIT has not provided us with the details of those 21 requests and the 21 recommendations.  We are filing another RTI to uncover this information.

 

Text of the DIT's Response

Government of India
Ministry of Communications & Information Technology
Department of Information Technology
Electronics Niketan, 6 CGO Complex,
New Delhi-110003
 
No : 14(3)/2011-ESD

Shri Pranesh Prakash
Centre for Internet and Society
194, 2-C Cross,
Domulur Stage II,
Bangalore- 560071.

Subject: Request for information under RTI Act,

Sir,
Reference your request dated 28th February 2011 on the above subject.
The point wise information as received from the custodian of Information is enclosed for your reference and records.

sd/-
(A.K.Kaushik)
Additional Director & CPIO
Tel: 011-24364803


Subject : RTI on website blocking requested by Shri Pranesh Prakash

(i) Did the Department order Airtel to block TypePad under S.69A of the Information Technology Act ("IT Act"), 2000 read with the Information Technology (Procedures and Safeguards for Blocking Access of Information by Public) Rules, 2009 ("Rules") or any other law for the time being in force? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites in contravention of S.69A of the IT Act?

Reply - This Department did not order Airtel to block the said site.

(ii) Has the Department ever ordered a block under s.69A of the IT Act? If so, what was the information that was ordered to be blocked?

Reply - The Department has issued directions for blocking under section 69A for the following websites:
(a) www.zone-h.org.
(b) http://donotdial100.webs.com (IP 216.52.115.50)
(c) www.bloggernews.net/124029
(d) http://www.google.co.in/#h1=en&source=hp&biw=1276&bih=843&=dr+babasaheb+ambedkar+wallpaper&aq=4&aqi=g10&aql=&oq=dr+babas&gs_rfai=&fp=e791fe993fa412ba
(e) http://www.cinemahd.net/desktop-enhancements/wallpaper/23945-wallpapers-beautiful-girl-wallpaper.html
(f) http://www.chakpak.com/find/images/kamasutra-hindi-movie
(g) http://www.submitlink.khatana.net/2010/09/jennifer-stano-is-engaged-to.html
(h) http://www.result.khatana.net/2010/11/im-no-panty-girl-yana-gupta-wardrobe.html.
(i) http://www.facebook.com/pages/l-Hate-Ambedkar/172025102828076
(j) www.indybay.org
(k) www.arizona.indymedia.org

(iii) How many requests for blocking of information has the Designated Officer received, and how many of those requests have been accepted and how many rejected? How many of those requests were for emergency blocking under Rule 9 of the Rules?

Reply - Designated Officer received 21 requests for blocking of information. 11 websites have been blocked on the basis of orders received from court of law. One request has been rejected. For other requests, additional input/information has been sought from the Nodal Officer.

No request for emergency blocking under rule 9 of the Rules has been received.

(iv) Please provide us the present composition of the Committee for Examination of Requests constituted under Rule 7 of the Rules.

Reply - The present composition of the Committee is :
(a) Designated Officer (Group Coordinator - Cyber Law)
(b) Joint Secretary, Ministry of Home Affairs
(c) Joint Secretary, Ministry of Information and Broadcasting
(d) Additional Secretary and Ministry of Law & Justice
(e) Senior Director, Indian Computer Emergency Response Team

(v) Please provide us the dates and copies of the minutes of all meetings held by the Committee for Examination of Requests under Rule 8(4) of the Rules, and copies of their recommendations.

Reply - The Committee had met on 24-08-2010 with respect to request for blocking of website www.betfair.com.

(vi) Please provide us the present composition of the Review Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.
(vii) Please provide us the dates and copies of the minutes of all meetings held by the Review Committee under Rule 14 of the Rules, and copies of all orders issued by the Review Committee.

Reply - This Department does not have details for above. The said information may be available with Department of Telecommunications.

Iraq Delegation to Visit India for Study of E-Governance in Indian Cities ― Meetings in Bangalore and Delhi

by Prasad Krishna last modified Aug 02, 2011 07:13 AM
Contributors: Abeer Fawaeer
An Iraqi Government delegation headed by HE Mr. Abdul Kareem Al-Samarai, Minister of Science & Technology, Government of Iraq will be in India on an e-governance tour. The study tour is organised by the United Nations Development Programme (UNDP) and the Economic and Social Commission for Western Asia (ESCWA).

The Building e-Iraq National e-Governance strategic plan clearly emphasizes the need for connecting services and citizens to better access of information and services using ICTs as a leading resource/innovative force and as a contributing factor to enhancing transparency and accountability as well as facilitate the effective and efficient provisioning of essential services.  In this context, and as identified by the Iraqi e-governance ministerial steering committee, community service centers (CSCs) have been identified as having a direct bearing on sustainable social and economical changes consistent with the MDGs.

As agreed within the steering committee, the community based connectivity services centres will be hosted within existing community structures throughout Iraq in order to enhance penetration levels and provide for cost-effective strategies. Post offices and youth centres would henceforth represent the point of entry for the community centres, where the Iraqi government is rehabilitating the buildings and has already provided Internet access with the hope of introducing e-governance services. The centres will also be linked with the implementation of the pilot e-services to promote access to information resources and government programmes and services. Additionally, the centres will serve to address local issues and priorities.

UNDP in partnership with ESCWA is organizing a study tour to India that would expose senior Iraqi stakeholders to e-government and e-governance as a means to enhance the effectiveness and efficiency of the public sector in service provision, and make them learn from India's experience in:

  • Harnessing ICT technologies in service of community development, inclusiveness and empowerment, particularly at the local level; 
  • Highlighting e-governance practices in connecting citizens to the state – at both the federal and local levels – and enhancing services;
  • Presenting success stories and lessons learned from India’s experience in instigating and operating CSCs; and
  • Providing the Government of India with a frame of reference in designing an appropriate, efficient and effective decentralized planning process and service delivery.

Dr. Samir Salim Raouf, Deputy Minister, Ministry of Science and Technology, Dr. Mahmood Kasim Sharief, Director General, Ministry of Science and Technology, Zagros Fattah Mohammed Mohammed, Director General, Ministry of Planning - KRG, Najwa Saeed Fathullah, Director General, Ministry of Finance, Majeed Hameed Jassim, Director General, Ministry of Communication, Dr. Kathim Mohammed Breesam, Director General, Ministry of Planning, Majed Sadoon Jasim, Director General, Ministry of Interior, Naeef Thamer Hussien, Director General, Ministry of Education, Ismael Khaleel Murad, Chief of Information, Ministry of Higher Education, Anwer Alwan Jassim, Ministry of Higher Education, Khalaf Muhammad Khalaf, Deputy Director General, Ministry of Education, Samer Noori Taqi, Chief of Information, Ministry of Municipalities and Public Works, Safaa Mohammed Kassar, Anbar Governorates, Abdulamer Abdulwahid Mubarak, Basra Governorates, Isam Hussein Ali, Ministry of Science and Technology, Sudipto Mukherjee, Head of Economic Recovery and Poverty Alleviation, UNDP, Abeer Fawaeer, E-Governance Specialist, UNDP and Dalia Zendi, Project Associate, UNDP will participate in the meetings.

Study tour structure

The delegation will hold meetings with Deepak Menon of India Water Portal, Ashok Kamath of Pratham Books, Srikanth Nadhamuni of E-governments foundation, Dr. Subbramanya of Geodesic, Parth Sarwate of Azim Premji Foundation, Abhay Singhavi of Narayana Hrydayalaya and MN Vidyashankar and DS Ravindran of Department of e-governance, Government of Karnataka.

In Delhi, the delegation will hold meetings in the Department of Information Technology, National Informatics Centre, National Institute for Smart Government, Ministry of Urban Development and Ministry of Panchayati Raj.

Expected outcomes

The study tour will conclude in Delhi with a brainstorming session to discuss and explore the results achieved by the study tour, and ultimately to formulate an integrated framework for identifying, establishing, operating and managing CSCs in Iraq within the wider national and local e-governance development plan, in line with the overarching public sector and modernization programme, and to generate a list of pilot quick-win e-service applications that can be implemented in Iraq.

Other expected outputs are:

  • To identify critical and relevant lessons from the Indian e-governance models, with particular emphasis on linkages between ICT and broad-based development in the areas of education, health, water and social development of rural and urban areas;
  • To enhance awareness on the role and operation of CSCs at various levels and their pivotal role in facilitating access to essential services and reducing service costs;
  • To improve understanding of the challenges in the effective application of ICTs for development and the key factors in the design and implementation of ICT for development projects and programmes;
  • To enhance the understanding of the measures to be undertaken by the centre and the provinces to identify and put in place e-services;
  • To highlight the successes and lessons learned from the Indian decentralized and local area planning and development model; 
  • To learn about the latest development in IT industry and the infrastructure required for CSCs and e-services; and
  • To explore working partnerships between the Government of India and the Indian IT companies.

This study tour is in furtherance of the e-Governance Action plan prepared by the Iraq Government. The Centre for Internet and Society is assisting the delegation for the meetings held in Bangalore.

Power to the People

by Nishant Shah last modified Mar 21, 2012 09:35 AM
The digital revolution has helped make NGOs and civil society more influential, independent and transparent, writes Nishant Shah in this article published in the Indian Express on Sunday, May 15, 2011.

The rise and spread of internet and digital technologies has invigorated the voluntary sector in the country, granting them better mobility, access to resources and wider visibility through digital networks. With the rise of the internet, augmented by easy access, civil society needs to claim its stake in the World Wide Web. Visibility and presence have become the buzzwords. There is a concentrated effort to become a Simple, Moral, Accountable, Responsible and Transparent (SMART) organisation that doesn’t operate in remote silos but reaches out to an audience and a resource base.

While NGOs in the more developed countries have taken to digital technologies more easily, there is no doubt that the digital revolution has finally come to the civil society in India and it is offering unprecedented opportunities for social change and political participation. From the Bell Bajao campaign, which brought to the fore domestic violence in the urban middle class, to the recent demonstrations for Anna Hazare, we see many examples of the ways in which civil society and NGOs can still mobilise support from the public.

What has also been interesting is how collectives rather than registered organisations have played an important role in the public delivery of such campaigns.

Here is a look at three ways in which engagement with digital technologies has led to new models of making public interventions and processes of initiating change for civil society collectives and NGOs.

Birds of a Feather

With the networked effect of the digital technologies, something as simple as building a Facebook page puts out the concerns and draws the attention and resources of a larger population. NGOs need no longer confine themselves to finding people in immediate environments and are extending their support base to large online networks. The Bangalore-based Blank Noise Project that started off as a public art intervention by Jasmeen Patheja has now emerged as a large volunteer-based network that harnesses the power of peer-to-peer networks to mobilise young urban dwellers, to talk about gender, safety and urban space. Not yet a formal NGO, it uses blogs, Twitter, Facebook, mailing lists etc. in order to bring people together for public interventions as well as digital dissemination. With more than 4,000 volunteers running the project in different cities, BNP proves the power of the Web to find “people like us” for a common cause. 

Beyond Patronage

With the kind of outreach and visibility afforded by the internet, NGOs are turning to public support and individual contributions to carry out their work. Take Kickstarter, for example — a site where any NGO wanting to launch a creative project, can put up a project description and a budget. They can then invite people from around the world to “pledge” money by swiping credit cards, beginning with a contribution of $5. If, within a given time-span, enough people pledge enough money to cover the project’s budget, the organisation receives the money through electronic transfers. They become, thus, accountable not to individual donors or private development agencies. Instead, they become transparent and responsible towards the larger public who, as stakeholders and supporters can now endorse, amplify and track the activities of the organisation. 

Transparency Unlimited

With the rise of information technologies, citizens have started asking for more details about organisations that seek to represent them in different sectors. It has become necessary for NGOs to become accountable at two levels — one is at the level of financial integrity and the second is at the level of public responsibility. The consortium Credibility Alliance is one example by which the voluntary sector can disclose certain minimum information to its public in order to build transparent governance structures. NGOs have also become more sensitive to the politics of representation and how to involve communities they work with, in their processes rather than becoming self-appointed vanguards. The field of collaboration has opened up and we see the rise of networks rather than individual players in the field.

Digital and internet technologies amplify, augment and enhance the existing processes. In the voluntary sector, like almost any other walk of life, many of these practices already exist. What these systems of the digital age have done is provide new ways by which the everyday citizen can participate and contribute to the processes of change.

Read the original published by the Indian Express here

RTI and Third Party Information: What Constitutes the Private and Public?

by Noopur Raval — last modified Nov 24, 2011 09:21 AM
The passing of the Right to Information Act, 2005 was seen as placing an empowering tool in the hands of the citizens of India. Six years after its implementation, loopholes have surfaced through the misuse of many of its fundamental concepts, which have not yet been defined well enough to allow for a consistent pattern of decisions. Among the many problems that emerge with the Act, a major one is defining the extent to which an individual has access to other people’s information. While most of us tend to think that other people’s phone numbers and personal details like passport numbers or IT returns are private and would be kept so, under the RTI Act, and as seen in Central Information Commission (CIC) decisions, all of these details can be obtained by someone who doesn’t know you at all!

According to section 2 (n) of the RTI Act, 2005, 'third party' means a person other than the citizen making a request for information and includes a 'public authority'. This implies that the term 'third party' includes anyone other than the appellant or the respondent. In matters where an appellant is seeking information not regarding his or her own activities, or is asking for details of shared records that list details of several persons other than him or her, information cannot be provided until the ‘third party’ consents to disclosure and subsequently until the Central Public Information Office (CPIO), after considering the implications of such disclosure, allows it. Section 11 (1) of the Act provides the procedure to access third party information, wherein the appellant needs to request the third party’s consent, after which the CPIO will produce a written request to the 'third party' and obtain their response within a stipulated time period. However, it is not the information bearer (third party) who holds the key to disclosure. The power, by the RTI Act, 2005, is vested in the public information officer, who will then either see a 'larger public interest' or otherwise allow disclosure based on the merits of the case.

In such a situation, it is interesting to see who the Central Information Commission (CIC) regards as 'third party'. While going through the judgments delivered by the CIC, one comes across several judgments that tell you who can and who cannot access your information. While a son or daughter naturally inherits his/her father’s wealth, land or other possessions, they do not inherit his position for obtaining information. This is just one instance. Similar holds true for access to information of a deceased kin. Unless the public information officer sees a ‘larger public interest’ in disclosure of such information, it cannot be revealed even to the deceased’s wife, husband or children unless they hold a power of attorney specifically to a right to access information.

This brings us to the question of ‘larger public interest’ and what information can be divulged to anyone for this cause. While the RTI Act, 2005, clearly states that the appellant need not give a reason to ask for any information, the outcome is largely based on the public information officer’s inference as to what the appellant may do with the data, and hence whether the appellant may be deemed to be acting in public interest or for personal gain. This also produces positions of potential criminality and the need for State subjects to prove themselves as ideal information seekers, void of malice, in order for the public information officer to rule in their favour.

Third party position is a problematic one as it only goes so far as to define the state-mediated interaction between two subjects in relation to each other through legal machinery that holds massive discretionary powers to disclose or withhold information. Hence, while, in relation to ‘third party’, a subject may need to justify his larger benevolent interests, the State finds no problems revealing or disclosing information for its own good. In Shri Rajender Kumar Arya vs Dy. Commissioner of Police (DCP), (4 March 2009), the commission ruled that they now have the decision of the Madras High Court in the context of right to privacy in light of the RTI Act. The Madras High Court observed that with the advent of the Right to Information Act, section 3 of the Act entitles a citizen to the right of information. Section 4(2) of the said Act obliges a public authority to disclose information to common people. Even personal information or information, which may otherwise amount to an invasion of privacy, may also be disclosed if the larger public interest so warrants. The court in fact came to the conclusion that the right to privacy virtually fades out in front of the 'Right to Information' and 'larger public interest’. This tells us that ‘third party’ is a mere negotiating position from which the State itself regulates information flow to citizens and can revoke these privileges as and when needed.

Moreover, there is no clear definition of the ‘larger public interest’ or ‘invasion of privacy’. In several judgments, the committee upholds principles of natural justice to justify instances of public good, but these cannot be upheld for all decisions. It is also interesting to see what comes under the purview of ‘public information’. It’s a misconception if you think that you hold the right to revealing your age, birth date, place you belong to, your marks, the rank that you hold, the salary you get, the returns you file or subsequently any of this information regarding your children. As upheld in Madhulika Rastogi vs Regional Passport Office, New Delhi, on 4 February 2009, M. Rajamannar vs PIO, AC Division, Indira Gandhi National Open University on 18 February 2009 and A.V.Subrahmanyam vs BSNL, Hyderabad on 16 February 2009, information submitted to public authorities at any point in time, whether to get admitted to school, to get a license, to pass a public services examination or even to file a divorce, qualifies for access by other people because it has been knowingly submitted to the public domain. A lot of sensitive information like passport details, telephone call records and medical records that can map intimate interactions of a person’s daily life can also be obtained if larger public interest is proven.

Hence, it becomes important to revise and rethink the commonly accepted notions of privacy, especially when information gains such strategic importance as well as fluidity through fast expanding platforms as well as tools such as RTI. While one may confidently think that information generated by the self, pertaining to one’s own business and life rightfully belongs to the private domain, it is very important to realize the constantly looming hold of the State to any information. In such a situation, what you can claim as private data totally depends on how much common interest it garners.

Rebuttal of DIT's Misleading Statements on New Internet Rules

by Pranesh Prakash last modified Jul 11, 2012 01:18 PM
The press statement issued on May 11 by the Department of Information Technology (DIT) on the furore over the newly-issued rules on 'intermediary due diligence' is misleading and is, in places, plainly false. We are presenting a point-by-point rebuttal of the DIT's claims.

In its press release on Wednesday, May 11, 2011, the DIT stated:

The attention of Government has been drawn to news items in a section of media on certain aspects of the Rules notified under Section 79 pertaining to liability of intermediaries under the Information Technology Act, 2000. These items have raised two broad issues. One is that words used in Rules for objectionable content are broad and could be interpreted subjectively. Secondly, there is an apprehension that the Rules enable the Government to regulate content in a highly subjective and possibly arbitrary manner.

There are actually more issues than merely "subjective interpretation" and "arbitrary governmental regulation".

  • The Indian Constitution limits how much the government can regulate citizens’ fundamental right to freedom of speech and expression. Any measure afoul of the constitution is invalid.
  • Several portions of the rules are beyond the limited powers that Parliament had granted the Department of IT to create interpretive rules under the Information Technology Act. Parliament directed the Government to merely define what “due diligence” requirements an intermediary would have to follow in order to claim the qualified protection against liability that Section 79 of the Information Technology Act provides; the current rules have gone dangerously far beyond that, by insisting that intermediaries, without investigation, have to remove content within 36 hours of receipt of a complaint, keep records of users' details and provide them to law enforcement officials.

The Department of Information Technology (DIT), Ministry of Communications & IT has clarified that the Intermediaries Guidelines Rules, 2011 prescribe that due diligence need to be observed by the Intermediaries to enjoy exemption from liability for hosting any third party information under Section 79 of the Information Technology Act, 2000. These due diligence practices are the best practices followed internationally by well-known mega corporations operating on the Internet.  The terms specified in the Rules are in accordance with the terms used by most of the Intermediaries as part of their existing practices, policies and terms of service which they have published on their website.

  1. We are not aware of any country that actually goes to the extent of deciding what Internet-wide ‘best practices’ are and actually converting those ‘best practices’ into law by prescribing a universal terms of service that all Internet services, websites, and products should enforce.
  2. The Rules require all intermediaries to include the government-prescribed terms in an agreement, no matter what services they provide. It is one thing for a company to choose the terms of its terms of service agreement, and completely another for the government to dictate those terms of service. As long as the terms of service of an intermediary are not unlawful or bring up issues of users’ rights (such as the right to privacy), there is no reason for the government to jump in and dictate what the terms of service should or should not be.
  3. The DIT has not offered any proof to back up its assertion that 'most' intermediaries already have such terms.  Google, a ‘mega corporation’ which is an intermediary, does not have such an overarching policy.  Indiatimes, another ‘mega corporation’ intermediary, does not either.  Just because companies like Rediff and Blizzard's World of Warcraft have some of those terms does not mean a) that they should have all of those terms, nor b) that everyone else should as well.

    In attempting to take different terms of service from different Internet services and products—the very fact of which indicates the differing needs felt across varying online communities—the Department has put in place a one-size-fits-all approach.  How can this be possible on the Internet, when we wouldn't regulate the post-office and a book publisher under the same rules of liability for, say, defamatory speech?
  4. There is also a significant difference between the effect of those terms of service and that of these Rules.  An intermediary-framed terms of service suggest that the intermediary may investigate and boot someone off a service for violation, while the Rules insist that the intermediary simply has to mandatorily remove content, keep records of users' details and provide them to law enforcement officials, else be subject to crippling legal liability.

So to equate the effect of these Rules to merely following ‘existing practices’ is plainly wrong. An intermediary—like the CIS website—should have the freedom to choose not to have terms of service agreements. We now don’t.

“In case any issue arises concerning the interpretation of the terms used by the Intermediary, which is not agreed to by the user or affected person, the same can only be adjudicated by a Court of Law. The Government or any of its agencies have no power to intervene or even interpret. DIT has reiterated that there is no intention of the Government to acquire regulatory jurisdiction over content under these Rules. It has categorically said that these rules do not provide for any regulation or control of content by the Government.”

The Rules are based on the presumption that all complaints (and resultant mandatory taking down of the content) are correct, and that the incorrectness of the take-downs can be disputed in court.  Why not just invert that, and presume that all complaints need to be proven first, and the correctness of the complaints (instead of the take-downs) be disputed in court?  

Indeed, the courts have insisted that presumption of validity is the only constitutional way of dealing with speech. (See, for instance, Karthikeyan R. v. Union of India, a 2010 Madras High Court judgment.)

Further, only constitutional courts (namely High Courts and the Supreme Court) can go into the question of the validity of a law.  Other courts have to apply the law, even if the judge believes it is constitutionally invalid.  So, most courts will be forced to apply this law of highly questionable constitutionality until a High Court or the Supreme Court strikes it down.

What the Department has in fact done is to explicitly open up the floodgates for increased liability claims and litigation - which runs exactly counter to the purpose behind the amendment of Section 79 by Parliament in 2008.

“The Government adopted a very transparent process for formulation of the Rules under the Information Technology Act. The draft Rules were published on the Department of Information Technology website for comments and were widely covered by the media. None of the Industry Associations and other stakeholders objected to the formulation which is now being cited in some section of media.”

This is a blatant lie.

Civil society voices, including CIS, Software Freedom Law Centre, and individual experts (such as the lawyer and published author Apar Gupta) sent in comments.  Companies such as Google, E2E Networks, and others had apparently raised concerns as well.  The press has published many a cautionary note, including editorials, op-eds and articles in the Hindu, the Hoot, Medianama.com, and Kafila.com, well before the new rules were notified.  We at CIS even received a 'read notification' from the email account of the Group Coordinator of the DIT’s Cyber Laws Division—Dr. Gulshan Rai—on Thursday, March 3, 2011 at 12:04 PM (we had sent the mail to Dr. Rai on Monday, February 28, 2011).  We never received any acknowledgement, though, not even after we made an express request for acknowledgement (and an offer to meet them in person to explain our concerns) on Tuesday, April 5, 2011 in an e-mail sent to Mr. Prafulla Kumar and Dr. Gulshan Rai of DIT.

The process can hardly be called 'transparent' when the replies received from 'industry associations and other stakeholders' have not been made public by the DIT. Those comments which are public all indicate that serious concerns were raised as to the constitutionality of the Rules.

The Government has been forward looking to create a conducive environment for the Internet medium to catapult itself onto a different plane with the evolution of the Internet. The Government remains fully committed to freedom of speech and expression and the citizen’s rights in this regard.

The DIT has limited this statement to the rules on intermediary due diligence, and has not spoken about the controversial new rules that stifle cybercafes, and restrict users' privacy and freedom to receive information.

If the government is serious about creating a conducive environment for innovation, privacy and free expression on the Internet, then it wouldn’t be passing Rules that curb them, and it definitely would not be doing so in such a non-transparent fashion.

A Comment on the 2009 IGF Draft Programme Paper

by Anja Kovacs last modified Aug 02, 2011 07:15 AM
The Centre for Internet and Society is part of a broad group of civil society actors that submitted a comment on the Draft Programme Paper of the fourth Internet Governance Forum (IGF), taking place in Sharm El Sheikh, Egypt, in November 2009. The IGF is a forum for multistakeholder policy dialogue on Internet governance issues. The comment decries the complete absence of attention for Internet Rights and Principles in the agenda as it stands as of today, and this despite repeated requests from a wide range of stakeholders to make this theme a central one. All stakeholder groups were invited to submit their comments on the Draft Programme Paper of the 2009 IGF to the IGF Secretariat by 15 August.

The comment submitted reads as follows:

Re: IGF Draft Programme Paper, August 2009

We, the undersigned would like to express our surprise and disappointment that Internet Rights and Principles was not retained as an item on the agenda of the 2009 IGF in any way. Although this topic was suggested as a theme for this year's IGF or for a main session by a range of actors during and in the run-up to May's Open Consultations, this widespread support is not reflected in the Draft Programme Paper, which does not include Internet Rights and Principles even as a sub-topic of any of the main sessions. The WSIS Declaration of Principles, 2003, and the Tunis Agenda, 2005, explicitly reaffirmed the centrality of the Universal Declaration of Human Rights to an inclusive information society. To make these commitments meaningful, it is of great importance that a beginning is made to explicitly building understanding and consensus around the meaning of Internet Rights and Principles at the earliest. We recommend that the Agenda of the 2009 IGF provide the space to do so.

Signatories:

Centre for Internet and Society, Bangalore

Association for Progressive Communications

IP Justice

Bytesforall, Pakistan

Instituto Nupef, Rio de Janeiro, Brazil

Jacques Berleur

Ginger Paque

Fouad Bajwa

Milton L Mueller

Willie Currie

Michael Gurstein

Jeanette Hofmann

Eric Dierker

Jeffrey A Williams

Charity Gamboa, chairperson Internet Governance Working Group, ISOC Philippines

Ian Peter

Tracy F. Hackshaw

Shaila Rao Mistry, Internet Rights and Principles

Lee W McKnight

Jeremy Malcolm

Tapani Tarvainen

Shahzad Ahmad, ICT Policy Monitors Network

Carlos Afonso

Dina Hovakmian

Rui Correia

Lisa Horner

Deirdre Williams

Jaco Aizenman

Nyangkwe Agien Aaron

Siranush Vardanyan, Armenia

Kwasi Boakye-Akyeampong

Linda D. Misek-Falkoff

Baudouin Schombe

Stefano Trumpy

Value Added Services of Information & Communication Technology- Mobile Telephony for Farmers Benefit

by Radha Rao last modified Aug 02, 2011 07:15 AM
Mr. G Raghunatha, State Manager, IFFCO Kisan Sanchar Ltd., Bangalore and Secretary, Institution of Agricultural Technologists, Bangalore has written an article on how ICT - Mobile Technology can be used for the farmers' benefit.

The rural areas are suffering from extreme poverty and isolation.  Such isolation has led to many miseries and tragic consequences in many families. This trend is more evident due to the absence of the joint family system, which has deprived families of the supportive role of family members. It is seen that mobile phones have to some extent ended isolation and have therefore proved to be the most transformative technology of economic development in recent times. Mobile phone technology has been so powerful and costs so little that it has now proved possible to sell mobile phone access to the poor.

The rural poor have access to wireless banking and payment systems. The mobile revolution is creating a logistics revolution in farm-to-retail marketing, connecting farmers to food retailers and enabling them to sell their produce at high farm-gate prices without delay.

Mobile telephony has become a part of everybody’s life. It has also become a symbol of progress. If rural telephony grows by 1% there will be an increase of 0.6% in Gross Domestic Product (GDP), showing the impact of the growth of rural mobile telephony on the Indian economy. 70% of the population of the country is still left behind so far as mobile telephone connectivity is concerned. This indicates that there is an excellent potential for growth in rural areas.

The rural population deserves to shift to mobile telephones in view of the dilapidated, ancient and almost useless fixed line infrastructure. Mobile telephones have proved to be an effective instrument of empowerment of the rural masses. It is a welcome sign that mobile operators have now shifted their focus to servicing the rural areas. The once neglected, non-profitable areas with high operating costs and low-income subscribers are now seen as a proverbial pot of gold, thanks to technological advancement and better network management.

Karnataka, being at the forefront of the information technology revolution, has not lagged behind in harnessing information and communication technology to strengthen the rural masses. Communication is a major challenge and a serious impediment in taking the fruits of development to our farmers. IFFCO has realized that a reliable and economical communication medium, together with useful and relevant services over this channel, has the potential to transform the quality of living in our villages. The need of the hour is to take valuable information inputs to farmers, directly to their ‘ears’ and ‘eyes’, using the latest information media such as mobile technologies. In addition, rural-friendly technologies which are simple, affordable and can address the basic needs of our farmers need to be designed, developed and supplied in all the villages of our country. IFFCO was amongst the first in India to realize the importance and benefits of information and communication technology (ICT) for the development of rural India and applied the technology under 'ICT Initiatives for Farmers & Cooperatives'.

As the country witnessed a boom in communication in the past decades, most of the developments were limited to urban areas. It is well known that communication plays a vital role in the overall growth of the country. It has been proved that mobile telephony has a positive and significant impact on economic growth. But communication infrastructure is still lacking in rural areas.

'IFFCO Kisan Sanchar Limited (IKSL)' is IFFCO's initiative, in a tie-up with the telecom giant “Airtel”, to take further the application of ICT to the benefit of rural India through a mandate to design, develop, source and supply state-of-the-art, economical and environmentally friendly rural communication and other technologies with value additions of content and services. The focus is to empower people living in villages by taking advantage of appropriate technology to address issues relating to farmers who are in need of communication, access to input from experts and services of reliable quality.

IFFCO has always been at the forefront in spreading the benefits of the latest in science and technology for the upliftment of the quality of life in rural India. Service to farmers is an integral part of its marketing in gaining the trust of the rural masses. IFFCO has the distinction of floating institutions with a focus on rural India, such as IFFCO-TOKIO General Insurance (ITGI), CORDET, IFFCO Foundation, Kisan Sewa Trust and IFFDC. Unique initiatives of ITGI like 'Sankat Haran Bima Yojna' and ‘Barish Bima Yojana’ have become very popular.

IKSL is harnessing domain strength of vast resources of expertise both within and outside IKSL by leveraging organizations engaged in communications & rural friendly technologies. Partnerships have been forged with giant companies like Airtel and Freeplay.  Innovation, dynamism & sense of purpose guide IKSL in its journey towards harnessing technology for the betterment of life in rural India.

Value added services are designed to disseminate, through the mobile channel, five voice messages of current importance to farmers in local languages every day, free of cost. The broad areas covered are: recommendations on best agricultural practices, nutrient management, animal husbandry, problems and possible solutions for the specific location, information on mandies, weather and climate, and several other areas. In Karnataka, IKSL is entering into an MOU with the University of Agricultural Sciences, Bangalore & Dharwad, for developing content in the form of a message bank and helpline services, which are enhanced and updated on a continuous basis.

 

Information and Communication Technology For Improving Agriculture and Rural Livelihoods

by Radha Rao last modified Aug 02, 2011 07:15 AM
Michael, Mobile and Rural Development (Michael Riggs' talk) - Chamaraj Savadi

Krushi Sampada - E-Magazine Launch

by Radha Rao last modified Aug 02, 2011 07:15 AM
Environmental writer Nagesh Hegde pressed a switch on the computer, lit up the digital page on the screen, and dedicated the "Krushi Sampada" e-magazine to the world of the Internet.

"We need to make effective use of information technology and communication technology to protect our traditional knowledge. E-magazines published on the Internet can play a leading role in this regard. That is why I am happy to release "Krushi Sampada", the first Kannada agricultural e-magazine, today." With these words, environmental writer Nagesh Hegde pressed a switch on the computer, lit up the digital page on the screen, and dedicated the "Krushi Sampada" e-magazine to the world of the Internet.

Forty years ago, astronauts from the USA set foot on the Moon for the very first time. The whole world was eagerly awaiting that event. The small step one man took on the Moon was a mountainous step in the journey of mankind's scientific progress. At that moment, all the people of the Earth rejoiced. At the same time, the US military was immersed in another massive project: a plan to protect the vast body of information relating to the US government, its armed forces and its scientific progress in the event of a nuclear bomb attack from Russia. For this purpose, the information was stored on computers placed at four different locations. Even if one computer were destroyed in a bomb attack, the information would remain safe on the other three computers. This project was named ARPANET. It later grew into the Internet. Today, as far as Kannada is concerned, there is a similar celebration. The unveiling of the ambitious "Krushi Sampada" project, which aims to collect the vast body of information on agriculture and the rural sector in digital form, is a development we should all be proud of, Nagesh Hegde said.

"Sampada" is an Internet community with thousands of Kannada enthusiasts as members. The e-magazine called "Krushi Sampada" is a new project of Krushi Sampada, which is itself a part of Sampada. It is the first Kannada e-magazine to be published under a "Creative Commons" licence. Therefore, anyone may reuse the content in it (articles, photos, etc.) "as is". That is, it may be republished for non-profit purposes, or copies may be made and distributed to those interested, Hariprasad Nadig said at the outset on behalf of the "Sampada" team.

On the same occasion, Addoor Krishna Rao, the editor of Krushi Sampada, said that the e-magazine has been started with the aim of providing a platform for everyone who cares about agriculture and rural life, and explained its objectives.

Many interested people took part in the programme, which was held at the "Institution of Agricultural Technologists" in Bangalore. A lively question-and-answer session took place during the discussion that followed the release of "Krushi Sampada". The programme was organised jointly by the Centre for Internet & Society, Sampada and the Institution of Agricultural Technologists.

A copy of the e-magazine can be downloaded from the Krushi Sampada site: http://krushi.sampada.net

You can send your feedback and other comments to the Krushi Sampada team by e-mail: [email protected]

The ICANN-US DOC 'Affirmation of Commitments' - A Step Forward?

by Anja Kovacs last modified Aug 02, 2011 07:16 AM
On 30 September 2009, ICANN (Internet Corporation for Assigned Names and Numbers) signed an Affirmation of Commitments (AoC) with the US Government's Department of Commerce. For those of us who are concerned that the Internet should serve the global public good, is the new arrangement a step forward? An assessment.

On 30 September 2009, ICANN signed an Affirmation of Commitments (AoC) with the US Government's Department of Commerce. ICANN is the not-for-profit public-benefit corporation that coordinates the Internet's naming system. The Affirmation has been widely hailed for the loosening of US-ICANN ties that it implies. The unilateral control that the US exercised over the organisation had for long been criticised in various quarters as inappropriate for a – by now - global resource such as the Internet. A central instrument of this control was constituted by the reviews that the US's NTIA (National Telecommunications and Information Administration) would conduct of the organisation, based on which the country's Department of Commerce would rework and renew its contract with ICANN. With the signing of the AoC, reviews will henceforth be conducted by panels to be appointed by the Chair of ICANN's Board of Directors, as well as the Chair of the Government Advisory Committee (GAC) in consultation with the other members of the GAC. Since the Affirmation of Commitments is of long standing – unlike earlier Memoranda of Understanding, which had a limited validity – and since the US has demanded for itself a permanent seat on only one of the four panels that the AoC institutes, the US has indeed given up significant amounts of the control that it wielded over the organisation so far.

A clear step forward? Well, not necessarily – and in many ways it is too early to tell. Because while the denationalisation of ICANN was high on many stakeholders' agenda, so was the strengthening of ICANN as an accountable tool for global governance. And where the latter is concerned, the AoC falls sorely short. Although ICANN likes to posit itself as an organisation rooted in communities, where policy is developed from the bottom up, this wonderfully democratic discourse stands in rather ugly contrast to the quite questionable practices that are all too frequently reported from the organisation (the rather stepsisterly treatment meted out to noncommercial users in ICANN in recent times, for example, immediately comes to mind [1]). At the root of this contradiction seems to lie the fact that, while ICANN may be a public interest organisation on paper, in practice it is heavily dominated by large businesses, in particular those US-based, who seem to be willing to go to considerable lengths to defend their interests. The AoC has done nothing to check these tendencies. The review panels suggested are an internal affair, where those who develop policy will get to appoint the people who will assess the policy development processes, and most of those appointed, too, will come from within the organisation. While the suggested wider involvement of ICANN communities, including governments, in reviewing the organisation is a welcome move, it remains to be seen, then, to what extent these review panels will have teeth – in any case their recommendations are not binding. But some go even further and argue that the AoC has effectively removed the one democratic control that existed over ICANN's Board: that of the US Government. As the communities that supposedly make up ICANN do not have the power to unseat the Board, the Board now is effectively accountable... to none.

Since it does not directly address accountability problems within ICANN, the AoC is not so much an improvement, then, as simply a change: it has closed a few old doors, and opened some new ones. Whether this is for good or for bad remains to be seen: in the absence of clear structures of control and oversight, the shape of things to come is never fixed. For those within ICANN who genuinely want to work towards an Internet in the service of the public good, rather than of big business, there is, therefore, a tough task ahead of trying to ensure that the most will be made of the opportunities that the new arrangement does provide. Considering ICANN's institutional culture, this will undoubtedly mean that much of their energy will need to be invested in simply trying to shape new procedures and frameworks of governance in more democratic and accountable directions, eating into valuable time that could and should have been devoted to policy development instead. Indeed, irrespective of the final outcome of the AoC, the spectre of ICANN's lack of accountability and its glaring democratic deficit, for now, remains. And for a forum such as ICANN, that is unbecoming to say the least.

[1] For more information, please see http://ncdnhc.org/profiles/blogs/ncuc-letter-to-icann-board-of, http://ncdnhc.org/profiles/blogs/top-10-myths-about-civil, and http://blog.internetgovernance.org/blog/_archives/2009/10/2/4338930.html.

Access Beyond Developmentalism: Technology and the Intellectual Life of the Poor

by Radha Rao last modified Aug 02, 2011 07:16 AM
Essay by Lawrence Liang, September 21, 2009 in response to - A Dialogue on ICTs, Human Development, Growth, and Poverty Reduction

In February 2009 we invited the French philosopher Jacques Ranciere to Delhi for the release of his book “Nights of Labour” which we had translated into Hindi, and to have a conversation with a group of young writers and practitioners at the Cybermohalla (“CM”) in Dakshinpuri. The Cybermohalla is one of three media labs that have been set up in different working class colonies in Delhi where young people living in the colony meet, engage in conversations and write about their neighborhood, technology, media, culture and life in the city. Almost six years old, the CMs were set up as experimental spaces to explore ways of looking at the relationship between technology and the urban poor beyond the lens of developmentalism. The CM is presently involved in documenting intellectual life in their neighborhoods and the transformations brought about by media.

In this brief note I would like to raise a few critical questions about the ICT and Development discourse that dominates policy and NGO circles, and I will be using the writings of Ranciere, the CM practitioners, and the conversation between them as the grounds on which to raise these questions. Ranciere began his career as a labour historian, and had initially set out to do a straightforward history of class consciousness in the labour archives outside Paris. What he found surprised him and informed his philosophy of education, and I believe it has immense significance for people working on ICT, poverty and development. Ranciere’s rethinking of labour history paves the way for us to start thinking seriously about the hidden domain of aspiration and desire of the subaltern subject, while at the same time thinking about the politics of our own aspirations and desires.

Ranciere goes into an unexplored aspect of the labour archive of nineteenth century France, where he starts looking at small, obscure and short-lived journals brought out by workers, in which they were writing about their own lives. But they were not necessarily writing about their work, or their condition as workers. And if they were, they were not writing about it in glorified terms but with immense dissatisfaction. Instead they were interested in writing poetry, philosophy and indulging in the pleasures of thought. They looked enviously at the thinking life that intellectuals were entitled to. At the same time, intellectuals have always been fascinated with the world of work and the romance of working class identity. Ranciere says “what new forms of misreading will affect this contradiction when the discourse of labourers in love with the intellectual nights of the intellectuals encounters the discourse of intellectuals in love with the toilsome and glorious days of the labouring people”.

Ranciere’s motley cast of characters includes Jerome Gillard, an iron smith tired of hammering iron, and Pierre Vincard, a metal worker who aspires to be a painter. In other words, a series of sketches of people who refused to obey the role sketched out for them by history, people who wanted to step across the line and perform the truly radical act of breaking down the time-honored barrier separating those who carried out useful labour from those who pondered aesthetics. He says that “A worker who has never learned how to write and yet tried to compose verses to suit the taste of his times was perhaps more of a danger to the prevailing ideological order than a worker who performed revolutionary songs… Perhaps the truly dangerous classes are not so much the uncivilized ones thought to undermine society from below, but rather the migrants who move at the borders between classes, individuals and groups who develop capabilities within themselves which are useless for the improvement of their material lives and which in fact are liable to make them despise material concerns.”

While we ordinarily think of development in terms of an improvement in the material life and living conditions of people, it seems from Ranciere’s account that this was not enough. What the workers wanted was to become entirely human, with all the possibilities of a human being, which included a life in thought. What was not afforded to workers was the leisure of thought, or the time of night which intellectuals had. This is not to say that an improvement in the material conditions of life was not important. On the contrary, it was crucially important, but if we are also to recognize inequality as being about the distribution of possibilities, then it is futile to maintain a divide between material and intellectual life. The struggle, in other words, was between time as a form of constraint and time as a possibility of freedom. For Ranciere, a worker then was someone to whom many lives were owed.

If we were to translate what this means for our understanding of ICT and the subject of development, we find that most interventions frame the poor as objects of the discourse of digital access, and they are rarely seen as the subject of digital imaginaries. How do we think of the space created by ICT as one that expands not just the material conditions but also breaks the divide between those entitled to the world of thought, and those entitled to the world of work? In other words, what is the space that we create when we frame the discourse of ‘digital divides’ only as a matter of technological access? How do we begin to look at the technological lives of people beyond developmentalism and take into account the way it changes aspirations and subjectivities?

Suraj, one of the writers at CM, in his conversation with Ranciere says “The capacity of my intellectual life always competes against my imagination. Exploration for me consists of recognizing the continuous pull by others around me (the constant movement), which propels me to the imagination of an intellectual life which always seems to be beyond me.” What this statement forces us to think about is the fact that we all lead intellectual lives, but the distribution of opportunities to lead an intellectual life is unequal, and we need to think through the history of materiality also as the history of conditions which divide people on the basis of those who think and those who work, or the division of time between the days of labour and the nights of writing. It would be tragic if we were to recycle clichéd ideas of the real needs of the elite and the real needs of the subaltern. The development sector seems to have inherited a certain anti intellectualism on the grounds that it is elitist and the left have failed to engage with such desires on the grounds that they were ‘false consciousness’.

But as Ranciere says “What if the truest sorrow lay not in being able to enjoy the false ones.” Ranciere argues that politics has always been about a distribution of the sensible or sensibilities (and this is certainly evidenced in political discourse as well as the critical discourse on technology, where we find metaphors of ‘visibility’ and ‘silence’ as a way of thinking about the political condition of the underclass). While the focus of the Harvard Forum has been appropriately on the correlation between ICT and poverty alleviation, it is also important to remember that these technologies (computers, mobiles, DVD players) are also a radical redistribution of the sensible. All of a sudden you have a vast number of people whose access to the world of images, texts and sounds has dramatically increased. At the same time they are engaging with the world of the sensible not just as passive consumers but actively producing, sharing and thinking through these new ephemeral forms.

We could ask questions about the larger change that a small experiment like the CM has been able to bring about. Do these young writers have the ability to change the world, is the model sustainable, etc.? The answer would be yes, but perhaps not in the way usually imagined by funders or NGOs. They have already changed the horizon of the possible by reinventing themselves and claiming their space in the world of thought. This also involves a radical rethinking of the very idea of equality itself. The liberal assumption is that equality is something we strive for, in other words that we move from inequality to equality. But what if we were to start with equality itself?

Starting from equality does not presuppose that everyone in the world has equal opportunities to learn, to express their capacities. We recognize immense inequalities in the material conditions of life, but we also recognize that there is always some point of equality when we think of each other as thinking beings, and to think of the process of learning, not as a moving from ignorance to knowledge but as a process of going from what is already known or what is already possessed to further knowledge or new possessions.

It is in this context that we also have to recognize that ICT technologies are a serious redistribution of the means of thought and expression. When Victor Hugo, a sympathizer of the working class, was shown a poem written by a worker, his embarrassed and patronizing response was “In your fine verse there is something more than fine verse. There is a strong soul, a lofty heart, a noble and robust spirit. Carry on. Always be what you are: poet and worker. That is to say, thinker and worker.” This is a classic instance of what Ranciere would term an ‘exclusion by homage’. Thus, the aspiration and desires of the poor have to be ‘something more than fine verse’; the information needs of the poor have to be more than wanting to watch a film or even dreaming of becoming a film maker.

These injunctions certainly tell us more about the fantasies of the state, of the intellectual and of NGOs than they do about people participating in the new realms of the digital, and if we are to avoid collapsing all ICT interventions into ‘exclusions by homage’ then we also need to start thinking about the new landscape via the intellectual possibilities that they hold, and the many lives that they enable. After all, the poor are also those to whom many lives are owed.

Lawrence Liang is founder of the Alternative Law Forum and a Distinguished Fellow with the Centre for Internet and Society.


IPv6 in India: The promises and challenges

by Pranesh Prakash last modified Aug 02, 2011 07:16 AM
Newspapers have been reporting that IPv4 addresses will run out soon, and that we will have to shift to IPv6. In this short piece, Pranesh Prakash gives a layperson's introduction to the IPv6 Internet we will be entering into soon, and what that means for you.

Reports suggest that the global pool of IPv4 addresses will run dry by 2011, and thus the shift to IPv6 is imminent.  But what does that mean?  There are excellent resources that explain this in technical language.  Below I shall try to do so in non-technical language.

What is IPv6?

Internet Protocol version 4 (IPv4) is a standard defined in 1981, which is central to the Internet, allowing vastly different computers on vastly different kinds of networks to communicate with each other.  (Think of how diplomatic protocols enable diplomats from vastly different cultures to communicate effectively by agreement on certain common minimums (such as a handshake, etc.).)  IPv4 was defined when there were relatively few computers, and even fewer connected to networks.  Many things have changed since then, with one of the most important changes being the burgeoning of the Internet and the World Wide Web.  Each computer on the Internet has something known as an IP address.  Each 'packet' of data transmitted over the Internet must have associated from and to IP addresses (which can sometimes be ranges of addresses).  IPv4 can accommodate 4,294,967,296 (2^32) unique IP addresses, whereas IPv6 can handle 340 undecillion (2^128) unique addresses.  When you consider that every device with Internet connectivity has an IP address (from laptops to Blackberries to even alarm clocks), a lot of IP addresses are required.  Since the early 1990s, people have been talking about some of the limitations of IPv4, the primary one being the lack of expandability of IPv4.

Benefits of IPv6

  1. Greater number of computers on the Internet, as it uses more
  2. Better reliability and security, as IPsec, a protocol for authenticating and securing all IP data, is built into IPv6 as a default.
  3. More efficient and thus faster than IPv4.  Despite carrying much more data, IPv6 packets are simpler to route (just as addresses with pincodes are easier for post offices to handle).
  4. More features can be added more easily.  If at a later point of time more features are required, those can be added without a whole new protocol being designed.

What all does IPv6 require?

  1. IPv6-capable Internet Service Providers providing consumers IPv6 addresses
  2. IPv6-capable networking hardware (modems, routers)
  3. IPv6-capable operating systems on consumer devices (smartphones, computers, etc.)
  4. IPv6-capable websites, which depends on (1)

The shift to IPv6

Apart from IPv6 capability, at some point the shift to IPv6 must happen, since IPv4 and IPv6 are not compatible.  Translators, which allow an IPv6 address to be understood by a computer using IPv4, do exist, but they are quite expensive to deploy.  Currently, it is estimated that around 1% of the world's Internet traffic is conducted using IPv6.  The most successful example of IPv6 being used on a large scale was the 2008 Olympics, where all network operations (from security camera transmissions to a special IPv6 website) used IPv6.  So why haven't more ISPs shifted to IPv6?  Because of network externalities.  While telephones make sense, being the only person in the world with a telephone doesn't.  Similarly, while IPv6 is the way for the future, it only makes economic sense for ISPs to shift (or even prepare for the shift, by using translators) when there are plenty of others using IPv6.  While some ISPs (like Sify) are already prepared for the shift, others need to gear up.  Importantly, the government should step in to encourage (and, perhaps, at some point, mandate) this transition. Following the governments of the US, EU, and China, the Indian government too sees the immensity of this shift, and has tasked the Telecommunication Engineering Centre (TEC) of the Department of Telecommunications to take the lead in this.  The TEC has convened meetings with experts, and thus India seems to be on the right track.

What does all this mean for you?

Perhaps a lot or not very much, depending on how you look at things.  Most modern modems and routers (which are usually provided by your ISP) support IPv6, but are, by default, configured for IPv4.  Many smartphones don't work on IPv6, but generally phones have a shorter shelf life and chances are that market forces will goad manufacturers to support IPv6 by the time the IPv6 Internet becomes more popular.  Thus, while IPv4 addresses might find themselves near the end of their natural life within one to three years, they will live on thanks to various mechanisms that translate IPv4 to IPv6 (which won't work well with certain applications such as peer-to-peer file-sharing).  Eventually, even those translators will have to be abandoned if we are to embrace a brave new Internet.

 

 

 

The Role of ICT in Judicial Reform- An Exploration

by Rebecca Schild last modified Aug 02, 2011 07:17 AM
A seminar held this month by the Communications and Manufacturing Association of India (CMAI) explored the role that information and communication technology can assume in the process of India's judicial reform efforts. The broad consensus among panelists was that “law is not keeping pace with technology”. However, whether technology will be harnessed to actually facilitate much needed transparency and access to the justice system, or be simply used to improve efficiency within the judicial branch still remains unclear.

The Indian judiciary is facing mounting pressures to reform its apparatus. Even the judiciary itself has come to recognize, on the books, that change is long overdue. Some estimates have it that it would require almost three years to clear the current backlog of cases in High Courts. While technocrats herald that the enormous backlog of cases may eventually be the death knell for India's judicial branch, reform efforts must go beyond achieving the speedier delivery of justice and work towards tackling other inadequacies of the system if “access to justice for all”(1) is to become a reality.

The rural penetration of courts in India is extremely low, which significantly limits access to justice for the many citizens living far beyond the district courts of city centers. An extremely low judge to population ratio in India only contributes further to the already high incidence of pending cases, making delays in justice a regular occurrence. Mr. P.K. Malhotra from the Department of Legal Affairs has noted that increased litigation within the government has also caused a stark increase in the number of pending cases. While the need for reform can be demonstrated quite clearly on a practical level, the right to information (RTI) movement has also provided further impetus for reform on a more fundamental level. Well organized citizens are now demanding the right to a more transparent and accountable judiciary.

As e-government initiatives continue to transform the nature of India's bureaucracy and enhance the quality of government services, there is a mood of great optimism that ICT will also come to play a central role in judicial reform efforts. Speakers at the seminar enthusiastically cited innovative practices such as Singapore's “paperless court” which makes a compelling case for automation.  Notable successes in implementing ICT in the judiciary have also been achieved in Canada, Australia, and in several countries across Latin America. This is not to say, however, that the appropriation of ICT is uniform in every case. Variables such as political will and context, institutional capacity and reform goals all play a role in shaping the outcome.  Plans could, for example, take more of an operational approach by prioritizing improved efficiency and the rationalization of resources by implementing electronic case management systems. Other strategies may be designed and implemented from an access perspective, seeking to restore faith in the justice system by increasing transparency and accountability. This could be done, for example, by installing video technology in court rooms, or publishing legal information online.

At the seminar, India's consortium of well-organized and highly ambitious technocrats were not shy in suggesting the many ways ICT may be used to transform the judicial system, and, additionally, the many ways such an endeavor provides the IT sector with “new opportunities”.  Dr M. Veerappa Moily, Union Minister for Law and Justice, has proposed for India a centrally funded and administered National Judicial Technology Program.  Such a program aims to use ICT in the courtrooms to free the legal system of “historical inefficiencies”.  There is no doubt that ICT can reduce the duplication of the paper world and make courts more green through electronic case filing and video conferencing. Online case filing systems can increase the speed with which citizens can have their cases heard, and real-time access to online repositories of legal information drastically expedites the case cycle.

Mr. C P Gurnani, CEO of Tech Mahindra, made the bold assertion that with ICT, India's 300 year case backlog can be reduced to three years, in a span of only three years (2). Features of this newly envisioned e-justice system include the use of video hearings to reduce transportation costs, case filing operation systems, RFID based file tracking, and the creation of a publicly accessible and easily searchable e-library. While others were much less optimistic than Mr. Gurnani and recognize that the use of ICT in the reform process is “no instant coffee”, the question of whether or not ICT can be strategically appropriated in the Indian context still remains.

Optimistic accounts of how ICT will increase access to justice, incorporate the marginalized into the law-making process, and increase judicial transparency and accountability all sound uncomfortably techno-utopian. While ICT should facilitate the reform process, past experiences have shown that the overzealous use of technology has too often produced less than impressive results (3). To ensure that the reform process in India is not driven mainly by the IT sector, it is important that the use of technology remains complementary to a sound national judicial reform strategy.  An abundant supply of technical support with little demand for the reform process from within the judicial branch may spell disappointing results for all stakeholders. Seeing that India's first seminar discussing the role of IT in the judiciary has been organized by the IT industry, it is safe to assume that reform strategies are being crystallized through the gaze of technocrats rather than the judiciary itself. Technology has an important role to play, but India's technocrats may be jumping the gun.

Many deep-seated challenges must be overcome before the use of ICT can be truly transformative. Often cited is the level of resistance judicial cultures express towards externally imposed change. Quite logically, those required to make change are also those who may have the most to lose in the short-term by doing so. Similarly, it is also difficult to garner the levels of political support judicial reforms require to be effective.  Because the judiciary is such a highly politicized apparatus, efforts to fundamentally transform the system will require the support of a vast number of stakeholders. The low level of technological literacy which exists among India's judges is also problematic. Not only will members of the judiciary have to be open to new ways of doing business, they will also have to be diligent in adopting a new skill-set that they may be more than a decade behind in acquiring.

Other deep-rooted limitations of India's judicial system are becoming increasingly apparent today. Questions surrounding access to justice remain deeply embedded in the asymmetries of class power, which are often reinforced by the political nature of the judiciary. Constitutional law in India also remains unstable, as the principles informing judicial action have become increasingly less clear (5). Furthermore, the courts have come to maintain a disproportionate share of power and influence in the Indian political sphere (6). It is questionable if ICT can work to ameliorate some of these malignancies, or if its use will only come to reinforce them.  If technology is appropriated in a way which serves to make the judicial process more transparent and accountable, protect the rights of citizens, and provide greater and more equitable access to justice, it may be safe to assume that a more tech-savvy judiciary is a positive development for citizens.  Publishing legal information online, for example, currently allows for greater transparency in the law making process and allows dialogue on important issues of governance and citizenship. 

However, it is almost unnecessary to reiterate that such outcomes are not guaranteed.  Technology is often seen as neutral: the evaluative outcome of its application remains dependent on numerous variable factors. Most important is whether or not the government provides a legal framework conducive to the appropriation of ICT in ways which are considered to further the public interest. It may be useful to view the successful appropriation of ICT to judicial reform as a cumulative process, each step being a precondition to the other. It is clear to see how basic infrastructure such as civil courts in rural areas must be in place before the use of ICT can facilitate access to justice for individuals who remain peripheral to the legal system. Similarly, one would assume that laws would first have to be nondiscriminatory towards all members of society before it can be widely accepted that more technology will better safeguard our rights and freedoms.

Without a legal framework which is considered to be socially just, greater speed of the judicial process, aided by technology, may become a tool which enables the judiciary to act more arbitrarily, more efficiently.   This could be troubling for individuals who are already marginalized by certain policies or legal practices.  Technology can also make it possible for judges to insulate themselves from the necessary checks and balances required in the law-making process.  While Mr Gurnani stated that ICT can help preserve judicial independence, it is questionable if the use of technology is an appropriate strategy to mitigate politicization of the judicial branch.  Any frivolous efforts to spearhead the reform process through the introduction of ICT without the required commitment of judges and policy makers may be naïve at best. At worst, it could serve to reinforce what judicial bodies believe they do well without critically re-examining the fundamental roles, norms and principles of the Indian judicial system itself.

Online case-filing services may unintentionally, due to cost or lack of awareness, erect further barriers to justice for individuals who traditionally remained outside of the sphere of access.  In the same vein, if ICT is favored for use in criminal rather than civil courts, technology may simply become a tool used to sentence people, more quickly.  This scenario sits in sharp opposition to visions of technology serving as a tool to empower individuals to better assert their rights and seek justice. Foreshadowing the role ICT may play in the future of India's judicial reform process, SPANCO Technologies is currently piloting the use of video technology in criminal courts.  Furthermore, India's judiciary has made several attempts to insulate itself from the provisions of the RTI Act, indicating that new laws, and even new technologies, may not be able to change practice.  There are also strong doubts looming that the Gramin Nyayalayas Act will be successful in leveraging the required financial support needed to construct civil courts in rural areas.  Without the basic building blocks, it is difficult to envision how a National Judicial Technology Program will be successful in bringing "justice" to all who are awaiting it.   Such instances serve as a light warning that technology, even within a favorable legal framework, may not necessarily spell a more accessible, transparent and accountable justice system.

A well-functioning judicial system is required to keep up with the demands of modern democratic society.  It is unquestionable that technology can play an influential role in ensuring that the relationship between citizens and the government is strong and communicative. However, it is important to ask under what conditions it may be beneficial to implement technology’s use. Inferring from last week’s seminar, proposals and rationale behind potential reforms were made from an economic perspective: how ICT can be used to see that cases are filed and judgments are delivered more quickly to improve efficiency and rationalize resources.  Whether technology will be appropriated to facilitate a more equitable justice system is unknown, but it is certain that this will require a coherent national reform strategy with long-term political backing.  Short-sighted technological fixes may improve India's judicial efficiency in the short term, but may, however, overshadow opportunities to bring about a more transparent and accountable system in the long term.

 

Notes

1. This was a notion emphasized often throughout the seminar.

2. Where these estimates were drawn from is unknown.

3. For a concise account of how the use of ICT may be misappropriated in the judicial reform process, see E-Justice: Towards a Strategic Use of ICT in Judicial Reform by Waleed H. Malik.

4. For an interesting account of India's judicial system, see "The Rise of Judicial Sovereignty" by Pratap Bhanu Mehta in "The State of India's Democracy", Oxford University Press, 2009.

5. Pratap Bhanu Mehta.

6. Ibid.

Information and livelihoods

by Radha Rao last modified Aug 02, 2011 07:18 AM
An article by Prof. Subbiah Arunachalam (Distinguished Fellow, CIS) in GISW 2009 (Global Information Society Watch, 2009)

Introduction

We live in a divided world where far too many people live in abject poverty. To help these people get out of poverty is good for the world as a whole, for great disparities in wealth will lead to violence and terrorism and no one can live in peace and harmony. None of the Millennium Development Goals (MDGs) can be achieved if we fail to address the problem of poverty and ensure livelihood security for the majority of the poor.

A vast majority of the poor live in the rural areas of developing countries and are dependent on agriculture or fishing for a living. They need information directly relevant to their livelihoods. Agriculture-related information is often one of the most immediate needs, since small-scale agriculture is very important to household incomes in rural areas. Information on current crop prices, fertiliser and pesticide costs, and the availability of improved seeds and low-cost improvements in farm technology can help farmers buy farm inputs and equipment of good quality at the right price, or help them successfully obtain credit.[1] Information on government entitlements and training programmes, opportunities for developing new products, and markets for environmental goods[2] is also useful. Without such information, poor families find it hard to take advantage of new opportunities for generating income and increasing their assets.

Many asset-less poor migrate to cities far and near and are constantly on the lookout for opportunities to work in construction sites, ports, factories and wherever they can be employed. They are often exploited and work in conditions far from satisfactory. They will be happy to have information on where work is available and wages are good.

This report looks at a few examples of how access to information helps improve the lives of people and how new technologies are being used in getting information to those who need it.

Small catch but big impact 

About twelve years ago scientists at the M S Swaminathan Research Foundation (MSSRF) started working with fishing communities in coastal villages of southern India. The major thrust of the project, funded by the International Development Research Centre (IDRC), was to look at how emerging information and communications technologies (ICTs) could be used to make a difference to these people’s lives. But the project managers took a holistic perspective and put people and their needs before technology: they went beyond merely providing online access to information through their internet-enabled Village Knowledge Centres (VKCs). They were concerned about fisherpeople losing their catches, nets, boats and even their lives on days when the sea turned rough. Lives could be saved if only one could have advance knowledge of weather conditions. After some investigation, the MSSRF researchers found that United States (US) Navy satellites were collecting weather and wave height information for the Bay of Bengal, and the Navy website released forecasts based on these data twice daily. The VKC volunteers started downloading this information and made it available to the fisherpeople in their local language through notice boards and a public address system. Ever since this service commenced not a single death in mid-sea has been reported from these villages.

The need for innovation 

Suddenly, the US Navy stopped providing this information and something needed to be done. MSSRF joined hands with Qualcomm, Tata Teleservices and Astute Systems Technology,[3] and these companies came up with an innovative mobile application called Fisher Friend based on third-generation code division multiple access (3G CDMA) technology. With Fisher Friend, the VKCs provide fisherpeople with real-time information on things like fish prices in different markets, weather, wave heights, satellite scan data on the location of fish shoals, and news flashes while they are at mid-sea. Access to these, as well as other information such as relevant government schemes, has improved market transparency and the earnings of smaller fisherpeople. Qualcomm is working on incorporating global positioning system (GPS) capability in the phones, so their exact location can be tracked. This would make rescue operations much easier.

Timely access to relevant information can not only improve the standards of living of a community, but also save lives.

Real evidence, not just anecdotal 

Much of the evidence of the benefits of access to information and the use of technology to facilitate access so far has been anecdotal. In a recent paper in the Quarterly Journal of Economics Robert Jensen of Harvard University has quantified the benefits.[4] He showed that the adoption of mobile phones by fisherpeople and wholesalers in Kerala in southern India had led to a dramatic reduction in price dispersion (the mean coefficient of variation of price across markets over a stretch of 150 kilometres came down from 60%-70% to less than 15%); the complete elimination of waste (from 5%-8% to virtually nil); and near perfect adherence to the Law of One Price.[5] In addition, fisherpeople’s profits increased by 8%, while consumer prices declined by 4% (directly driving a 20 rupee/person/month consumer surplus, the equivalent of a 2% increase in per capita GDP from this one market alone). Sardine consumption increased by 6%. The advent of mobile phones also led to a 6% increase in school enrolment and a 5% increase in the probability of using healthcare when sick. All this with no government programmes, and no new funding requirements.[6]

Several other initiatives involve mobile technology. Nokia recently launched Life Tools in India, a fee-based service, with a view to impacting on the daily lives of people, especially farmers. Life Tools offers timely online access to information that will be of great relevance to farmers, students and the lay public. Nokia has partnered with the Maharashtra State Agricultural Marketing Board (to gather commodity prices from 291 markets), Reuters Market Light, Syngenta and Skymet,[7] among others. It has plans to introduce Life Tools to other developing countries before the end of the year.

Online access to information through mobile phones and through telecentres has also helped shop owners, traders and the self-employed increase their earnings in many countries. The mobile phone is becoming the primary connectivity tool. With significant computing power, it will soon be the primary internet connection, providing information in a portable, well-connected form at a relatively low price, pushing aside the personal computer.

Conclusion 

Today the “bottom” three-quarters of the world’s population accounts for at least 50% of all people with internet access, says a Pew report.[8] As Turner pointed out in 2007, investment in telecom, which facilitates easy access to information, is more productive than investment in other kinds of infrastructure.[9] The impact is particularly noticeable in developing nations.

ICTs are not a technical solution on their own but are enablers in a process of local prioritisation and problem solving. This report has highlighted initiatives that use mobile technology. But mobile solutions are obviously not the only useful ones. For instance, LabourNet in Bangalore connects employers and casual labourers through an online database that is updated constantly.[10] Thanks to LabourNet, workers, especially at construction sites, get decent pay, training, insurance and safety measures at the workplace. However, the information supplied is more at the administrative level than the grassroots level.

The success lies in embedding ICTs in a holistic approach encompassing a diverse range of development initiatives. The trick is not to emphasise technology but to put people and their needs before technology. Sustainable livelihood approaches need to be people-centred, recognising the capital assets of the poor and the influence of policies and institutions on their livelihood strategies.[11]

Also, the mere ability to access information cannot take one far. What is important is what one can do with that information. Often one would need to have additional skills and capital to take advantage of the information. That is why efforts to provide improved access to information should go hand in hand with efforts to enhance skills through training programmes, and efforts to enhance access to finance through microfinance and the formation of self-help groups.

Rural livelihoods involve a wide range of strategies both within and outside the farming sector. Often farming communities need to augment their income through non-farming enterprises, and here the women and youth could play a role in enhancing household income.

It will be good to remember that a large number of ICT-enabled development pilot projects have remained just that – pilot projects that did not scale up.

References

  • Chapman, R., Slaymaker, T. and Young, J. (2003) Livelihoods Approaches to Information and Communication in Support of Rural Poverty Elimination and Food Security, Overseas Development Institute, London.
  • Chapman, R. (2005) ICT enabled knowledge centres and learning in the global village, in The Third MSSRF South-South Exchange Travelling Workshop (MSSRF/PR/05/59), M S Swaminathan Research Foundation, Chennai.
  • Jensen, R. (2007) The digital provide: Information (technology), market performance, and welfare in the South Indian fisheries sector, Quarterly Journal of Economics, 122 (August), p. 879-924.
  • Quitney Anderson, J. and Rainie, L. (2008) The Future of the Internet III, Pew Internet and American Life Project, Washington. www.future-internet.eu/fileadmin/documents/prague_documents/oc-meetings/PIP_FutureInternet3.pdf

 

  1. Chapman, R., Slaymaker, T. and Young, J. (2003) Livelihoods Approaches to Information and Communication in Support of Rural Poverty Elimination and Food Security, Overseas Development Institute, London.
  2. Good examples of environmental goods are handicrafts made from locally available material (plant or mineral-based material) and organic products.
  3. Qualcomm is a US-based multinational that designs and makes chips for telecom equipment. Tata Teleservices is a leading mobile service provider, and Astute Systems Technology is a software company writing applications for the chips.
  4. Jensen, R. (2007) The digital provide: Information (technology), market performance, and welfare in the South Indian fisheries sector, Quarterly Journal of Economics, 122 (August), p. 879-924.
  5. An economic law which states that in an efficient market, all identical goods must have only one price. In other words, variations in fish prices caused by differences in demand and supply at different locations disappeared once both buyers and sellers started using mobile phones.
  6. Turner, B. (2007) Cellphones & Development: Evidence, not anecdotes. blogs.nmss.com/communications/2007/02/cellphones_deve.html
  7. Syngenta is a multinational company. One of its corporate goals is to help farmers maximise the potential of their resources. Towards this end it provides technological solutions, as well as information relating to agronomy, land use, etc. Skymet provides weather-related services that allow clients to adapt to a changing environment.
  8. Quitney Anderson, J. and Rainie, L. (2008) The Future of the Internet III, Pew Internet and American Life Project, Washington. www.future-internet.eu/fileadmin/documents/prague_documents/oc-meetings/PIP_FutureInternet3.pdf
  9. Turner (2007) op. cit.
  10. LabourNet matches the skill sets of people available for work with the needs of those who use their services, similar to headhunters who match the skills of executives and managers and place them in the right companies at the right levels, only LabourNet deals with the poor.
  11. Chapman, R. (2005) ICT enabled knowledge centres and learning in the global village, in The Third MSSRF South-South Exchange Travelling Workshop (MSSRF/PR/05/59), M S Swaminathan Research Foundation, Chennai.



Address delivered during the IGF Closing Ceremony

by Radha Rao last modified Aug 02, 2011 07:18 AM
This address was delivered by Dr. Anja Kovacs, as a representative of civil society, to the IGF during its closing ceremony.

Good evening, Mr Chairperson and all the distinguished participants, ladies and gentlemen. Thank you for this opportunity to address this assembly on behalf of civil society, it is a real honour.  And thank you also to the organisers and to the government of Egypt, for the wonderful arrangements and for creating such an excellent environment for us to work in.

I would like to use this opportunity to celebrate, together with you, two very important achievements in particular that we have made collectively during the four days of our intensive deliberations together.

The first one is the progress we are making in terms of recognising the importance of attention for human rights in ensuring a people-centred, development-oriented, non-discriminatory information society.  Thus, for example, in the main session on security, openness and privacy, speakers across stakeholder groups couched the debate not any more in terms of security vs. privacy, but in terms of security and privacy.  Security or other concerns, it was consistently argued, while obviously deserving our attention, should not be used to justify curtailing longstanding gains made in terms of human rights; rather, it is an improved implementation of already agreed on human rights instruments that we need to reach our goal of an inclusive, people-centred information society.  The growing recognition of this fact is an evolution that civil society welcomes with open arms.

Another very hopeful evolution during this IGF was the central attention devoted to the question of where we stand in terms of promoting a people-centred, development-oriented information society more generally.  The message that came out of the main session on “Internet governance in the light of the WSIS principles” clearly confirmed the urgent need to pay greater attention to this important issue, and several suggestions were made to address this concern.  These include devoting a main session solely to the topic of Internet governance for development in next year's IGF, and I sincerely hope that these suggestions will be taken up.

While we thus have important reason to celebrate, challenges of course remain.  Throughout the existence of the IGF, and perhaps increasingly so, the value of the multistakeholder model has been recognised and stressed by all stakeholder groups.  However, at the same time, it has also been acknowledged that we need to continue to work to further strengthen participation from currently underrepresented countries and groups.  I would like to note, however, that it is important that we do not restrict our efforts in this regard to capacity building, significant as that may be.  Perhaps even more crucial is that the agenda of the IGF consistently talks to the concerns of actors in the developing parts of the world as well. 

The reconfirmation of the importance of a development agenda that we have seen in this IGF is thus a very important step forward indeed. At the same time, within this larger development agenda, it is crucial that we also as soon as possible start to discuss some of the specific issues that require our attention on an urgent basis.  For example, within the IGF as elsewhere, it is generally acknowledged that access to knowledge is central to development processes; yet the IGF so far has not paid systematic attention to the ways in which the amazing possibilities that the Internet offers in this regard are increasingly threatened by new policies that seem to make intellectual property regimes more stringent day by day.  From a developing country perspective, finding a balanced solution that can address these concerns is an urgent priority.  Starting the debate on how this can be achieved here, in the IGF, is certain to attract a larger number of developing country participants, including from governments.  

Going by the experience of the past years as well as this particular meeting, I have no doubt that if given the opportunity, we will measure up to the challenges before us. Without wanting to preclude the Under-Secretary General's report, the proceedings during this IGF have made clear time and again its crucial significance in Internet governance processes.  I hope with all my heart that we will continue to get the opportunity to work together on addressing these important issues and on resolving tensions and contradictions as they emerge, with the support of an independent secretariat that can ensure an environment genuinely inclusive of all stakeholders.  Only when such open, inclusive conditions govern our own processes, may we in turn, together be able to create a genuinely inclusive information society which will indeed create opportunities for all.

Thank you. 

 

When Whistle Blowers Unite

by Sunil Abraham last modified Mar 21, 2012 10:17 AM
Leaking corporate or government information in public interest through popular Web service providers is risky but Wikileaks.org is one option that you could try out.

Leaking corporate or government information in public interest in the age of Satyam has new challenges. You couldn't just upload it to a blog, social networking website or even a document management system like Google documents. Google, Yahoo and most other Web service providers nearly always comply with the national law and cooperate with enforcement agencies. In India there have been several arrests in connection with alleged illegal email messages and content on social networking websites. It did not take a court order – just a request from the local police station. Furthermore, you would have to undertake additional risky activity online to draw media attention to your documents. Also, those who stand to lose from the leak can send a couple of copyright take down notices which will lead to deletion. So your only real option is Wikileaks.org, where they boast:  Every source protected. No documents censored. All legal attacks defeated.

Launched in December 2006, Wikileaks.org stands alone on the Internet as the last refuge for the truth. Even though the promoters are European and US academic organisations, journalists and NGOs – a near neutral point of view is realised by sparing no one across the political and ideological spectrum. It is the archive of the whistle-blowers of the world and it is ugly: login information and private emails of a holocaust denier, secret documents from the Church of Scientology, Internet block-lists from Thailand and standard operating procedures for US guards at Guantanamo Bay, et cetera. One could safely assume that these guys have very few friends.  Unlike Wikipedia.org whose technology it employs, Wikileaks does not have an open and participatory editorial policy. It accepts documents through a trusted journalist–source system.  

Leaking controversial documents can result in loss of job, limb and life, so extreme caution is always advised. Remember that India still does not have laws protecting whistle blowers, in spite of a bill being introduced in 2006. What follows is only a very rough guide to digital whistle blowing, so please get expert advice before you try these at home:

  • Download and install military grade encryption software like Pretty Good Privacy. Generate a pair of keys – a public and a private one. Use your private key in combination with a journalist's public key to send him or her a 'for your eyes only' email message. Only the journalist will be able to decrypt the message using your public key and his private key. Note, however, that an Indian court under the 2008 amendment of the IT Act can ask you to disclose your key-pair.
  • Step outside. Working from home is a bad idea since DOT mandates that all ISPs retain logs for all users and for all services utilized for an indeterminate time-period. The office is worse still, as your network administrator might also be logging your activities.
  • Find an anonymous public access point. Cyber-cafes, especially in New Delhi, Maharashtra, Karnataka and Tamil Nadu are asking users to provide identity cards and record contact details and in some cases web-cam photographs as well. Using your laptop in a coffee shop may work but DOT is considering cracking down on open wifi networks. 
  • Use an anonymizing service so that the chain of digital evidence leading up to Wikileaks is obliterated. TOR is the anonymizing solution of choice. Several TOR servers that provide private tunnels across the Internet work in unison, to form a cloud of anonymity.

If you were leaking large amounts of data, uploading it may be too risky. Burn the data on DVDs and mail them to Wikileaks. However, do ensure that all digital files have been purged of personal information. For Word files this can be done by converting to PDF. Also, you may not want to leave any fingerprints on the package. India will soon have a database of fingerprints thanks to the National Unique Identity (NUID) project. We know this thanks to the leaked NUID project document on Wikileaks.org, days before the consultation.
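As an added illustration (not part of the original article), this is what "personal information" in a Word file looks like in practice: a .docx is a ZIP package whose docProps parts and tracked-change markup can name the author and organisation. The Python code below lists those fields and writes a copy with them blanked; the sample package, the names in it and the function names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
for _prefix, _uri in (("cp", CP), ("dc", DC), ("ep", EP), ("w", W)):
    ET.register_namespace(_prefix, _uri)

# Elements whose text names a person or organisation, keyed by package part.
IDENTIFYING = {
    "docProps/core.xml": [f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"],
    "docProps/app.xml": [f"{{{EP}}}Company", f"{{{EP}}}Manager"],
}
AUTHOR_ATTR = f"{{{W}}}author"  # carried by comments and tracked changes


def _inspect_part(name, xml_bytes, scrub=False):
    """Return (findings, xml_bytes) for one part; blank the fields when scrub is set."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for tag in IDENTIFYING.get(name, []):
        for el in root.iter(tag):
            if el.text:
                findings.append((name, tag.split("}")[1], el.text))
                if scrub:
                    el.text = ""
    if name.startswith("word/"):
        for el in root.iter():
            if el.get(AUTHOR_ATTR):
                findings.append((name, "w:author", el.get(AUTHOR_ATTR)))
                if scrub:
                    el.set(AUTHOR_ATTR, "")
    if scrub and findings:
        # Only parts that actually changed are re-serialised.
        xml_bytes = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    return findings, xml_bytes


def find_identifying_metadata(docx_bytes):
    """List (part, field, value) for every identifying field in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml"):
                findings += _inspect_part(name, zf.read(name))[0]
    return findings


def scrub_metadata(docx_bytes):
    """Return a copy of the package with the identifying fields blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name.endswith(".xml"):
                data = _inspect_part(name, data, scrub=True)[1]
            # A fresh ZipInfo resets the entry timestamp to 1980-01-01.
            dst.writestr(zipfile.ZipInfo(name), data, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()


def build_sample_docx():
    """Constructed sample: only the parts this check reads, not a full document."""
    parts = {
        "docProps/core.xml": (
            f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            "<dc:title>Minutes</dc:title><dc:creator>A. Example</dc:creator>"
            "<cp:lastModifiedBy>B. Example</cp:lastModifiedBy></cp:coreProperties>"
        ),
        "docProps/app.xml": (
            f'<Properties xmlns="{EP}"><Company>Example Corp</Company>'
            "<Pages>1</Pages></Properties>"
        ),
        "word/document.xml": (
            f'<w:document xmlns:w="{W}"><w:body><w:p>'
            '<w:ins w:id="1" w:author="A. Example"><w:r><w:t>text</w:t></w:r></w:ins>'
            "</w:p></w:body></w:document>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for part, field, value in find_identifying_metadata(sample):
        print(f"{part}: {field} = {value}")
    print("after scrub:", find_identifying_metadata(scrub_metadata(sample)))
```

The same listing step can be run on any exported file before it leaves your machine, since embedded images and other formats carry their own metadata that this check does not cover.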

Sense and censorship

by Sunil Abraham last modified Mar 21, 2012 10:15 AM
Sunil Abraham examines Google's crusade against censorship in China in wake of the attacks on its servers in this article published in the Indian Express.

Some believe that Google’s co-founder Sergey Brin’s memories as a six-year-old in the former Soviet Union have inspired Google’s crusade against censorship in China. However, as Siva Vaidhyanathan, author of the upcoming book The Googlisation of Everything, notes in a recent blog post — this “isn’t a case of Google standing up for free speech....but about Google standing up against the attacks.”

He was referring to the attacks on Google’s servers that originated from China mid-December last year. Anyone running a multi-billion dollar enterprise online would be well attuned to the security threats posed by anarchists, crackers, spammers and phishers on a daily basis. So what made the recent Google attacks so special? According to Google, intellectual property was stolen and two human rights activists’ accounts were compromised during the attack. So which was the straw that broke the camel’s back — intellectual property or human rights? Google could have spoken out against censorship years ago — after all it still censors search results in more than 20 countries, including India. Although there is no official channel or protocol guiding censorship practices in India, Google is regularly contacted by government officials and continues to delete web content deemed sensitive according to various ethnic, political and religious groups. Human rights activists note that Google offers some token resistance and then usually complies with the state’s demands. Google’s deputy general counsel, Nicole Wong, justifies her cooperation with the authorities citing the Indian way of torching buses during riots. Therefore it is odd that the US government endorses Google’s selective idealism in China. One week after the attacks, Hillary Clinton decided to lecture the world on Internet freedom. Then, Google and the National Security Agency announced a collaboration to deal with future cyber-attacks. This was followed by Google honouring female bloggers in Iran, forcing cyber-ethnographer, Maximilian Forte to wonder on Twitter, “Is it just me, or is Google consistently joining the causes of the US State Department?” How is Google’s move, and recent White House support for a “free web”, to be understood? How is Google’s move consistent with the Obama administration’s goal of protecting US business interests across the globe?

Such questions may tell us why Google is picking a fight with China rather than Saudi Arabia or Burma. The recent privacy disaster incited by the release of Google’s new social networking application Buzz became yet another occasion when many began to doubt Google’s high rhetoric about freedom of expression. When Buzz first made the social connections of Gmail users public without their consent, blogger Evgeny Morozov questioned the company’s logic in protecting the email accounts of Chinese human rights activists (ie, when they are happy to tell the rest of the world who those activists are talking to). According to Morozov, Google has only managed to capture 30 per cent of the Chinese search market, and he believes that Google was willing to sacrifice this market for some much needed positive PR after a storm of bad press after projects like Buzz and Wave.

It is clear that Google will have to fight such pressures towards greater control of the internet across the globe, China being no great exception. This week, Google and Yahoo have come out strongly in opposition to Australia’s plan to implement a mandatory ISP filter. Sometimes, a particular form of censorship serves a useful and necessary purpose — for example, Google and Microsoft were forced by the Indian Supreme Court in September 2008 to stop serving advertisements for do-it-yourself foetus sex determination kits. Given our daughter deficit, I would not have it any other way. However, in Thailand, such filtering takes the form of overly expansive lèse majesté laws which force ISPs to reveal details of individuals posting content deemed insulting to the monarch, Bhumibol Adulyadej — this practice leading to self-censorship and over-moderation on forums and mailing lists in Thailand.

Also, as soon as traffic was redirected from Google.cn to Google.com.hk, Google advised its enterprise customers in China to use VPN (virtual private networking), SSH (secure shell) tunneling, or a proxy server to access Google Apps. These are circumvention technologies of choice for many Chinese cyber-activists, says Rebecca MacKinnon, founder of Global Voices Online. In her recent congressional submission, she also points out that in China, online defiance has a very different history, perhaps best illustrated by the Mud Grass Horse Internet meme which was an obscene pun on a government media campaign aimed at national unity and harmony. In China, aesthetics rather than technology is the primary tool for subversive political speech. Also, as in Burma and Saudi Arabia, offline piracy and pirated satellite television ensure that most citizens are able to access censored content. And the average Chinese netizen cannot tell the difference between Google censoring its own results and the Great Firewall censoring Google. Google’s recent actions have very little real impact on the state of censorship in China.

For original article in the Indian Express

Report on the Fourth Internet Governance Forum for Commonwealth IGF

by Pranesh Prakash last modified Feb 29, 2012 05:42 AM
This report by Pranesh Prakash reflects on the question of how useful the IGF is in the light of meetings on the themes of intellectual property, freedom of speech and privacy.

The first Internet Governance Forum was held in Athens in 2006, as a follow on to the 2005 Tunis World Summit on the Information Society, and to fulfil the principles drawn up there. Its explicit objective is to “promote and assess, on an ongoing basis the embodiment of WSIS principles in Internet governance processes”. Those principles still form the basis of the talks that happen at the IGF, and are frequently referred to by the various groups that attend the IGF as the basis for their positions and claims. Sometimes, some of the values promoted by the principles are claimed by opposing groups (child safety vs. freedom of expression). Thus, in a way the negotiation of those principles was what really set the tone for the IGF, which in and of itself is a process by which those principles could be furthered. The one question that formed part of people’s conversations through the fourth Internet Governance Forum (IGF) at Sharm el Sheik, as it had in the third IGF at Hyderabad, and no doubt ever since the first edition, was “How useful is the IGF?” This report shall reflect on that question, particularly based on the workshops and meetings that happened around the themes of intellectual property, freedom of speech, and privacy.

There are not many meetings of the nature of the IGF. It is not a governmental meeting, though it is sponsored by the United Nations. It is not a meeting of civil society groups, nor of academics nor industry. It is a bit like the Internet: large and unwieldy, allowing for participation of all while privileging those with certain advantages (rich, English-speaking), and a place where a variety of interests (government, civil society, academia and industry) clash, and where no one really has the final word. While the transformational potential of the Internet and the World Wide Web have been felt by a great many, the potential of the Internet Governance Forum is still to be felt. This report, in part, seeks to present an apology of the IGF process, though it is the belief of this reporter that it could do with a few modifications.

DAY 0 (Saturday, November 14, 2009)

This reporter arrived with his colleagues at Sharm el Sheik late in the afternoon on Saturday, November 14, 2009, with the IGF set to begin the next day. Though we had been advised to register that evening itself, the fatigue of travel (in the case of my colleagues) and the requirement of purchasing new clothes to replace those in the suitcase that had been lost (in my case) kept us from doing so.

DAY 1 (Sunday, November 15, 2009)

The IGF began on Sunday, November 15, 2009, with a large delay. The registration desks seemed to have a bit of difficulty handling the number of people who were pouring in for registration that morning. By the time this reporter was done with registration, the first set of workshops was already under way, and nearing completion, leaving not much time before the commencement of Workshop 361 (Open Standards: A Rights-Based Framework), which was being organized by this reporter.

That workshop had as speakers Sir Tim Berners-Lee (World Wide Web Consortium), Renu Budhiraja (Department of IT, Government of India), Steve Mutkoski (Microsoft), Rishab Ghosh (UNU-MERIT), and Sunil Abraham (Centre for Internet and Society), with Aslam Raffee (Sun Microsystems, formerly with the Government of South Africa) chairing the session thus representing government, industry, civil society, and academia. The theme of the workshop (rights-based framework for open standards) was explored in greatest depth by Tim Berners-Lee, Sunil Abraham, and Rishab Ghosh, while Renu Budhiraja and Steve Mutkoski decided to explore the fault-lines, and the practicalities of ensuring open standards (as well as the interoperability, e-governance, and other promises of open standards). Rishab Ghosh pointed out that while a government could not make it a requirement that your car be a Ford to be granted access to the parking lot of the municipality, it often made such arbitrary requirements when it came to software and electronic access to the government.

Open standards, most of the panellists agreed, had to be royalty-free, and built openly with free participation by anyone who wished to. This model, Sir Tim pointed out, was what made the World Wide Web the success that it is today. This would ensure that different software manufacturers could ensure interoperability which would encourage competition amongst them; that all governments -- even the less developed ones -- would have equal access to digital infrastructure; that citizen-government and intragovernment interaction would be made much more equitable and efficient; and that present-day electronic information would be future-proofed and safeguard against software obsolescence.

Renu Budhiraja in a very useful and practically-grounded presentation pointed out some of the difficulties that governments faced when deciding upon definitions of “open standards”, as well as the limited conditions under which governments may justify using proprietary standards. She spoke of the importance of governments not following the path laid out by market forces, but rather working to lead the market in the direction of openness. Governments, she reminded the audience, are amongst the foremost consumers of software and standards, and have to safeguard the interests of their citizens while making such decisions. Steve Mutkoski challenged the audience to not only think about the importance of open standards, but also think of the role it plays in ensuring efficient e-governance. Standards, he contended, are but one part of e-governance, and that often the reason that e-governance models fail are not because of standards but because of other organizational practices and policies. Pointing to academic studies, he showed that open standards by themselves were not sufficient to ensure

Sunil Abraham pointed out examples of citizens’ rights being affected by lack of open standards, and pointed out the concerns made public by ‘right to information’ activists in India on the need they perceived for open standards. He also pointed out an example from South Africa where citizens wishing to make full use of the Election Commission’s website were required to use a particular browser, since it was made with non-standard proprietary elements that only one company’s browser could understand. Since that browser was not a cross-platform browser like Firefox, users also had to use a particular operating system to interact with the government. The session ended with a healthy interaction with the audience.

The importance of having this discussion at the IGF was underscored by Rishab Ghosh who noted that issues of defining and choosing technical standards are often left to technical experts, while they have ramifications much further than that field. That, he opined, is the reason that discussing open standards at a forum like the IGF is important. A more complete report of this workshop may be found at <http://cis-india.org/advocacy/openness/blog/dcos-workshop-09>.

After the workshop came the opening ceremony, which had Mr. Sha Zukang, U.N. Under-Secretary General for Economic and Social Affairs, Tarek Kamel, the Egyptian Minister for Communications and Information Technology, Dr. Ahmed Nazif, the Prime Minister of Egypt, Tim Berners-Lee, and Jerry Yang. The theme of this year’s IGF was the rather unwieldy “access, diversity, openness, security, and critical Internet resources”. The spread of the Internet, as noted by Sha Zukang, is also quite revealing: In 2005, more than 50% of the people in developed regions were using the Internet, compared to 9% in developing regions, and only 1% in least developed countries. By the year 2009, the number of people connecting in developing countries had expanded by an impressive 475 million to 17.5%, and by 4 million in LDCs to 1.5%, while Internet penetration in developed regions increased to 64%. All in all (Jerry Yang pointed out), around 1.6 billion people, or about 25 per cent of the world, are online. Mr. Kamel noted that “the IGF has proved only over four years that it is not just another isolated parallel process but it has rather managed to bring on board all the relevant stakeholders and key players”.

Of importance in many of the speeches were the accountability structures of the Internet due to the Affirmation of Commitment that the U.S. Department of Commerce signed with ICANN, and the growing internationalisation of the World Wide Web due to ICANN’s decision to allow for domain names in multiple languages. Tim Berners-Lee again pointed out the need to keep the Web universal, and in particular highlighted the role that royalty-free open standards play in building the foundations of the World Wide Web. Other than small remarks, privacy and freedom of expression did not really figure greatly in the opening ceremony. Jerry Yang, through his talk of the Global Net Initiative, was the one who most forcefully pointed out the need for both online. The Prime Minister of Egypt, in passing, pointed out the need to safeguard intellectual property rights online, but that note was (in a sense) countered by Sir Tim’s warning about the limiting effect that strong intellectual property would have on the very foundations of the World Wide Web and the Internet.

DAY 2 (Monday, November 16, 2009)

The second day was begun by attending the Commonwealth IGF Open Forum. This open forum was most enlightening as in it one truly got to see Southern perspectives on display. Speakers (both on the dais as well as from the audience) were truly representative of the diversity of the Commonwealth, which presently includes 54 states and around 2.1 billion people (including 1.1 billion from India). Issues of concern included things such as the lack of voice of whole regions like East and West Africa in the international IG policy-making arena. Some of the participants noted that issues such as music piracy, which is a favourite topic of conversation in the West, are of no relevance to most in Africa, where the pressing copyright-related issues are those of education, translation rights, etc. One participant noted that “Intellectual property issues need developing countries to speak in one voice at international fora; the Commonwealth IGF might allow that.”

A number of people also brought up the issue of youth, pointing towards children as both the present and the future of the Internet. This attitude also showed up in the session that was held later that day at Workshop 277 (IGF: Activating and Listening to the Voice of Tweens) in which not only were youth and IG issues discussed, but the discussion was also by youth. The formation of the new Dynamic Coalition on Youth and Internet Governance with Rafik Dammak as the coordinator also underlines the importance of this issue which came up at the CIGF open forum.

Other concerns were that of sharing ICT best practices and examples, and the need to urgently bridge the rural-urban divide that information and communication technologies often highlight, and sometimes end up precipitating. This divide is, in many ways, similar to the divide between developing and developed nations, and this point was also highlighted by many of the participants. One strength that the CIGF has as a platform, which the IGF possibly lacks, is the commonality of the legal systems of most of the Commonwealth countries, and hence the possibility that arises of joint policy-making. It was heartening to see that British Parliamentarians, apart from bureaucrats from many countries, were in attendance. This strong focus on developing countries and Southern perspective is, this reporter believes, one of the strengths of the CIGF, which needs to be pushed into the global IGF.

The next workshop attended was Workshop 92: A Legal Survey of Internet Censorship and Filtering, which was organized by UNESCO. A large number of very interesting people presented here, and panellists included IFLA/Bibliotheca Alexandrina (whose Sohair Washtawi was surprisingly critical of the Egyptian government), UNESCO (Mogens Schmidt), Freedom House (Robert Guerra), and Frank La Rue, U.N. Special Rapporteur for Freedom of Opinion and Expression. What came of this workshop was the need to study the online state of freedom of expression as fully as the “offline” state of press freedoms is studied, as an interesting fact that came out of this workshop was that there are currently more online journalists behind bars around the world than traditional journalists. A critique of the Freedom House’s online freedom report, which was not sufficiently voiced at the workshop itself, is that it represents a very Western, state-centric idea of freedom of speech and expression, and often looks at the more direct forms of censorship (state censorship) rather than private censorship (via advertising revenue, copyright law, and “manufactured consent”) and self-censorship. This reporter also intervened from the audience to point out that copyright is often a way of curbing freedom of speech (as was the case with the scholarly reprints of Nazi-era newspapers in Germany recently, or with the Church of Scientology wishing to silence its critics). The panellists, including Mogens Schmidt and Frank La Rue, agreed, and responded by noting that this dimension of copyright requires greater reflection by those groups involved in promoting and safeguarding freedom of speech and expression both online and offline.

The time before the meeting of the Dynamic Coalition on Open Standards was spent listening to Bruce Schneier, Marc Rotenberg, Frank La Rue, Namita Malhotra, and others at the Openness, Security and Privacy Session. Bruce Schneier, one of the most astute and insightful thinkers on issues of security and privacy, focussed on a topic that anyone who reads his blog/newsletters would be familiar with: that openness, security and privacy are not really, contrary to popular perception, values that are inimical to each other. Mr. Schneier instead sees them as values that complement each other, and argued that one cannot ensure security by invading privacy of citizens and users. He noted that “privacy, security, liberty, these aren’t salient. And usually whenever you have these sort of non-salient features, the way you get them in society is through legislation.” On the same note, he held the view that privacy should not be a saleable commodity, but an inalienable fundamental right of all human beings (a position that Frank La Rue agreed with).

Apart from the traditional focus area of states, there was also a lot of focus on corporations and their accountability to their users. On the issue of corporations versus states, Frank La Rue made it clear that he believed the model that some corporations were advocating of first introducing technologies into particular markets, expanding, and then using that to push for human rights, was not a viable model. Human rights, he reiterated, were not alienable, and stated: “You [internet companies] strengthen democracy and democratic principles and then you bring up the technology. Otherwise, it will never work, and it is a self defeating point.”

The meeting of the Dynamic Coalition on Open Standards was next. This meeting served as a ground to build a formal declaration from Sharm el Sheik for DCOS. The meeting was held in the room Luxor, the seating in which was rectangular, promoting a vibrant discussion rather than making some people “presenters” and the rest “audience”. Many of the members of the Dynamic Coalition on Accessibility and Disability were in attendance, seeing common purpose with the work carried out by DCOS. There was spirited discussion on how best to move from a formulation of open standards as “principles” to more citizen-centric “rights”. This shift was pointed out as an important one because rights allow for claims to be made in a way that principles and concessions do not. One of the participants helped re-draft the entire statement, based on suggestions that came from him and the rest of the participants. This was, in a sense, the IGF’s multi-stakeholderism (to coin a phrase) at its best.

Because of the late ending to the DCOS meeting, this reporter arrived late for the Commonwealth IGF follow-up meeting. It seemed that the meeting took its time in finding its raison d’être. It was, for a long while, unclear what direction the meeting was headed in because the suggestions from the audience members were of different types: programmatic actionable items, general thematic focus area suggestions, as well as general wishlists. However, in the end, this came together and became productive thanks to the focus that the chairperson and the rapporteur brought to the discussion. Furthermore, it was a great opportunity to connect with the various young people who had been brought together from various backgrounds to attend the IGF by the CIGF travel bursary. It will be interesting to see the shape that CIGF’s future work takes.

DAY 3 (Tuesday, November 17, 2009)

The first session attended on the third day was the meeting on “Balancing the Need of Security with the Concerns for Civil Liberties”. The speakers included Alejandro Pisanty (Workshop Chair), Wolfgang Benedek, Steve Purser, Simon Davies, and Bruce Schneier. Once again, the one point that everyone agreed on is that those pitting security against privacy are creating a false dichotomy, and that for security to exist, privacy must be safeguarded. Steve Purser pointed out that common sense takes a long while to develop and that we, as a human collective, have not yet developed “electronic common sense”. Simon Davies’ main point was that accountability must necessarily be appended to all breaches of privacy in the name of security. Indeed, he lamented that oftentimes the situation is such that people have to justify their invocation of privacy, though the state’s invocation of security to trample privacy does not require any such justification. Security, he pointed out, is not something that is justified by the government, judged by the people, and to which the government is held accountable for its breaches of civil liberties.

Bruce Schneier, as usual, was quite blunt about things. He noted that only identity-based security has anything to do with privacy, and that there are a great many ways of ensuring security (metal detectors in a building, locks in a hotel room) that do not affect privacy. At the meeting, this reporter made a comment noting that a lot of debate is happening at a theoretical level, and that while a lot of good ideas are coming out of that discussion, those ideas have to be translated into good systems of governance in countries like India. Some organizations internationally are trying to make human readable privacy signs such as the human readable copyright licences used by Creative Commons. Concerning citizens’ privacy, a lot of systems (such as key escrow) that have been discredited by knowledgeable people (such as Bruce Schneier) are still being considered or adopted by many countries such as India (where this blew up because of a perceived security threat due to RIM BlackBerry’s encryption). National ID schemes are also being considered in many countries, without their privacy implications being explored. In the name of combatting terrorism, unregistered open wireless networks are being made illegal in India. While there have been informed debates on these issues at places like the IGF, these debates need to find actual recognition in the governance systems. That translation is very important.

The next session this reporter attended was the meeting of the Dynamic Coalition on Freedom of Expression of the Media on the Internet. Amongst the other items of discussion during the session, the site Global Voices Online was showcased, and many of the speakers gave their opinions on whether freedom of speech online required a new formulation of the rights, or just new applications of existing rights. The consensus seemed to be that tying up with the Internet Rights and Principles DC would be useful, but that the project need not be one of reformulation of existing rights, since the existing formulations (as found in a variety of international treaties, including the UDHR) were sufficient. One of the participants stressed though that it was important to extend freedom of press guarantees to online journalists (in matters such as defamation, or copyright violation, where news organizations might be granted protection over and above that which an ordinary citizen would receive). Citizen-led initiatives for circumventing censorship were also discussed.

Two very important points were raised during the Openness main session on Day 2. First, someone noted that the freedom of expression is not only an individual right but also a collective right: the right of peoples to express not only ideas but to express their cultures, their traditions, their language and to reproduce those cultures and languages and traditions without any limitation or censorship. This aspect of the freedom of expression finds much resonance in many Southern countries where collective and cultural rights are regarded as being as important as individual and civil-political rights. Secondly, Frank La Rue pointed out that freedom of speech and expression went beyond just giving out information and opinion: it extended to the right to receive information and opinion. Excessively harsh copyright regimes harm this delicate balance, and impinge on free speech.

One of the issues that was not explored sufficiently was that of the changes wrought by the Internet on the issues raised by the participants. For instance, while there was much talk about defamation laws in many countries and their grave faults (criminal penalties, defamation of ideas and not just persons), there was no talk of issues such as forum-shopping that arises due to online defamation being viewable around the world with equal ease. Thankfully, the coordinators of the Dynamic Coalition urged people to register on the DC’s Ning site (http://dcexpression.ning.com) and keep the conversation alive there and on the DC’s mailing list.

The session held on Research on Access to Knowledge and Development, organized by the A2K Global Academy was most informative. It brought together many recent surveys of copyright law systems from around the world and their provisions for access to knowledge, including the Africa Copyright and Access to Knowledge project with which this reporter is very familiar. The three main focus areas of discussion were Access to Education (A2E), Open Source Software (OSS) and Access to Medicines (A2M). The best presentation of the day was that made by Carlos Affonso of FGV (Brazil) who made an impassioned case for access to knowledge in the developing world, showcasing many practical examples from Brazil. He noted that many of the examples he was showing were plainly illegal under Brazilian laws, which had very limiting limitations and exceptions. He showcased the usage of Creative Commons licensing, Technobrega music, usage of common ICT infrastructure (such as cybercafes), which are often only semi-legal, and the general acceptance of commons-based peer production. The conclusion of the Egyptian study was that more work is needed to expand access to educational materials, including expansion of the limitations and exceptions to copyright law for educational purposes. The overall consensus of all the various studies was that open source software was playing a very useful and crucial role in promotion of access to knowledge, but pointed out that the main barrier that open source software was facing was that of anti-competitive practices and not something related to copyright law.

Day 4 (Wednesday, November 18, 2009)

On the last day, this reporter was a presenter in a workshop on the “Global State of Copyright and Access to Knowledge”. This session had the following panellists: Tobias Schonwetter, Faculty of Law, University of Cape Town; Bassem Awad, Chief Judge at the Egyptian Ministry of Justice and IP Expert; Perihan Abou Zeid, Faculty of Legal Studies and International Relations, Pharos University; Pranesh Prakash, Programme Manager, Centre for Internet and Society; Jeremy Malcolm, Project Coordinator, Consumers International; and Lea Shaver, Associate Research Scholar and Lecturer in Law at Yale Law School.

This workshop was the result of the merger of workshops proposed by the African Copyright and Access to Knowledge project, and by Consumers International (to showcase their IP Watch List). Lea Shaver noted that the purpose of copyright law is to encourage creativity and the diffusion of creative works, and not as an industrial subsidy. If copyright law gets in the way of creativity and access to knowledge, then it is in fact going against its purpose. She asserted that copyright law should be assessed by touchstones of access, affordability and participation. “Copyright shapes affordability and access because as the scope of rights expands, the more control is centralised and the less competition. It also shapes participation, because under current law the amateur who wants to build upon existing works is at a disadvantage, and risks running afoul of others’ rights.” Rent-seeking behaviour is what is driving the expansion that we see globally in the coverage of copyright law, and not the costs of production and distribution (which are ever becoming cheaper).

Dr. Abou Zeid noted that technology grants copyright holders (and even non-holders) great control over knowledge, and that strong safeguards are required against this control in the form of limitations to technological protection methods (TPMs). Further, copyright law must take advantage of the benefits offered by technology, such as distance education, granting access to the disabled, and must extend present day E&L to cover these as well. Tobias Schonwetter presented the findings of the ACA2K project, and noted that most countries granted greater protection to rights holders than international law required. Amongst the survey countries, none dealt with distance and e-learning, and only one (Uganda) dealt with the needs of the disabled. He hoped that the extended dissemination phase would assist other projects to build on ACA2K’s work. Thus, “legal systems worldwide are not meeting consumers’ needs for access to knowledge. A better legal system, the research suggests, would support non-commercial sharing and reuse of material, which in turn would drive down costs and increase sales of licensed material, and could also increase consumers’ respect for the law overall.”

The present reporter started by asking why this abstract phrase “access to knowledge” is so important. A2K actually affects almost all areas of concern to citizens and consumers: education, industry, food security, health, amongst many more areas. Mark Getty notes that “IP is the oil of the 21st century”. By creating barriers through IP, there is less scope for expansion and utilization of knowledge, and this most affects “IP poor” nations of the South. In India, there is a new copyright amendment that will introduce DRMs, even though India is not bound by international law to do so. There is also a very worrisome movement to pass state-level criminal statutes that class video pirates in the same category as “slum lords, drug peddlers and goonda”, which includes measures for preventative detention without warrant.

One tool to help change the mindsets of the public is the Consumers International IP Watch List, which can help policy makers and academics and advocates compare the best and worst practices of various countries. At an earlier session, Carlos Affonso of FGV had used the Watch List to demonstrate the weakness of Brazil’s copyright law on the educational front. Copyright is often characterised as a striking of balance between the interests of creators and consumers, but this rhetoric might be misplaced. In fact creators often benefit from freer sharing by users. Knowledge is an input into creation of works, not just an output from it. Given this, it is important to counter IP expansionism by using laws promoting freedom of speech, competition law, consumer law, privacy law, while framing them within the context of development (as appropriate in various countries), to eventually produce a change in mindsets of people.

Stock-Taking

As Jeremy Malcolm of Consumers International notes in his response to the formal stock-taking process, “the IGF is yet to develop from a simple discussion forum into a body that helps to develop public policy in tangible ways.” This reporter, writing for the Dynamic Coalition on Open Standards, also voted for the continuation of the IGF, “in order to ensure that the WSIS Declaration of Principles, specifically in the important area of open standards, be realised through a multi-stakeholder process.” The IGF is, in a sense, the least bureaucratic of the UN’s endeavours. But certain rules, evolved in inter-governmental settings, might require careful reconsiderations to suit the multi-stakeholder approach that the IGF embodies. The IGF also needs to reach out from being a conference for a few to becoming a place/process for the many.

General Reflections

While this year there were more remote participation hubs (13) than last (11), and the Remote Participation Working Group seems to have done much work and some serious reflection on that work, individual experiences sometimes did not match up with what was perceived as the collective experience (via RPWG’s feedback survey). As a workshop organizer, this reporter was not provided any information about the remote participation tools, nor was there any screening of remote participants’ comments. With the shift from a single (open-source) product DimDim, to two products, WebEx (sponsored by Cisco) and Elluminate, much confusion was created even amongst those in the know since there were two separate tools being used. It is this reporter’s perception that live captioning from the main sessions has been a great success, and will have to be used much more extensively, especially in places where the bandwidth to download streaming video does not exist. Further, they help create very useful quasi-official records of the various workshops and open fora that are held at the IGF. That apart, the suggestions offered by the RPWG (live video feedback from the remote hubs, dedicated remote participation chair in each workshop, etc.) should be worked upon this year to enable those who cannot travel to Vilnius to participate more effectively.

All the sessions that happened around intellectual property rights were highly critical of the present state of IP laws around the world, and were calling for a reversal of the IP expansionism we see from various perspectives (access to knowledge, competition law, etc.). However, it was often felt by this reporter that these workshops were cases of the choir being preached to. Of course, many new people were being introduced to these ideas, but generally there was appreciation but not as much opposition as one is used to hearing outside the IGF. An exception (in the IP arena) was the workshop on open standards, in which there was much heat as well as illumination. Perhaps, a greater effort could be made to engage with people who are critical of the Access to Knowledge movement, those who are critical of privacy being regarded as a fundamental right, and those who believe that cultural relativism (for instance) must find a central place while talking about the right to free speech. After all, when one leaves the IGF, these voices are heard. Those voices must be engaged with at the IGF itself, and a way forward (in terms of concrete policy recommendations, whether at the local level or the international level) must be found. Of course, the problem with the above suggestion is that many of these values are embedded in the WSIS principles, and are taken for granted. But, still, if such debate is not had at the IGF, it might become something much worse than a ‘talking shop’: a forum where not much meaningful talk happens.

Appendix I: Tweets and Dents During the IGF

This is a list of some posts made by the reporter on the microblogging sites Twitter (http://twitter.com/pranesh_prakash) and Identi.ca (http://identi.ca/pranesh) during the IGF.
# @leashaver: Recording of yesterday’s session by the Access to Knowledge ♺ Global Academy: http://trunc.it/3dldl #a2kga #IGF09 #yaleisp 8:55 PM Nov 18th, 2009
# “Great possibilities of #foss, but a disabling, anti-competitive environment has stunted growth of open source software in #Egypt.” #igf09 6:47 PM Nov 17th, 2009
# Excellent set of resources on Access to Knowledge, from @YaleISP: http://tr.im/F8At #igf09 6:37 PM Nov 17th, 2009
# “Tecno brega in Brazil can only be bought from street vendors: good relationship between artists and street vendors.” #igf09 6:30 PM Nov 17th, 2009
# “There is not even a private copying exception in Brazil”, but is still part of “axis of IP evil” for rightsholders #igf09 6:26 PM Nov 17th, 2009
# Tobias: “Even though s/w patents are not allowed by SA law, some large MNC s/w comps found ways of bypassing that & getting patents” #igf09 6:19 PM Nov 17th, 2009
# Case studies from SA: CommonSense project, Freedom to Innovate SA, OOXML v. ODF struggle #igf09 6:18 PM Nov 17th, 2009
# 2 new studies on #a2k from Brazil (http://tr.im/F8tI) and SA (http://tr.im/F8uJ). Also see ACA2K’s outputs: http://tr.im/F8uQ #igf09 6:13 PM Nov 17th, 2009
# ♺ @sunil_abraham: RT @mathieuweill: #igf09 Dardailler : Internet standards are open standards and that makes a difference! 3:57 PM Nov 17th, 2009
# Oops. Wrong URL. It should be: http://threatened.globalvoicesonline.org/ #igf09 3:46 PM Nov 17th, 2009
# Mogens Schmidt of UNESCO praises Global Voices Online. Says defamation & libel laws should not be *criminal* offences. #igf09 3:40 PM Nov 17th, 2009
# http://threatened.globalvoices.org/ helps report on FoE issues with bloggers through crowdsourcing. #igf09 3:24 PM Nov 17th, 2009
# “Along with the right to give out information and opinion is the right to receive information and opinion”: Frank La Rue #a2k #igf09 3:13 PM Nov 17th, 2009
# Schneier: “Before we die, we will have a US President who’ll send a lolcat to the Russian PM” #igf09 2:06 PM Nov 17th, 2009
# Privacy vs. security is a false dichotomy. But any privacy that is taken away in name of security must be turned into accountability. #igf09 1:50 PM Nov 17th, 2009
# All wireless networks now have to be registered in India, and we talk of privacy? @schneier #igf09 1:47 PM Nov 17th, 2009
# RT @rmack Free Expression Online dynamic coalition meeting at 11:30am Egypt time in Siwa Room. http://dcexpression.ning.com #igf09 1:36 PM Nov 17th, 2009
# @OWD: E Daniel, (http://bit.ly/3oFYqu), takes on the myth of the Digital Native, ♺ reveals the shallowness of their native knowledge. #igf09 12:05 AM Nov 17th, 2009
# Commonwealth IGF’s follow-up meeting took time to find out its raison d’etre, but ended on a productive note. #igf09 11:34 PM Nov 16th, 2009
# #schneierfact : Bruce Schneier actually exists! I can see him! 6:53 PM Nov 16th, 2009
# @timdavies: You might then be interested at a report by @cis_india on a different take at DNs: http://tr.im/F3tk 3:29 PM Nov 16th, 2009 from Gwibber in reply to timdavies
# Estonia & Georgia DDoS are famous, but individual NGOs are also being targeted by DoSes. #igf09 3:08 PM Nov 16th, 2009
# Now more online journalists are behind bars than offline ones. #freespeech #igf09 3:07 PM Nov 16th, 2009
# ♺ @aslam: if you get an email from nigeria people will block it because they think that it is spam - reputation #fail #igf09 2:14 PM Nov 16th, 2009
# Many are saying: listen to children; document and share best ICT practices and examples; bridge rural-urban divide as also devel’d-devel’g. 1:57 PM Nov 16th, 2009
# Several British Parliamentarians in the room at the Commonwealth IGF event #igf09 1:56 PM Nov 16th, 2009
# CIGF should look at gaps at IGF and speak to them. Our common legal systems allow for focus on legislations (ie, on data protection) #igf09 1:36 PM Nov 16th, 2009
# “We need to get to a point where access to the Internet is seen as a human right” #igf09 1:27 PM Nov 16th, 2009
# “Intellectual property issues need developing countries to speak in one voice at intl fora. Commonwealth IGF might allow that.” #igf09 1:24 PM Nov 16th, 2009
# “Music aspects of the Internet debates, which gets so much focus, doesn’t have as much relevance in W. Africa as education & health.” #igf09 1:21 PM Nov 16th, 2009
# Commonwealth covers more than 2 billion people. Some whole regions, like E. & W. Africa “have no voice in Geneva & global IGF” #igf09 1:18 PM Nov 16th, 2009

 

Does the Safe-Harbor Program Adequately Address Third Parties Online?

by Rebecca Schild last modified Aug 02, 2011 07:19 AM
While many citizens outside of the US and EU benefit from the data privacy provisions of the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online. As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services was granted levels of protection on par with the provisions set out in EU privacy law. This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United States was deemed incompatible with the EU approach. While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per se, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third parties are being granted increasingly more rights over the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. First, I will argue that the Safe Harbor program does not do enough to ensure that participants are held reasonably responsible for third party privacy practices. Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscure the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1].  The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU.  After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly. 

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving it reach beyond the EU. Article 25 of the Directive states that the EU Commission may ban data transfers to third countries that do not ensure “an adequate level of protection” of data privacy rights [2]. Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefore, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce.

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictions. While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally. In keeping with EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the Safe Harbor program among social networking sites.

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed. These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. The principle of “Notice” sets out that an organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to opt out of having their personal information disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected. The “Onward Transfer” principle ensures that a third party receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is required by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect against the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for which it has been collected, minimizing the risk that personal information would be misused or abused. Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that there is an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are quite clear and enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social networking services have become increasingly clear and straightforward since their inception. Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users of how their information is being used. The privacy policy also explains the relationship between third parties and your personal information, including how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members. In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs. This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google, a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites. Among the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program. The US Federal Trade Commission was quick to initiate an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites. This had included, for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information. The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information. Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues. Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities of social networking sites under the program. For example, Bebo reserves the right to supplement a social profile with additional information collected from publicly available information and information from other companies. Bebo does adhere to the “notice principle”, as it makes known to users how their information will be used through its privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by the Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remain broad and obscured in the privacy policy. It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to have their profiles supplemented by other information sources. Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”? The right to review information held by a social networking site is an important one that should be upheld. This is most notable as supplementary information from outside social networking services is employed to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program. It should also be noted that public interest groups, such as EPIC, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere to the Safe Harbor Program. However, its growing number of third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party. Third parties must either subscribe to the Safe Harbor principles, or be subject to the EU Data Directive. Alternatively, an organization may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles. Therefore, third parties of participating program sites are, de facto, bound by the Safe Harbor principles by way of entering into agreement with a first party participant of the program. This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC.  The safe harbor website also explicitly notes that the program does not apply to third parties.  Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook.  The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent with the Safe Harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”. Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also uses technical measures to ensure that they only obtain authorized information. Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”. Not only are users required to read the privacy policies of every third party application, but they are also expected to report applications which may be in violation of privacy principles. In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the Safe Harbor relies to a great degree on enforcement by the private sector. However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise. Under the Safe Harbor program, Facebook must ensure that the privacy practices of third parties are adequate. However, at the same time, the company may simultaneously waive its responsibility for third party compliance with Safe Harbor principles. Therefore, it remains questionable as to where responsibility for third parties exactly lies. When third parties are not directly answerable to the governing bodies of the Safe Harbor program, and when first parties can waive responsibility for their practices, where does the incentive to effectively regulate third parties come from?

While Facebook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed is worrisome. Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as it does. However, in practice, this has yet to become the case. A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection” [5]. For example, section 9.2.3 of Facebook’s “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”.

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to their personal information, including that of their friends [6]. After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites. This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly post privacy policies, many of the provisions set out in these policies were questionable vis-à-vis safe harbor principles.

For example, Zynga, maker of the popular games Mafia Wars and Farmville, reserves the right to “maintain copies of your content indefinitely”. This practice is contrary to the Safe Harbor principles, which state that information should not be kept for longer than required to run a service. Electronic Arts also maintains similar provisions for data retention in its privacy policy. Such practices are all the more worrisome in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement the profiles they hold. This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games. It is also notable that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model. Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of its applications. This calls into question whether industry self-regulation can really guarantee that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or understanding held by citizens about how third parties use their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches. The same is likely to be true for governments, too. As one legal scholar, promoting a more laissez-faire approach to third party regulation, notes, multiple and invisible third party relationships present challenges to traditional forms of legal regulation [7].

In an “open” social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to regulate effectively. While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies and public interest groups have focused most attention on large industry players such as Facebook. This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern. If one thing has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties’ data collection practices effectively. Imposing more stringent responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties. However, it is not unreasonable to require sites like Facebook to go beyond setting “minimum standards” for data privacy, towards more active enforcement, even if through TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participants to simply waive the liability for third party privacy practices. The indemnity granted to third parties on social networking sites may render the safe harbor program more effective in sustaining the non-liability of third parties than in protecting the data privacy of citizens.


[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisti, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] The privacy policies browsed include those of Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically  opt out of this practice.

[7] See Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal.

Feedback to the NIA Bill

by Elonnai Hickok last modified Mar 21, 2012 10:14 AM
Malavika Jayaram and Elonnai Hickok introduce the formal submission of CIS to the proposed National Identification Authority of India (NIA) Bill, 2010, which would give every resident a unique identity. The submissions contain the detailed comments on the draft bill and the high level summary of concerns with the NIA Bill submitted to the UIDAI on 13 July, 2010.

The UID draft bill is a proposed legislation that authorizes the creation of a centralized database of unique identification numbers that will be issued to every resident of India.  The purpose of such a database is characterized as ensuring that every resident is provided services and benefits. The UID project was first set up and introduced to the public in February 2009 by the planning committee.    In June 2010, a draft bill was proposed which attracted public debates and opinions for over two weeks. Currently the bill is being considered by Parliament in the winter session (July-August 2010). If the Parliament of India approves the bill, it may be enacted during Winter 2010.

CIS has closely followed the UID project and reviewed the bill right from the time when it was first issued, and has worked to initiate and contribute to a public debate, including attending workshops in Delhi on 6 May, 2010 and in Bangalore on 16 May, 2010.

We respect the fact that civil society has many voices. That said, in our criticisms, suggestions, and analysis of the UID draft bill, we are asking for a simple, well-defined document, the language and structure of which expressly precludes abuse of a centralized identification database. The document should provide solely for its stated purpose of enabling the provision of benefits to the poor. Along with this mandate we believe the document should give clear rights of choice, control, and privacy to the Aadhaar number holder. Below is a summary of our general comments with citations to specific sections of the draft bill. A detailed section by section critique is attached along with our high level summary of concerns. The compilation and synthesis of detailed critiques was done by Malavika Jayaram.

Summary of High Concerns 

Clarity of Definition and Purpose

Most importantly, we find that in order to adhere to the stated purpose of the bill there is a need to limit and better define language in the relevant sections of the bill. This includes the powers and purpose of the Authority and the overarching scheme of the bill. We are concerned that the over-breadth and generality of the language will open up the opportunity for more information to be collected than originally stated. Further, clearer definition will act to prevent uncontrolled or unwanted change in the project’s scope, and will clearly limit the usage of the Aadhaar numbers to the facilitation of the delivery of social welfare programs.

For the bill to be in line with its original purpose of reaching out to the poor, we also believe the issue of fees must be addressed. We find that there is an inadequate definition in the bill of what fees shall be applied for authentication of Aadhaar numbers. We also find that it is incompatible with the bill’s stated purpose to require an individual to pay to be authenticated. The bill should provide that no charges will be levied for authentication by registrars and other service providers for certain categories of Aadhaar number holders (BPL, disabled, etc.), and that charges will be limited/capped in other cases. This will bring the bill in line with the statement in Chapter II 3 (1), “Every resident shall be entitled to obtain an Aadhaar number on providing his demographic information and biometric information to the Authority in such a manner as may be specified by regulations”, and Chapter 3 (10), “The Authority shall take special measures to issue Aadhaar numbers to women, children, senior citizens, persons with disability, migrant unskilled and unorganized workers, nomadic tribes or such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations.” If a fee must be permitted, a cap/safeguard should be put in place to ensure that the fee does not become a mechanism of abuse.

Protection of the Citizen

The bill should ensure the protection of citizens’ rights to privacy and freedom of choice. To do this it is important that the bill is voluntary, allows for the protection of anonymity, and is clear on how data will be collected, stored and deleted. Measures should be taken towards ensuring that the Aadhaar number is truly voluntary. Accordingly, a prohibition against the denial of goods, services, entitlements and benefits (private or public) for lack of a UID number – provided that an individual furnishes equivalent ID – is necessary. The bill should also spell out the situations in which anonymity will be preserved and/or an Aadhaar number should not be requested, such as those concerning a person’s sexuality/sexual orientation and marital status/history. Furthermore, the bill should require the Authority, registrars, enrolling agencies and service providers to delete/anonymize/obfuscate transaction data according to defined principles after appropriate periods of time in order to protect the privacy of citizens.

Motivations of the UID Bill

Since the submission of the high level summary, we note that a list of 221 agencies empanelled by the UIDAI has been uploaded onto the website (by a memo dated 15 July, 2010). A swift reading reveals that most of the agencies who are going to help enroll people into the UIDAI system are not NGOs, CSOs or other welfare oriented not-for-profit entities; rather, they are largely IT companies and commercial enterprises. This begs the question as to whether the UID scheme/Aadhaar is truly geared towards delivery of benefits and inclusivity of the poor and marginalized. Already concerns have been voiced that the “ecosystem” of registrars and enrolling agencies contemplated by the scheme, to the extent that it envisages a public-private partnership, could firstly, be “hijacked” or “captured” by commercial motives and result in sharing of data, security breaches, compromised identities, loss of privacy, data mining and customer profiling, and secondly, end up neglecting the very sections of society that the scheme allegedly most wants to help. The list of empanelled companies makes this even more likely and imminent a concern. Without casting aspersions on any of those entities, we would like to highlight that this sort of delegated structure raises several concerns.

Additionally, we find the speed and efficiency with which the UIDAI juggernaut is signing MoUs with states, banks and government agencies on the one hand, and issuing tenders, RFPs, RFQs and otherwise seeking proposals and awarding contracts to private entities on the other – in the absence of any Parliament-sanctioned law (the bill is still a draft, and yet to even be placed before the Parliament) – to be alarming. Along with news of the increasing costs of the project and doubts about how foolproof the technology will be, it is staggering to imagine that something that raises so many concerns is being pushed through without a more serious debate. The lack of formal procedures and open debates makes one wonder how democratic the actual process is.

Conclusion

To conclude, CIS believes that the UID bill threatens the rights of citizens in India, and appeals to the citizen to think critically of its implications and consequences.

1. Detailed Summary pdf (159kb)

2. High Level Summary (77kb)

Civil Liberties and the amended Information Technology Act, 2000

by Malavika Jayaram — last modified Mar 21, 2012 10:13 AM
This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out that while most countries of the world are adopting plain English in place of conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is an improvement over the old Act and seeks to address and improve on certain areas in the right direction, but it still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one, making it an abnormal document, and this could have been averted if there had been some attention to detail.

After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.

Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most important is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.

Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.

An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and providing a workable, if temporary, data protection regime.

However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:

  • define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),
  • fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data), 
  • apply equally to data stored offline and manually as to data stored on computer systems, 
  • distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller), 
  • impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),
  • give clear guidelines on the purposes to which that data can be put and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),
  • require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data, 
  • ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,
  • cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication),
  • impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and
  • create safeguards and penalties that are well tailored to breaches of any of the above.

Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:

  • the term ‘sensitive personal data or information’ is used indiscriminately without any definition,
  • the provisions only cover electronic data and records, not data stored in non-electronic systems or media,
  • they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,
  • in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,
  • civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),
  • similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.

For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries.  It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation. 

In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of the penalties placed on crimes committed in cyberspace compared to crimes committed in the here and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.

While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and  the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:

Pre-censorship

Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.

These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…in any case of an emergency nature, for which no delay is acceptable…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued without giving (him) an opportunity of hearing. There are those who think that, given the events of 26/11, this is wholly justified, but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, do not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.

Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.

Privacy and surveillance

This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information,  the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).

Some of the broad concerns in relation to interception, monitoring and decryption (section 69) are that:

  (a) there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,
  (b) the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,
  (c) the penalties for non-cooperation are extremely harsh, especially given the absence of (a) and (b) above,
  (d) these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.
  (e) the rules made in relation to monitoring, interception and decryption offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…extreme secrecy…” and “…utmost care and precaution…” in the matter of interception, monitoring or decryption of information “…as it affects the privacy of citizens…”!!!!

In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.

Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:

  (a) injury to decency,
  (b) injury to morality,
  (c) injury in relation to contempt of court, and
  (d) injury in relation to defamation.

This would almost be laughable if these grounds were not enacted into law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious cause, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.

In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.

 

UID Project in India - Some Possible Ramifications

by Liliyan — last modified Mar 21, 2012 10:13 AM
Having a standard for decentralized ID verification rather than a centralized database that would more often than not be misused by various authorities will solve ID problems, writes Liliyan in this blog entry. These blog posts to be published in a series will voice the expert opinions of researchers and critics on the UID project and present its unique shortcomings to the reader.

Researchers at CIS have been grappling with the UID project from research, advocacy, and legal standpoints, though all approach it from their own perspective and opinions are rarely duplicated. In an attempt to make their expert opinions more accessible to readers, a series of blog posts, this being the first, will be put up. These posts will not, and cannot because of their length and format, try to address all the possible issues the UID poses. However, they will present the bare bones of the arguments and research questions that the independent voices at CIS see as crucial. These posts will also ask many more questions than they answer, in an attempt to spur further dialogue about the UID project.

Central to understanding the nature of the UID project and its possible ramifications is the idea that technology is not merely a tool to be used by an unchanging, monolithic state. In fact, its very adoption can create ripple effects throughout the apparatus of the state. When the state adopts a mainstream and ubiquitous technology, the structure of the government and methods of governance change. These changes are not always so dramatic as to be immediately noticeable without some informed inspection, but if one considers the way the state and the citizen interact, the significance of these changes becomes starkly apparent. Can we trust the government to use touch screen voting machines like the ones we see every day at the bank? Do government surveillance cameras make us safer or introduce worrisome intrusion into our privacy, or both? Technology is not as neutral as it appears. That is not to say that it is inherently good or bad, but that it is not inert; it is transformative in nature.

The nation state as we know it is built on the printed word, or at least analogue technology. The ways in which we codify, distribute, and assimilate information have, for centuries, been dominated by the printing press. With the introduction of “database governance” there will inevitably be a shift, and a radical one at that. The Indian government has announced its intention to move towards “SMART” (simple, moral, accountable, responsive and transparent) governance, and this implies both an acceptance of the neo-liberal philosophy of government and techno-governance. To achieve a new level of transparency, accountability, and responsiveness, the move towards e-governance could be a major turning point, but how does this shift complicate and change the citizen-state relationship in India? How does this change shift the relationship of India with the rest of the international community?

The UID and Shifts in the Citizen-State Relationship

One way that the citizen-state relationship will change with the shift towards techno-governance, specifically in regard to the UID project, is that the UID posits the state as both the safe-keeper and arbiter of identity. Proponents of the UID project are adamant that it is a voluntary program, but even the UID website states that “in time, certain service providers may require a person to have a UID to deliver services”. As the UID becomes increasingly ubiquitous, could not having a number mean being cut off from some or many of the basic privileges of citizenship if one's identity is becoming more difficult to verify? If having a UID number is the most prominent marker of identity, then it is through state definition, arbitration and upon the state's technical capacity that all will rely.

Moreover, how do we begin to address the privacy issues raised by technological advances in relation to non-changing legal structures? What does it mean to capture all this identity data without introducing new privacy legislation to protect the citizen? Without new legal accommodation, otherwise benign processes like a statistical census can become a potent tool in a shift towards a police state. As state apparatuses shift, there must be some paradigmatic shift in law to accompany these new technologies and government roles.

If the state transforms through the integration of e-governance forms, then there will inevitably be a recalibration of the relationship between the state, the market, and the citizen. Traditionally the separation of these entities creates arbitration and within a development paradigm there is dynamic, active triangulation. One way we can see this triangulation is through government intervention in markets on behalf of the citizen. There are certain spaces of consumption, for example, such as a cinema where state intervention against discrimination creates a marker for citizenship. That is, because I am able to access a cinema without discrimination, as one of my constitutional rights, this demonstrates my citizenship. However, with the introduction of public-private partnerships, or PPPs, the fact of having multiple stake-holders of political economy allows for the state to disinvest in the production and delivery of certain public services. Satisfying the needs of the citizen for services like sanitation, public education, delivery of power and clean water, maintenance of infrastructure like roads and bridges, can be handed over to corporate entities. The Indian government has enthusiastically embraced PPPs as a way to bring needed capital to the infrastructure demands that accompany their economic growth goals. However, how does this kind of task delegation affect transparency and accountability? If the state decides to stop producing or supplying a good or service, and instead turns this over to a corporation, can the mechanisms for state oversight realistically be trusted to make sure quality and accountability are not adversely affected and rectify the situation if they are? Where does the citizen come into all of this, in terms of what they stand to gain and lose?

The Definition of Citizenship and the UID

As the state and the market enter into new relationships the definition of citizenship changes. If the citizen is seen as the intended beneficiary of state programs, this new relationship between state and market begs the question “Who is subject to (or the subject of) the state?” When the corporate sphere creates micro-financing that helps farmers, they may help the people at the bottom of the economic pyramid manage their debt, but does it necessarily address the problems that created the debt in the first place? How does the market mediate the citizen-state dialogue? As the state and the market enter into new relationships there is a recalibration of the citizen-government relationship. Do market demands for an e-literate consumer put pressure on the state to create one where one did not exist before, and if so, can this not have profound implications for the definition of citizenship?

Part of the movement towards e-governance is signalled by the fact that there has been a shift away from state-sponsored literacy campaigns to e-literacy programs. Does this use of information and communications technology for development (or ICT4D) alienate significant portions of the population? Can such programs in fact widen the digital divide? With the introduction of e-governance the state asks the citizen to participate in governance by creating new avenues for civic participation, such as providing databases of information pertaining to the state that are freely accessible for analysis and manipulation by anyone with the skills to do so. But, if this makes it impossible for some portions of the citizenry to communicate effectively with the state, does this run the risk of making certain, traditional forms of citizenship redundant? How are people with low literacy and little or no access to the necessary technologies supposed to communicate with this new high-tech bureaucracy? Will those who cannot navigate the new systems be inadvertently relegated to second-class status?

This is of particular concern when thinking about the UID project. To properly manage and distribute social services, ID management in some form is crucial. However, when trying to make sure services are properly delivered to the uneducated poor, the danger of digital-analogue slippage that is not in their favour increases, and accountability is not necessarily adequately addressed. For example, if I am an illiterate farmer entitled to a certain ration and the person conducting the transaction decides to defraud me, they can easily ask me to authenticate my biometrics, make it appear that they have simply been checking my identity when they have actually fooled me into authenticating the “completed” transaction, and then tell me that the computer says I've already received my share, that I'm only entitled to half of the normal amount, or some other such lie. In this scenario, how would I know this person wasn't telling me the truth? If they lie using a simple ledger, I can take the ledger itself or a copy of it to a literate friend and have them help me navigate the situation. I can seek redress and substantiate my claims more easily if I am not alienated by the technologies being used. Technologies can be empowering or dis-empowering depending on their application. How then, do we balance the demands of the market and the duties of the state against the rights of the citizen? Or rather, how do we apply technology in such a way that the demands of the market and the duties of the state mutually balance each other?

Centralization and Cost-effectiveness of the UID 

While ID management is indisputably important, it does not require a centralized database. In the US there are multiple pieces of information, stored in separate databases, that can be used to authenticate a transaction. No one can open a bank account with just a social security insurance number. You also need a separate form of ID, often two, that can be used to verify identity. In this way, the SSI number is a bit like a “username” and the other forms of ID, driver's license or passport, function like a corresponding “password”. With the UID project, however, the “username” (the number itself) and the “password” (the number holder's biometrics) are stored in the same place. Thereby, should the database be in some way compromised, all the information needed to verify and complete transactions would be available. If storing this information in a central database is really a good idea, then one must also accept the premise that merging all existing email servers into one monolithic server is also a good idea. Furthermore, centralization is not only more dangerous, it is totally unnecessary. Trillions of dollars worth of trade take place every year using PIN numbers issued by banks and verified without the verifying data being centralized. Having a standard for decentralized ID verification, rather than a centralized database, would solve ID problems without creating a database that would be vulnerable to attack.

There are lots of examples of governments implementing costly safety measures that don't actually make anyone safer. Take for example the cameras put up all over London to monitor the movements of people. Unfortunately, something as low-tech as a hooded sweatshirt can thwart these attempts at surveillance. Moreover, if I am a criminal, I am going to make it a priority to know where the cameras are so that I can strategically avoid them. Another example is the millions of dollars the U.S. government spent on putting an armed Federal Air Marshal on every flight, post 9/11. While traditional intelligence gathering has thwarted other attempted attacks since 9/11, Air Marshals have not been responsible for stopping any. Simply because the UID project is more technologically advanced does not make it more effective. It seems to greatly increase the risk of fraud that there can be so many separate biometrics machines scattered in different places to verify so many transactions. Having the machines sequestered in private businesses where they will not be constantly monitored or regulated seems to be both costly and easily subject to tampering. It seems to make more sense to have, say, one central, monitored machine per so many people that could be used to settle identity disputes when they arise rather than making the technology a part of every transaction.

Infallibility and Circumvention of the UID

The UID is not infallible and circumvention will certainly be a problem with the project. We find an analogy in the field of digital rights management. If I copy an mp3 without permission or payment, that is illegal. Digital rights management law was introduced to stop this practice, but it was circumvented. This legislation has not stopped the first crime. It has merely created a second, that of circumventing the law. The UID, in so far as it may be used to try to stop the crime of illegally siphoning resources such as, for example, grain intended to go to the poor, cannot stop people from circumventing the system. Circumventing the UID will be a crime. If doing so were truly impossible there would be no need to criminalize it. So the UID may not prevent the initial crime of siphoning, while introducing another.

There are basically two types of circumvention that are possible, though they might present themselves in various different forms. “Type A” or “the Mission Impossible” kind of fraud might involve fake thumb prints and contact lenses being worn by someone trying to fool the person conducting the biometric authentication. “Type B” occurs when the person operating the biometrics machine is working to defraud the system, most likely with one or many accomplices.

“Type A” involves one dishonest person, who is trying to access someone else's account or a ghost account, and there are various proposed methods to guard against this type of fraud. To guard against people using fake thumb prints, the biometrics machines will measure the heat of the thumb as well as the image of the thumb. With the iris scan, there will be a pulse of light to cause contraction in the iris so that a contact lens, which cannot adjust for light, can be detected. All of this will drastically raise the price of the machines in question. It is hard to imagine farmers and labourers defrauding the system with elaborate biometric defrauding devices, so these expensive machines are much more appropriate for monitoring the top of the economic pyramid, who steal in larger sums and have more sophisticated technology at their disposal.

“Type B” involves dishonesty either by the person in control of the biometric authentication, or both that person and others. This seems to be a much more likely and problematic scenario. Right now, bank accounts that are not connected to a name are regularly created so that people can cheat the tax man. Since the bank profits from these accounts, it's in the bank's interest to help people set up such accounts. Ghost ID numbers, and things like bank accounts that are connected to them, can still be produced with biometrics. How is this possible? Well, to make it possible for so many biometric authentications to happen every day, the whole set of ten finger prints won't be sent. That would be way too much data. So, instead of overwhelming the channels, only one thumb print will be sent. Even that many thumb prints would be an information overload, so each thumb print's image will be reduced to a set of 30 data points that will be compared against the original scans. So, where is there a possibility for fraud? When the scan of the finger is taken and the image is rendered. If someone wants to create a ghost ID they only have to manipulate this image, like with a Photoshop filter, and alter the data points. Once I've created a set of biometric markers that doesn't connect to anyone, I can conduct transactions for a ghost. One can easily imagine a market emerging for ghost IDs. People might start trying to pay foreign tourists for their biometric information, which could be sold to a local office. There are certain settings where biometrics works well, for example, at an airport. There, everything is under constant video surveillance. If someone were to tamper with or try to replace the machinery it would be quickly noticed by the cameras. Even if it weren't, different people would routinely be operating the same machine and this would be an added safeguard against fraud.
However, at a bank, or any place where the machines used for verification are operated behind closed doors it is quite likely that the technology will be abused.  This abuse could easily go unnoticed, because the draft UID bill has proposed strict accountability measures for the Authority, and has conveniently overlooked extending these to collecting and enrolling agencies.

Digital/Analogue Slippage

There is always the possibility of digital/analogue slippage or, more simply put, the computer records not reflecting what actually happened even if no fake identity was used. This happens all the time in IT buildings in the form of tailgating. Four people go out to lunch together and as they re-enter the building they're supposed to each swipe their ID card individually. It is easier and faster for one person to swipe for everyone so, despite signs discouraging this behaviour, this is a common occurrence. If you were to try to analyse the data collected after a day of such comings and goings it would be indecipherable. 

I can also authenticate my biometrics, in order to authorize a transaction, without the transaction actually being complete. Let's say I'm a poor farmer entitled to a ration of 10 kilos of grain. The person who is supposed to give me the grain is not an honest person and insists that I authenticate the transaction before he or she gives me my ration. I do what I'm told but only receive 5 kilos. The computer record shows that I have gotten my full ration, so I have no grounds to contest. In this scenario, more complex technology does not necessarily mean greater accountability. Furthermore, even if I am illiterate, if there is a simple ledger that has recorded the transaction, I can physically take the ledger or a copy of it and show it to some literate person willing to help me. If the only record of the transaction is in a database that I can't access or can't understand, it will be even more difficult for me to seek help. Moreover, if I don't understand the technology and the shop owner decides not to give me the grain at all, they can simply say “Oh, I'm sorry, your account has been denied” or “The computer says you've already been given your ration” and I have little chance of successfully negotiating that situation. Built into this example is the disadvantage that the illiterate and the computer illiterate face when dealing with this technology, but this is not necessarily always present in cases where digital/analogue slippage causes confusion or complication.

Commonly, things are bought by or registered to one person and used by another. For example, in a small office building, all the phone lines and computers may have been bought in the name of one person. Each office worker will not buy their own computer or equipment, but instead the computers will be bought in the name of the person who runs the organization or an administrator with financial authority. If someone in the office uses their computer to make a bomb or store child pornography, who is accountable? This is the problem when there is digital/analogue slippage.  There is the digital record of events and then things as they really are, which are not always identical, and there is no accountability or safeguard against mistake. In the context of the UID, the possibility of such slippage is too high, and will work against the goal of delivering benefits to the poor instead of facilitating it.

Does the Government want to enter our homes?

by Sunil Abraham last modified Mar 21, 2012 10:12 AM
When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.

What? Me worry about the blackberry imbroglio?
If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.

Many internet observers say that the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?

And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?

Isn’t this a lost cause already?
Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes. 

The privileged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.

We don't know how much they know about us!
The average reader might not be aware of the access that the Indian government has to his/her personal information. 

To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record SMS and voice call traffic by working in partnership with ISPs and telecom operators.

This is legalised through ISP licence agreements, which require ISPs to provide monitoring equipment that can be used by various law enforcement and intelligence agencies. There is no clear policy on data retention.

Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived for anywhere between three months and a year.

Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they retain it for posterity for market research?

In the absence of a privacy law, the Indian citizen can only make intelligent guesses.

Encryption is our friend
As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme. 

She would use the same key as I did to unencrypt the message, i.e., substituting each letter of the alphabet with the next/previous one.

If someone was able to intercept the key, then all communication between us in both directions would be compromised.

Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.

Only she would be able to unencrypt the message by using her private key. The size of the key (40-bit, 128-bit, 256-bit, etc.) determines the strength of the encryption.

The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination, just as you would with an old suitcase.

The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.
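The key search described in this section, as an added example that is not part of the original article: a Python sketch of the next-letter substitution scheme, a brute-force search over its 25 possible keys, and an estimate of how exhaustive-search time grows with key length. The sample note, the word list and the guessing rate of 10^12 keys per second are assumptions made for the illustration.

```python
"""Added illustration: shift-cipher key search and key-size scaling."""
import string

# Constructed sample message and word list (assumptions, not from the article).
SAMPLE_NOTE = "meet me after class in the library"
COMMON_WORDS = {"the", "me", "at", "after", "meet", "class",
                "library", "you", "in", "is"}


def shift(text: str, key: int) -> str:
    """Shift every ASCII letter by `key` places; leave other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Symmetric scheme: the sender shifts forward by the shared key."""
    return shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """The receiver shifts back by the same shared key."""
    return shift(ciphertext, -key)


def score(candidate: str) -> int:
    """Count how many words of a candidate plaintext look like English."""
    words = candidate.lower().split()
    return sum(1 for w in words if w.strip(string.punctuation) in COMMON_WORDS)


def brute_force(ciphertext: str) -> tuple[int, str]:
    """Try all 25 non-trivial keys and return the best-scoring (key, plaintext).

    An interceptor needs no knowledge of the key: the keyspace is so small
    that every candidate can be tried and scored in well under a millisecond.
    """
    best = max(range(1, 26), key=lambda k: score(decrypt(ciphertext, k)))
    return best, decrypt(ciphertext, best)


def expected_years(bits: int, guesses_per_second: float = 1e12) -> float:
    """Average time to find a `bits`-bit key by trying keys one after another.

    On average half the keyspace (2**bits / 2) is searched. The default rate
    is an assumed figure for a well-resourced attacker. This models exhaustive
    search over a symmetric key; asymmetric keys are attacked with different
    mathematics, so their lengths are not comparable bit for bit.
    """
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    note = encrypt(SAMPLE_NOTE, 1)  # "next letter" key, as in the article
    print("ciphertext :", note)
    print("recovered  :", brute_force(note))
    for bits in (40, 128, 256):
        print(f"{bits:3d}-bit key: ~{expected_years(bits):.3g} years on average")
```

Each extra bit doubles the search, which is why a 40-bit key falls in under a second at the assumed rate while a 128-bit key does not fall in any practical time.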

How does Blackberry encrypt differently?
Other smart phone providers like iPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.

Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.

The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.

Then, GoI could be worried if western intelligence agencies are eavesdropping.

How will this end? Will Blackberry leave?
Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example, Blackberry has now ‘resolved’ security problems with Saudi Arabia.

I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.

They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.

What the Blackberry dilemma is showing us is that the social cost of the electronic Big Brother will be steep, as it should be.

To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.

Read the article in Pune Mirror

Control Shift?

by Pranesh Prakash last modified Aug 02, 2011 07:22 AM
The USA has ceded control of the Internet over to ICANN, but only partially. (This post appeared as an article in Down to Earth, in the issue dated November 15, 2009.)

After dominating operations of the Internet for decades, Washington has said it will relinquish some control. On September 30, the US department of commerce decided to cede some of its powers to the Internet Corporation for Assigned Names and Numbers (ICANN), the body which manages the net’s phone book, the Internet’s Domain Name System (DNS).

The system deals with online addresses: human understandable names (like google.com) are made to work with computer understandable names (81.198.166.2, for example). Managing this is critical because while Madras can be a city in both Tamil Nadu and Oregon, everyone wishing to go to madras.com must be pointed to the same place. For the Internet to work, everyone in the world must use the same telephone directory.

The Internet is not a single network of computers, but an interconnected set of networks. What does it mean, then, to control the Internet? For those wishing to access YouTube in late February 2008, it seemed as though it was controlled by Pakistan Telecom—the agency had accidentally blocked access to YouTube to the entire world for almost a day. For Guangzhou residents, it seems the censor-happy Chinese government controls the Internet. And for a brief while in January 1998, it seemed the net was controlled by one Jon Postel.

Postel was one of the architects of the Internet, involved from the times of the net’s predecessor, the ARPANET project, which the US department of defence funded as an attack-resilient computer network. He was heading the Internet Assigned Numbers Authority (IANA), an informal body in de facto charge of technical aspects of the Internet, including the domain name system. But IANA had no legal sanction. It was contracted by the department to perform its services. The US government retained control of the root servers that directed Internet traffic to the right locations.

On January 28, 1998, Postel got eight of the 12 root servers transferred to IANA control. This was when the defence department was ceding its powers to the commerce department. Postel soon received a telephone call from a furious Ira Magaziner, Bill Clinton’s senior science adviser, who instructed him to undo the transfer. Within a week, the commerce department issued a declaration of its control over the DNS root servers; it was now in a position to direct Internet traffic all over the world.

Soon after, the US government set up ICANN as a private non-profit corporation to manage the core components of the Internet. A contract from the department of commerce gave the organization in California the authority to conduct its operations. IANA and other bodies (such as the regional Internet registries) now function under ICANN.

Right from the outset, ICANN has been criticized as unaccountable, opaque and controlled by vested interests, especially big corporations which manipulated the domain name dispute resolution system to favour trademarks. Its lack of democratic functioning, commercial focus and poor tolerance of dissent have made ICANN everyone’s target, from those who believe in a libertarian Internet as a place of freedom and self-regulation, to those (the European Union, for instance) who believe the critical components of the Internet should not be in the sole control of the US government.

The department of commerce has from time to time renewed its agreement with ICANN, and the latest such renewal comes in the form of the affirmation of commitments (AoC). Through the AoC, the US government has sought to minimize its role. Instead of being the overseer of ICANN's working, it now holds only one permanent seat in the multi-stakeholder review panel that ICANN will itself have to constitute. But two days after the AoC, ICANN snubbed a coalition of civil society voices calling for representation; the root zone file remains in US control. It is too early to judge the AoC; it will have to be judged by how it is actualized.

CDT Provides Answers to Questions on Internet Neutrality

by Pranesh Prakash last modified Jun 04, 2012 05:56 AM
Pranesh Prakash of CIS asked David Sohn of CDT a few pointed questions on the emerging hot topic of 'Internet neutrality', and received very useful responses. Those questions and Mr. Sohn's responses are documented in this blog post.

As part of the Centre for Democracy and Technology's (CDT's) excellent "Ask CDT" initiative, we were provided the opportunity to clear up some of our doubts around "net neutrality" (which CDT prefers referring to as Internet neutrality rather than network neutrality) by asking an expert: David Sohn, CDT's Senior Policy Counsel.  Reproduced below are the questions that I asked (inset and in gray), and David's replies (provided below each question).  Some of the questions I asked below were doubts that I had, while some others are instances of donning the roles of devil's advocate.  We hope this will be helpful in clarifying doubts that some of the readers of this blog have had as well.

1a. "As far as I can understand, content distribution networks (CDNs) such as Akamai, don't really fall within your understanding of violations of Internet neutrality. Why not? In what cases is 'spending more to get faster speeds' permitted for content hosts? Since not only specialised companies like Akamai, but regular Tier 1 companies like Level3 and AT&T also engage in CDN-like behaviour, does it make it more liable to illicit/underhand/non-transparent service differentiation techniques?"

1a. That's correct, CDNs don't violate either Internet neutrality principles or the FCC's recent rules. I talked about this at some length in a blog post a couple years ago. The short answer is that Internet neutrality does not aim to guarantee that all online content and services will work equally well, but rather to prevent ISPs from exercising "gatekeeper" control with respect to their subscribers. Thus, content providers who have money can purchase various advantages -- for example, more or better servers, upgraded software, or caching services from a CDN such as Akamai. Significantly, things like servers and caching are available from competitive sources; no supplier has gatekeeper control. In contrast, priority treatment on the transmission facilities serving any given Internet user is an advantage that only that user's ISP could provide. Another difference is that when one content provider purchases caching, it doesn't slow anybody else's traffic (indeed, it could speed it up, since it may help reduce overall network congestion). By contrast, when an ISP designates favoured traffic for priority transmission, non-favoured traffic by definition is de-prioritized. Think about a line of "bits" waiting in a router queue -- if you let some bits "cut in line," it inevitably lengthens the wait for those who don't get to cut. Given CDT's general comfort level with CDNs and the existence of competitive offerings in the marketplace, I'm not too concerned about who provides the service (Akamai, Level3, AT&T, etc.). It doesn't seem to be a case of the ISP leveraging its unique control over access to subscribers.

1b. "A large part of the claims of Internet neutrality supporters are founded on the basis of 'dumb networks', which can also be seen as a reformulation of the end-to-end principle. A question arises, which is often posed by the likes of Dave Farber, Bob Kahn and Robert Pepper: why should we stick dogmatically to the end-to-end principle when embedding 'intelligence' in the core is/will soon be a viable option *without* jeopardising the simplicity of the Internet? If you are fine with CDNs, then are you fine with a partial supplanting of the dogmatism of the end-to-end principle (because, after all, CDNs are in a sense, intelligence in the core rather than in the edges)?"

1b. I don't think that supporting Internet neutrality requires a dogmatic opposition to any and all built-in "intelligence" in the network. Certainly a strong case can be made for handling certain network management matters, such as some cyber security issues, at the network level. I get concerned on neutrality grounds not by the mere existence of "intelligence" in the core, but by the use of that intelligence to make judgments and decisions about which applications and services are most important or most in need of special treatment -- as opposed to remaining application-agnostic or, in the alternative, leaving the decision to end users. Intelligence that is put in the service of end users, allowing the users themselves to make judgments about what to prioritize, does not concern me at all. But if the network-level intelligence results in broader reliance on centralized evaluation and categorization of the type or content of Internet communications, and centralized decisions about what to favor or disfavor, then I think it poses a neutrality problem. The bottom line is, the idea that networks could benefit from some built-in intelligence does not argue for giving ISPs unbounded discretion to discriminate among traffic. Indeed, a network that empowered users themselves to determine the relative priority levels of their traffic based on their individual needs would be far "smarter" than one in which ISPs make broad, across-the-board choices.

2. "What is the bright-line rule that separates some IP-based networks that are 'private' (and hence free to do as they please), and others that are part of the 'Internet' (and hence need to follow Internet neutrality)? Where does IPTV fall? (While answering that question, think not only of present-day IPTV, but keep in mind its potential applications.) Where do 'walled gardens' of the WWW fall?"

2. In CDT's view, Internet access service provides a general-purpose ability to send and receive data communications across the Internet. Other services could be exempt from neutrality rules if they serve specific and limited functional purposes and have limited impact on the technical performance of Internet traffic. CDT's comments to the FCC went into considerable detail -- see, for example, the comments we filed in October. The FCC rules took a similar but not identical tack, saying that Internet access services are services that provide the capability to send and receive data "from all or substantially all Internet endpoints" or that provide a functional equivalent of such a service. In any event, the question of how clear the line is between Internet access services that are subject to neutrality rules and other services that are not is an important one that will bear close watching over time. As for IPTV, it offers a specific function -- access to video programming -- rather than general purpose access to the entire Internet. So IPTV can be distinguished from Internet service. As for "walled gardens," it likely would depend how large the garden is. If the garden seeks to offer a wide enough variety of sites that it can be used as a substitute for Internet access, then the FCC could choose to apply neutrality rules. At some point, a garden can become big and general-purpose enough that it is effectively serving as a non-neutral version of an Internet access service. That kind of end-run around neutrality rules shouldn't be allowed.

3a. "Should Internet neutrality be kept at the level of non-enforceable (but still important) enunciation of principles, or should they be enforceable laws? In either case, who has the authority to regulate Internet neutrality, given the non-territoriality of the 'Internet' (and especially keeping in mind the direction that ICANN's been taking with things like the Affirmation of Commitments). Why should the FCC have such powers? Why should any American governmental body have such powers?"

3a. It is important to have some enforceable rules. The FCC enunciated principles back in its 2005 broadband Policy Statement -- but when the agency tried to act after Comcast violated those principles, a court ruled that the FCC had no ability to do so. Enunciated principles are of little value if ISPs are free to violate them without consequence. For U.S. Internet users, I think the FCC is an appropriate agency in which to lodge the authority to police neutrality violations; the FCC has a long history of working to ensure that providers of physical communications infrastructure do not abuse their position. And since the focus is on the provisions of physical communications connections, I don't think the territoriality issue you raise is a major problem. The United States has the authority to establish rules for companies providing last-mile communications links to U.S.-based subscribers. The Internet is of course a global medium, but the endpoint connections have a clear geographic location.

3b. "If Internet neutrality is really about ensuring fair competition (so an ISP doesn't promote one company's content), then why not just allow competition law / anti-trust law to ensure that fair competition? What are the lacunae in global competition laws that necessitate the separate articulation of 'Internet neutrality' principles/rules?"

3b. The ability of antitrust law to protect Internet openness is pretty limited. Absent a clear anticompetitive motive, network operators likely could curtail Internet openness in a variety of ways without running afoul of antitrust law. Antitrust’s prohibition against anticompetitive conduct is a far cry from any kind of affirmative policy to preserve the Internet’s uniquely open network structure. Nor can antitrust law take into account the major non-economic reasons for maintaining an open Internet, such as the impact on independent speech and civic empowerment. Finally, as a practical matter, antitrust cases tend to drag on for many years. Individual innovators and small startup companies – key beneficiaries of Internet openness – are unlikely to be in a position to bring antitrust cases against major network operators.

4a. "One of the strongest arguments of anti-Internet neutrality folks is that adoption of Internet neutrality principles/rules will ensure that it is only the consumers who foot the bill for bandwidth consumption, and bandwidth hogs (like NetFlix) don't ever pay. This, they say, is unfair on consumers. How do you respond to this?"

4a. First, I question the statement that "bandwidth hogs like NetFlix don't ever pay." For starters, NetFlix buys a huge amount of bandwidth connecting its servers to the Internet. Once on the Internet, its traffic is carried onward pursuant to peering agreements between the ISPs and backbone providers. When NetFlix traffic volume grows, it may trigger new payment demands between carriers, as we've seen in the recent dispute between Comcast and Level3. But the bottom line is, nobody is forced to carry any traffic they haven't contractually agreed to handle. Of course, it is true that NetFlix doesn't make payments to (for example) AT&T for delivering NetFlix traffic to AT&T's customers. That might seem unfair if you think of NetFlix as a "bandwidth hog" eating up AT&T's capacity. I believe that is the wrong way to think about it. NetFlix has no ability to force-feed traffic onto AT&T's network. Every bit it sends was requested by an AT&T subscriber. So if there are "bandwidth hogs" here, they are the end users -- they are the ones that pull all those bits onto AT&T's network. And they have already paid AT&T for the ability to get those bits. I would add that when individual users choose to download huge volumes, I have no problem with the ISP charging them more. Second, you suggest that it may be unfair to ask consumers to foot the full bill for their connectivity. But the Internet is such an open and innovation-friendly platform precisely because it is so user-driven. This user-centric focus could change if ISPs start thinking of themselves as providing services not just to end user subscribers, but also to non-subscribers such as large online content providers to whom the ISPs do not directly provide bandwidth. The ISPs would then have divided loyalties; rather than just focusing on empowering users, they would be collecting fees to steer users in particular directions.
Sure, in other contexts there are examples of "two-sided markets" in which end users foot only part of the bill. Newspapers are often cited. But including paid advertising in newspapers doesn't have much impact in how the overall product is perceived or presented to users. In contrast, ISPs charging content providers for special transmission priority would be akin to a newspaper in which advertisers pay not just to place ads, but also to influence where the substantive articles appear -- which ones go on the front page and which on the interior, for example. In turn, content providers of all stripes would need to think about striking deals with multiple ISPs -- something that is not necessary today. In the end, turning the Internet into a two-sided market would make the medium dramatically less open, less innovative, and less empowering of users.

4b. "If a consumer wants a faster connection (to access content faster), she can get that by paying the ISP more and getting more bandwidth. If a business wants a faster connection (to deliver content faster), it can get that by paying the ISP for more bandwidth. However, certain kinds of paying for faster delivery of content are sought to be curbed. Where should we draw that line? And why should we hold on so dearly to a certain model of accounting for costs?"

4b. Consumers and businesses should be able to pay their respective ISPs for more bandwidth. I think that is very different from paying other people's ISPs for preferential treatment. The latter arrangement turns ISPs into gatekeepers with respect to their subscribers -- because once the quality of delivery depends on which content providers have struck a deal with the subscribers' ISP, every content provider needs to negotiate with that ISP in order to keep up with its competitors. We hold on to the Internet's model of accounting for costs because it is part of what makes the Internet such an open, innovative environment: content providers and innovators don't face the hurdle of having to negotiate deals with all their users' ISPs.

We are anonymous, we are legion

by Sunil Abraham last modified Mar 21, 2012 09:38 AM
Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence, on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibit impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards. 

Shared identities, unlike shared software and standards, are a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore, gives us an insight into how this could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online are, therefore, the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm. 

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

Killing the Internet Softly with Its Rules

by Pranesh Prakash last modified Aug 20, 2011 12:51 PM
While regulation of the Internet is a necessity, the Department of IT, through recent Rules under the IT Act, is guilty of over-regulation. This over-regulation is not only a bad idea, but is unconstitutional, and gravely endangers freedom of speech and privacy online.

A slightly modified version of this blog entry was published as an op-ed in the Indian Express on May 9, 2011.

Over-regulation of the Internet

 

Regulation of the Internet, as with regulation of any medium of speech and commerce, is a balancing act. Too little regulation and you ensure that criminal activities are carried on with impunity; too much regulation and you curb the utility of the medium. This is especially so with the Internet, as it has managed to be the impressively vibrant space it is due to a careful choice in most countries of eschewing over-regulation. India, however, seems to be taking a different turn with three sets of new rules under the Information Technology Act.

These rules deal with the liability of intermediaries (i.e., a large, inclusive, group of entities and individuals, that transmit and allow access to third-party content), the safeguards that cybercafes need to follow if they are not to be held liable for their users' activities, and the practices that intermediaries need to follow to ensure security and privacy of customer data.

Effect of not following the rules

By not observing any of the provisions of these Rules, the intermediary opens itself up for liability for actions of its users. Thus, if a third-party defames someone, then the intermediary can be held liable if he/she/it does not follow the stringent requirements of the Rules.

The problem, however, is that many of the provisions of the Rules have no rational nexus with the due diligence to be observed by the intermediary to absolve itself from liability.

What does the Act require?

Section 79 of the IT Act states that intermediaries are generally not liable for third party information, data, or communication link made available or hosted. It qualifies that by stating that they are not liable if they follow certain precautions (basically, to show that they are real intermediaries): they observe 'due diligence' and don't exercise an editorial role; they don't help or induce commission of the unlawful act; and upon receiving 'actual knowledge', or on being duly notified by the appropriate authority, the intermediary takes steps towards some kind of action.

So, rules were needed to clarify what 'due diligence' involves (i.e., to state that no active monitoring is required of ISPs), what 'actual knowledge' means, and to clarify what happens in case of conflicts between this provision and other parts of the IT Act and other Acts.

Impact on freedom of speech and privacy

However, that is not what the rules do. The rules instead propose standard terms of service to be notified by all intermediaries. This means everyone from Airtel to Hotmail to Facebook to Rediff Blogs to Youtube to organizations and people that allow others to post comments on their website. What kinds of terms of service? They will require intermediaries to bar users from engaging in speech that is 'disparaging'. It doesn't cover only intermediaries that are public-facing. So this means that your forwarding a joke via e-mail, which "belongs to another person and to which the user does not have any right" will be deemed to be in violation of the new rules. While gambling (such as betting on horses) isn’t banned in India and casino gambling is legal in Goa, for example, under these Rules, all speech ‘promoting gambling’ is prohibited.

The rules are very onerous on intermediaries, since they require them to act within 36 hours to disable access to any information that they receive a complaint about. Any 'affected person' can complain. Intermediaries will now play the role that judges have traditionally played. Any affected person can bring forth a complaint about issues as diverse as defamation, blasphemy, trademark infringement, threatening of integrity of India, 'disparaging speech', or the blanket 'in violation of any law'. It is not made mandatory to give the actual violator an opportunity to be heard, thus violating the cardinal principle of natural justice of 'hearing the other party' before denying them a fundamental right. Many parts of the Internet are in fact public spaces and constitute an online public sphere. A law requiring private parties to curb speech in such a public sphere is unconstitutional insofar as it doesn't fall within Art.19(2) of the Constitution.

Since intermediaries would lose protection from the law if they don't take down content, they have no incentives to uphold freedom of speech of their users. They instead have been provided incentives to take down all content about which they receive complaints without bothering to apply their minds and coming to an actual conclusion that the content violates the rules.

Cybercafe rules

The cybercafe rules require all cybercafe customers be identified with supporting documents, their photographs taken, all their website visit history logged, and these logs maintained for a year. Compare this to the usage of public pay-phones. Anyone can use a pay-phone without their details being logged. Indeed, such logging allows for cybercafe owners to blackmail their users if they find some embarrassing websites in the history logs—which could be anything from medical diseases to sexual orientation to the fact that you're a whistleblower.

The cybercafe rules also require that all of them install "commercially available safety or filtering software" to prevent access to pornography. In two cases along these lines in the Madras High Court (Karthikeyan R. v. Union of India) and the Bombay High Court (Janhit Manch v. Union of India), the High Courts refused to direct the government to take proactive steps to curb access to Internet pornography stating that such matters require case-by-case analysis to be constitutionally valid under Art.19(1)(a) [Right to freedom of speech and expression].

Such software tends to be very ineffective—non-pornographic websites also get wrongly filtered, and not all pornographic websites get filtered—and the High Courts were right in being wary of any blanket ban. They preferred for individual cases to be registered. If the worry is that our children are getting corrupted, it is up to parents to provide supervision, and not for the government to insist that software do the parenting instead.

Given that all of these were pointed out by civil society organizations, news media, and industry bodies when the draft rules were released, it smacks of governmental high-handedness that almost none of the changes suggested by the public have been incorporated in the final rules.

The Present — and Future — Dangers of India's Draconian New Internet Regulations

by Anja Kovacs last modified Aug 02, 2011 07:22 AM
The uproar surrounding India's Internet Control Rules makes clear that in the Internet age, as before, the active chilling of freedom of expression by the state is unacceptable in a democracy. Yet if India's old censorship regimes are to be maintained in this new context, the state will have little choice but to do just that. Are we ready to rethink the ways in which we deal with free speech and censorship as a society, asks Anja Kovacs in this article, published in Caravan, 1 June 2011.

WHAT ACTUALLY DEFINES A DEMOCRACY? It is a trickier question than it first seems, and yet it is worthwhile, at least every now and then, to remind ourselves of what constitutes the political system we hold so dear. Free and fair elections; an independent legislative, executive and judiciary; and freedom of the press—these are all vital ingredients. But what may be democracy’s defining element, or at least its sine qua non, is the right to freedom of opinion and expression: without this equal right to “seek, receive and impart information”, as the Universal Declaration of Human Rights frames it, a system of governance of the people, for the people and by the people simply remains meaningless. Without a free flow of information, democracy does not exist.

It is with good reason, then, that bloggers, tech enthusiasts and watchdogs from civil society have been up in arms over two new sets of rules, notified in April 2011, that will impact every Indian’s Internet use. Formulated by the Central Government under powers conferred to it by the IT (Amendment) Act 2008, one set governs what is known as the liability of intermediaries. This determines in which cases, and to what extent, companies ranging from Google and Facebook to local Internet service providers (ISPs) are legally responsible for the content that you upload. 

The second set of rules pertains to cybercafes. In a manner reminiscent of the licence Raj, there are new registration standards for these establishments, which go beyond the usual requirements for commercial enterprises and include detailed procedures to identify all users. Cybercafes will be required to maintain and submit, on a monthly basis, logs that detail the use of all computers in the cafe and to keep backups of all users’ browser histories, to be maintained for at least one year. 

There is much that is wrong with these rules, but what makes them such a particular threat to freedom of expression? Some effects are likely to be indirect: for example, the Internet has the potential to emerge as an important avenue for young people from disadvantaged backgrounds to express and discuss concerns so rarely taken into account by the mainstream media. But by putting into place stringent identification requirements for cybercafe users, who are likely to be less well-off, the access of underprivileged users in particular will be further constrained. Moreover, the combination of the need for identification with the requirement for cybercafes to keep a log of every user’s browser history means that anonymity online is now effectively made impossible in India. For whistleblowers, artists, writers or anyone desiring anonymity, there is no longer a place in Indian cyberspace. 

But the most troubling impact on freedom of expression of the new mandates remains direct: in their attempt to delineate the liability of Internet providers and websites, the new rules for “intermediary due diligence” actually add important new curbs on freedom of expression to Indian law. India’s Constitution recognises a fairly extensive list of so-called “reasonable restrictions” and these are more or less replicated in the Rules: “the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence”. But the Rules, which were never vetted by Parliament, do not limit themselves to these Constitutional provisions. Rather surprisingly, they add a whole new slew of qualifications, many of which are so vague, moreover, that they leave the door wide open to abuse. Thus, for example, the Rules impose a blanket ban on impersonation and make it illegal to share any information that is “grossly harmful”, “harassing”, “blasphemous”, “disparaging” or “insulting any other nation”. None of these terms have been explained or defined. 

Lacking the precision that would allow citizens to precisely regulate their behaviour in line with the law, overly broad regulations such as these are widely believed to have a chilling effect: in order not to violate the law, people begin to censor themselves—to keep quiet rather than protesting or engaging. But in this particular case, the effects are likely to be particularly pernicious because of a second provision made by the Rules: wherever an intermediary receives a complaint claiming that any information they store, host or publish contravenes the provisions of the Rules, the intermediary is required to take down this information within 36 hours. Censorship, in other words, will effectively be privatised. 

The prospect is all the more depressing because the intermediaries have little incentive to resist participating in such censorship. Given the restrictions on free speech that are effectively enforced within Indian society by vigilante groups, especially in the last two decades, the possible impact of these rules is even more frightening. If Facebook has little reason to uphold your right to maintain a page that is critical of say, Gandhiji, what prevents vigilante groups from policing our lives online even more than they do offline? The only recourse available to the owner of the confiscated information will be going to court—meaning that defending one’s own freedom of speech online will require endless litigation. 

These are worrying omens, in other words, for those who believe that freedom of expression is the cornerstone of democracy. But to what extent do these new provisions represent a radical break with India’s existing restrictions on free speech? Since its founding, the independent Indian nation-state has wielded censorship as a tool to both contain the conflicts that emanate from India’s tremendous diversity and to ensure its homogeneous social, moral and political development. If the list of reasonable restrictions in the Constitution is fairly long, this is because the country’s lawmakers were clear at the time of Independence that freedom of expression would need to be subordinated to the social reforms necessary to put the country on Nehru’s path to development. India’s far-reaching anti-hate speech laws, too, derive from the desire to combat ill will and disharmony. Since the Internet now makes it so much easier to publish opinions that are hurtful, or indeed “grossly harmful” or “disparaging”, the new Rules can in many ways be seen as an attempt to continue this strategy in the Internet age. 

The problem, however, is that irrespective of the merits of such a strategy in the past, within the radically altered communicative context of the Internet, it is simply no longer feasible. As the Internet guru Clay Shirky has argued, earlier systems of media and communication worked on a “filter, then publish” principle. Because publishing a newspaper, for example, is expensive, editors and journalists take upon themselves the role of filtering out the “worthwhile” from the “not-so-worthwhile”. Without them making that vital differentiation between “news” and “information” on the one hand and “drivel” on the other, newspapers would simply not be viable. In the Internet age, however, this principle has been reversed. The arrival of social media especially has made it so easy and cheap for anyone to share their opinions that the mantra now is: first publish, then filter. The gatekeeper role of the traditional media stands much reduced. 

For the Indian government’s strategy of using censorship as a tool to mitigate social conflict, this shift has two important consequences. The first one is quantitative: it means that there are now far more speech acts to police. That undoubtedly has made the state’s task much more difficult. But there is also a second, qualitative difference: it also means that whether the government approves of this or not, there will now be a far wider range of people who will make their voices heard, and thus, a far wider range of opinions that will be expressed in the public sphere. And it is precisely to stop such a diversity from emerging that much censorship in India has been justified over the years. As a 1980 report of the Working Group on National Film Policy argued: “if the overall objective of censorship is to safeguard generally accepted standards of morality and decency, in addition to the well recognised interests of the State, the standards of censorship applicable to freedom of expression cannot be very much ahead of the standards of behaviour commonly accepted in society. Censorship can become liberal only to the extent society itself becomes genuinely liberal”. 

What such statements conveniently elide, of course, is the enormous diversity within Indian society itself. Whose standards of behaviour are they thinking of? Kashmiri, Manipuri, Chhattisgarhi? Gandhian, feminist, communist? Adivasi, Muslim, Dalit? Who represents this community of the nation? Censorship always benefits the status quo, and the Indian case has been no different. The rise of the Internet has merely revealed, with increasing frequency, cracks in the supposedly uniform moral, social and political development of India that the government envisioned. If the old censorship regime is to nevertheless be maintained in this new context, it will therefore increasingly require the active chilling of freedom of expression on the part of the state. What the uproar surrounding the Internet Control Rules makes clear is that in the Internet age, as before, this is an unacceptable route for a modern democracy. A new model to deal with diversity and dissent is urgently required. 

What makes our democracy? With the undeniable challenges that the Internet throws to our established ways of operating, it is time to reopen this debate as a society, rather than leaving it to politicians and bureaucrats. The open forum of the Internet may often offend, or rattle our sensibilities and beliefs, but it also presents new possibilities for engagement and debate. Will we take this opportunity? 

Read the original here

Big Brother is Watching You

by Sunil Abraham last modified Mar 21, 2012 09:32 AM
The government is massively expanding its surveillance power over law-abiding citizens and businesses, says Sunil Abraham in this article published by the Deccan Herald on June 1, 2011.

Imagine: An HIV positive woman calls a help-line from an ISD/STD booth. The booth operator can get to know who she called, when and for how long. But he would not have any idea of who she is or where she lives. 

Now, instead of a phone call, imagine that she uses a cyber café to seek help on a website for HIV positive people. The cyber-cafe operator would have a copy of her ID – remember that many ID documents have phone numbers and addresses. He may then take her photograph using his own camera. One can only hope that he will take only a mug-shot without using the zoom lens inappropriately. He would also use software to log her Internet activities and could make a reasonable guess at her HIV status. 

The average Facebook page may have 50 different URLs to display the various images, animations and videos that are linked to that page. Each of those URLs would be stored, regardless of whether she scrolls down to see any of them. 

The cyber-cafe operator is obliged under the Cyber Cafe rules to store this information for a period of one year. But there are no clear guidelines on when and how he should dispose of these logs. An unethical operator could leak the logs to a marketeer, a spammer, a neighbourhood Romeo or the local moral police. A careless operator may be vulnerable to digital or physical theft and, before you know it, such logs could end up on the Internet. 

Ever since 26/11, cyber-cafes in metros have been photocopying ID documents – but so far not a single terrorist attack has been foiled or a crime solved thanks to this highly intrusive measure. But despite the lack of evidence to prove the efficacy of the current levels of surveillance, the government has decided to expand them exponentially.

Imagine again: A media organisation such as Deccan Herald is investigating a public interest issue with the help of a whistle-blower or an anonymous informant. Deccan Herald reporters may think that by turning the encryption on when using Gmail or Hotmail they are protecting their source. 

But the ISP serving Deccan Herald is obliged by the license terms to log all traffic passing through it, whether from broadband, dial-up or mobile users. Again, there are no clear guidelines on when to delete these logs, and none of the Indian ISPs publish a data retention policy. Besides retaining data, the ISPs have to install real-time surveillance equipment within their network infrastructure and make it available to government officials. If a government official wants to track who is talking to Deccan Herald reporters, he just has to ask.

With ISPs and online service providers, all the police have to do is send an information request under Section 92 of the Code of Criminal Procedure. In other words, they don't even have to bother about a court order. Between January 2010 and June 2010, Google received 1,430 information requests from India. Many other companies, for example Microsoft, are not as transparent as Google about state surveillance. So we will never know what they are subjected to. 

If the whistle-blower was using a Blackberry, all traffic would be transferred from the device to RIM's Network Operation Centre, situated outside India, in an encrypted tunnel before it travels onto the Internet. This prevents the government from learning, from the logs and surveillance equipment at the ISP premises, which mail server is being used. And that is why the government has been engaged in a five-year long public fight with RIM over access to Blackberry traffic. 

Now, thanks to the IT Act, the government can demand that service providers, including RIM, hand over the decryption keys by accusing any individual of a variety of vague offenses under the Act – for example, engaging in communication that is ‘grossly harmful’ or ‘harms minors in any way’. Refusal to hand over the keys is punishable with a jail term of three years. 

Finally, imagine that an Indian enterprise is developing trade-secrets or handling trade-secrets on behalf of its international partners. This enterprise is using a VPN, or virtual private network, for confidential digital communication. As per the ISP license, all encryption above 40-bit is only permitted with written permission from DoT along with mandatory deposit of the decryption key. 

In the age of wire-tap leaks, only a minuscule minority of international business partners would trust the government of India not to leak or misuse the keys that have been deposited with them. Most individuals, SMEs and large enterprises routinely use encryption higher than 40-bit strength. For example, Gmail uses 128-bit and Skype uses 256-bit encryption. Many services use dynamic encryption, that is, they generate different keys for each session. 

So far I have not heard of anyone who has actually secured permission or deposited the keys. In other words, the Indian enterprise has two choices – either break the law to protect business confidentiality or obey it and lose clients. 

The IT Act (Amendment 2008) and its associated Rules, notified in April this year, are a massive expansion of blanket surveillance on ordinary, law-abiding Indians. They represent a paradigm shift in surveillance and a significant dilution in privacy protections afforded to citizens under the Telegraph Act. 

This has terrifying consequences for our plural society, free media and businesses. The Department of Information Technology, in particular Dr. Gulshan Rai's office, has so far only brushed aside these concerns and denied receiving feedback from the industry and civil society. If our media continues to ignore this clampdown on our civil liberties, we will soon have to furnish ID documents before purchasing thumb drives. After all, Bin Laden was found using them in his Abbottabad home. 

Read the original here

Wherever you are, whatever you do

by Sunil Abraham last modified Mar 21, 2012 10:12 AM
Facebook recently launched a location-based service called Places. Privacy advocates resent this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it, GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. This is especially so in India where, given the lack of privacy laws, telecom operators and web and mobile service providers could retain the logs for customer profiling or, worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state obsessed with terrorism will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload an inappropriate photograph and tag you; almost instantly, all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit, but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compound this problem.

Read the original in the Indian Express

No UID Campaign in New Delhi - A Report

by Prasad Krishna last modified Jun 20, 2012 03:51 AM
The Unique Identification (UID) Bill is not pro-citizen. The scheme is deeply undemocratic, expensive and fraught with unforeseen consequences. A public meeting on UID was held at the Constitution Club, Rafi Marg in New Delhi on 25 August, 2010. The said Bill came under scrutiny at the meeting which was organised by civil society groups from Mumbai, Bangalore and Delhi campaigning under the banner of "No UID". The speakers brought to light many concerns, unanswered questions and problems of the UID scheme.

Since 2009, when the UID Bill was presented to the general public by Nandan Nilekani, the project has been characterized as a landmark initiative that will transform India, bring in good governance, and provide relief and basic services for the poor.  The scheme is rapidly being put in place; the draft Bill has been put before the Parliament of India and the resident numbers and data have been collected.

The UID proposes to take the fingerprints and iris scans of every resident of India for authentication of each individual. J. T. D'Souza, an expert in free software technology, exposed the flaws of the entire technical aspect of the UID project. He presented the risks and loopholes that technology such as iris and fingerprint scanners pose, and the risks in using a biometric system as a form of identification system. Contrary to the claim of the UID authority that a scheme based on biometrics is foolproof, he explained how fingerprints are not unchanging, how both fingerprints and iris scans can be easily spoofed (with a budget of only $10), and how there are many ways in which the technology can break, be inconsistent, or be inaccurate.

From a human rights perspective the lack of democracy in the entire project was stressed. Usha Ramanathan reiterated the fact that  no white paper was issued, the Bill has not gone through the Parliament and yet citizens’ data is being collected, citizens were given only a two week period to comment on the Bill, and in practice the UID number will not be voluntary for individuals.

The UID authority has posited the scheme as bringing benefits to the poor, plugging leakages in the Public Distribution System and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), as well as enabling inclusive growth by providing each citizen with a verifiable and portable identity. These claims were debunked. An identity number will not fix the waste of grain that takes place every day, the portability of the number raises new problems of accessibility and distribution of resources, and the MGNREGS system is already working to be financially inclusive with a majority of its members already having a bank account.

In response to hearing the presentations of the speakers and the comments by the audience, senior Member of Parliament of the Revolutionary Socialist Party of India (RSP), Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.

The campaigners for No UID plan to hold further meetings across the country and lobby Parliamentarians in the coming months.

For more information contact: Mathew Thomas (Bangalore), Elonnai Hickok (Bangalore), Sajan Venniyoor (Delhi): +91-9818453483, Bobby Kunhu (Delhi): +91-9654510398

 

Summary of UID Public Meeting, August 25 2010

by Prasad Krishna last modified Aug 02, 2011 07:28 AM
A summary of the "No UID" public meeting that took place on Aug. 25th at the Constitution Club, New Delhi.

The Meeting and Project

On August 25, 2010 in Delhi, a public meeting was organized by civil society groups from Mumbai, Bangalore, and Delhi to discuss and answer questions surrounding the UID, and to present the concerns of the public to members of parliament. The meeting was successful, with many important concerns raised by both the speakers and the audience. An action plan was developed, and MPs were able to come, listen, and share their opinions.

The Project

The UID is a project that is supported by the government of India, and is led by Nandan Nilekani, the former CEO of Infosys. The project is being presented as a cure to the PDS system, as a mechanism to bring benefits to the poor, and as a project that will make India an inclusive society by providing every citizen with a verifiable identity. The draft National Identification Authority of India Bill will be placed before the Lok Sabha in the current session. If the Bill is approved by parliament, the official implementation of the Bill will take place in Winter 2010-2011.

Technological Flaws

Speaking first, Jude D'Souza, a free software professional, presented the entire technical aspect of the UID scheme. He became involved with the UID project through his work on biometrics, and he expressed shock that the UID scheme would rely on a deeply flawed system such as biometrics. Flaws in such a system include, but are not limited to, duplication, verification problems, and the lack of infrastructure needed to collect biometrics properly. Explaining in detail how fingerprint and iris scanners work, he showed how both are actually very simple technologies. An iris scanner is essentially a camera coupled with auto-focusing. The camera focuses on one’s eye, takes a snapshot, divides the eye into concentric segments, applies a type of numbering scheme to each segment, and then generates a number that represents the pattern. A fingerprint scanner works in a similar manner. First a picture is taken of your fingerprint; the system then generates an inverted image of the finger, with darker areas representing more reflected light and lighter areas representing less reflected light. The image is then compared against the stored fingerprint. Both technologies are easily spoofed. Iris scanners cannot detect contact lenses, and a scientist in Japan found that fingerprint scanners can be “tricked” easily with materials costing under 10 dollars. D'Souza explained how all identification systems go through an enrollment and authentication process which includes: the capturing of the image, the processing of the image, extraction of features, the creation of a template, encryption, duplication and storage of the information. If a step in either the enrollment or authentication process goes wrong, the whole process is brought back to square one – manual recording of information.
For instance, if a fingerprint is swiped and the machine cannot read it because it has changed with age, or the machine is malfunctioning, or the finger is waterlogged (something that is not uncommon in India), the person would have to re-enroll and then re-verify who they are manually. If this scenario applies to, say, someone coming into a hospital, the consequences of his/her fingerprints not being read are grave.

Another concern is the compromising of the system. Bogus templates can easily be created and switched with the real template, key duplication is possible, or the system could be hacked and a virus introduced. In general, it is dangerous when any database containing personal information is compromised; a database that contains biometrics is twice as dangerous. D'Souza closed his presentation by making the point that biometrics cannot be withdrawn – if your password (biometrics) is compromised, you are still stuck with it for life. Once you leave your  footprint through biometrics, it is irrevocable.
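The enrollment and authentication steps and the template-swap risk described above can be made concrete with a short sketch. This is an added example, not code from D'Souza's presentation or from the UID system; the 256-bit feature code, the 25% match threshold, the HMAC integrity tag on stored templates and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

MATCH_THRESHOLD = 0.25  # assumed: max fraction of differing bits still accepted


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length feature codes."""
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (len(a) * 8)


def degrade(code: bytes, fraction: float, seed: int) -> bytes:
    """Simulate capture noise (ageing, wet finger, bad sensor) by flipping bits."""
    rng = random.Random(seed)
    out = bytearray(code)
    total_bits = len(code) * 8
    for pos in rng.sample(range(total_bits), int(total_bits * fraction)):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


class TemplateStore:
    """Toy template database. Each record carries a MAC binding template to person."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.records = {}  # person_id -> (template, integrity tag)

    def _tag(self, person_id: str, template: bytes) -> bytes:
        msg = person_id.encode() + b"\x00" + template
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, person_id: str, template: bytes) -> None:
        self.records[person_id] = (template, self._tag(person_id, template))

    def authenticate(self, person_id: str, sample: bytes) -> str:
        record = self.records.get(person_id)
        if record is None:
            return "manual-fallback: not enrolled"
        template, tag = record
        # Check integrity first: a swapped template must never reach the matcher.
        if not hmac.compare_digest(tag, self._tag(person_id, template)):
            return "reject: stored template failed integrity check"
        if hamming_fraction(template, sample) <= MATCH_THRESHOLD:
            return "match"
        # Any failed step sends the person back to manual verification.
        return "manual-fallback: sample does not match template"


def run_demo() -> dict:
    # Constructed feature codes standing in for extracted iris/fingerprint features.
    enrolled = hashlib.sha256(b"constructed enrolled feature code").digest()
    bogus = hashlib.sha256(b"constructed bogus feature code").digest()

    store = TemplateStore(mac_key=b"constructed demo key, not a real secret")
    store.enroll("resident-001", enrolled)
    results = {}

    # 1. Same person, small capture noise: accepted.
    results["fresh"] = store.authenticate("resident-001", degrade(enrolled, 0.05, seed=1))
    # 2. Same person, heavily degraded capture: falls back to manual recording.
    results["degraded"] = store.authenticate("resident-001", degrade(enrolled, 0.40, seed=2))
    # 3. Stored template replaced in the database without the MAC key: the
    #    matching sample would pass the matcher, but the integrity check fails.
    _, old_tag = store.records["resident-001"]
    store.records["resident-001"] = (bogus, old_tag)
    results["swapped"] = store.authenticate("resident-001", bogus)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:9s} -> {outcome}")
```

The integrity tag only detects substitution by someone who lacks the MAC key; it does nothing about the irrevocability problem raised in the talk, since a leaked feature code cannot be reissued the way a password can.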

Civil Rights

The second speaker of the day was Usha Ramanathan, an internationally recognized expert on law and poverty, who spoke on human rights and the UID. From the beginning of her presentation she challenged the audience to think deeply about the question “Why would the government want to put this project in place?” She brought to the table many points about how the project violates human rights, including the fact that no type of feasibility study has been done on the technology or the financial cost of the project; a white paper was never issued at the genesis of the project; and Nandan Nilekani and other members of the authority refused directly to answer the concerns brought forth to them when they were approached. To her, the corporatization of the project is also very clear. From the marketing of the scheme, to the implementation of the scheme, to the fact that the convergence of databases will allow business and corporate powers to network using individuals’ data that they obtain from the database – the issuance of a Unique Identification Number provides opportunities for huge profits to be made by corporations and the government. What makes the consequences of a UID number even more powerful is the fact that even though the Authority says that the number is voluntary, businesses, shop owners, banks and hospitals have the ability to deny access if one does not have a number. In this way, the number is at least de facto compulsory. This number also threatens violations of an individual’s privacy.

Benefits to the Poor

When analyzing the benefits to the poor that the number promises, the picture begins to look less and less beneficial. The Authority has been stressing the benefit of the portability of a Unique Identification Number. The positive aspects of having a portable ID stem from the idea that a person living in one village could be traveling and would still be able to collect his or her rations from the Free Trade Shop in the location he or she is visiting. No longer would people have to return home to collect their rations. Though this seems to be a useful benefit indeed, problems begin to arise if the Free Trade Shop in that village does not have enough grain in stock to provide for the unexpected visitor or if the biometric data malfunction. Another complication that the poor might have with a unique ID number is that to enroll you must know your address and name, and be able to spell them correctly. As for whether the UID will plug the leakages of the PDS system, it will perhaps make the delivery of grain more efficient – theoretically it could stop the use of fake ration cards etc. – but it does not stop the waste of grain, and at the end of the day it is still only a number; it does not regulate the person authenticating the individual and distributing the grain. Other difficulties the rural populations face are power outages: what if the power goes out and no one can be authenticated? What if the notice that benefits are available is electronically transmitted and does not arrive? What if data are lost during power outages?

Response of the Audience 

After lunch the floor was opened up to discussion about steps that need to be taken in the future. It was determined that academics need to be consulted, the NO UID campaign needs to be presented in a language that everyone can understand and relate to, more political leaders need to be contacted, volunteers from Universities need to be recruited, petitions need to be written, and emails and contact information shared for open communication amongst each other. Another response from the audience was that privacy is an issue for the elite – the poor are concerned with surviving day to day. What is interesting, though, is how untrue that is. The issuance of a UID number brings privacy of the poor into the limelight. Privacy is a question of a person’s ability to control individual information, to know how it is being used, and by whom. A Unique Identification Number given to a poor person suddenly places all of his or her personal data on the grid. It places it into networks, business databases, and governmental data banks. The current lack of data protection and lack of control an individual has over these data under the scheme creates a privacy crisis for anyone who has a number. And, given the ability to deny services to someone who does not have a number, it creates a crisis for those who opt out as well.

The Opinion of the MPs

Many of the MPs were unable to come, but the two who did were in opposition to the UID. MP Syed Azeez Pasha (CPI)  commented on the need for a campaign to have started earlier, while Senior Member of Parliament from the Revolutionary Socialist Party of India (RSP) Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.

Conclusion

As the UID project continues to unroll, it seems that Nandan Nilekani has imagined a new India – one that looks to technology as its solution to its political and social problems. If this is the case, a UID number that will work to shift the entire population onto a digital database could just be the beginning of many other changes to come. Indian citizens should carefully consider if this is the India that they have imagined.

 Resources from the Meeting

D'Souza powerpoint presentation

UID Booklet

UID Appeal to MPs

UID in Hindi

Beyond Access as Inclusion

by Anja Kovacs last modified Aug 02, 2011 07:29 AM
On 13 September, the day before the fifth Internet Governance Forum opens, CIS is co-organising in Vilnius a meeting on Internet governance and human rights. One of the main aims of this meeting is to call attention to the crucial, yet in Internet governance often neglected, indivisibility of rights. In this blog post, Anja Kovacs uses this lens to illustrate how it can broaden as well as reinvigorate our understanding of what remains one of the most pressing issues in Internet governance in developing countries to this day: that of access to the Internet.

One of the most attractive characteristics of the Internet – and perhaps also one of the most debated ones – is its empowering, democratising potential. In expositions in favour of access to the Internet for all, this potential certainly often plays a central role: as the Internet can help us to make our societies more open, more inclusive, and more democratic, everybody should be able to reap the fruits of this technology, it is argued. In other words, in debates on access to the Internet, most of us take as our starting point the desirability of such access, for the above reasons. But how justified is such a stance? Is an Internet-induced democratic transformation of our societies what is actually happening on the ground?

I would like to move away, in this blog post, from the more traditional approaches to the issue of access, where debates mostly veer towards issues of infrastructure (spectrum, backbones, last mile connectivity, …) or, under the banner of “diversity”, towards the needs of specific, disadvantaged communities (especially linguistic minorities and the disabled). To remind us more sharply of the issues at stake and of the wide range of human rights that need our active attention to make our dreams a reality, I would like to take a step back and to ask two fundamental questions regarding access: why might access be important? And what do we actually have access to?

Let me start, then, by exploring the first question: why, actually, is Internet access important? In his canonical work on the information age, and especially in the first volume on the rise of the network society, Manuel Castells (2000) has perhaps provided the most elaborate and erudite description of the ways in which new technologies are restructuring our societies and our lives. All of us are all too familiar with the many and deep-seated ways in which the Internet changes the manner in which we learn, play, court, pay, do business, maintain relationships, dream, campaign. And yet, the exact nature of the divide created by the unequal distribution of technical infrastructure and access, despite being so very real, receives relatively little attention: this divide is not simply one of opportunities, it is crucially one of power. If in traditional Marxist analysis the problem was that the oppressed did not have access to the means of production, today, one could well argue, the problem is that they do not have access to the means of communication and information.

Indeed, the Internet is not something that is simply happening to us: there are people who are responsible for these new evolutions. And so it becomes important to ask: who is shaping the Internet? Who is creating this new world? Let us, by way of example, consider some figures relating to Internet use in India. So often hailed as the emerging IT superpower of the world, there are, by the end of 2009, according to official government figures, in this country of 1 billion 250 million people slightly more than 15 million Internet connections. Of these, only slightly more than half, or almost 8 million, are broadband connections – the rest are still dial-up ones (TRAI 2010). The number of Internet users is of course higher – one survey estimates that there are between 52 million and 71 million Internet users in urban areas, where the bulk of users is still located (IAMAI 2010). But while this is a considerable number, it remains a fraction of the population in a country so big. What these figures put in stark relief, then, is that the poor and marginalised are not so much excluded from the information society (in fact, many have to bear the consequences of new evolutions made possible by it in rather excruciating fashion), but rather, that they are fundamentally excluded from shaping the critical ways in which our societies are being transformed.

To have at least the possibility to access the Internet is, then, of central significance in this context for the possibility of participation it signals in the restructuring of our societies at the community, national and global level, and this in two ways: in the creation of visions of where our societies should be going, and in the actual shaping of the architecture of our societies in the information age.

If we agree that access attains great significance in this sense, then a second question poses itself, and that is: in practice, what exactly are we getting access to? This query should be of concern to all of us. With the increasing corporatisation of the Internet and the seemingly growing urges of governments on all continents to survey and control their citizens, new challenges are thrown up of how to nurture the growth of open, inclusive, democratic societies, that all of us are required to take an interest in.

Yet it is in the case of poor and marginalised people that the challenges are most pronounced.  Efforts to include them in the information society are disproportionately legitimised on the basis of the contribution these can make to improving their livelihoods. Initiatives, often using mobile technology, that allow farmers to get immediate information about the market prices of the produce they are intending to sell, are perhaps the most well-known and oft-cited examples in this category. Other efforts aim to improve the information flow from the government to citizens: India has set up an ambitious network of Common Service Centres, for example, that aim to greatly facilitate the access of citizens to particular government services, such as obtaining birth or caste certificates – and going by first indications, this also seems to be succeeding in practice. Only rarely, however, do initiatives to “include” the poor in the information society address them as holistic beings who do not only have economic lives, but political, emotional, creative and intellectual existences as well.  This is not to say that economic issues are not of importance. But by highlighting only this aspect of poor people's lives, we promote a highly impoverished understanding of their existences.

The focus on a limited aspect of the poor's identity - important as that aspect may be - has a function, however: it makes it possible to hide from view the extremely restrictive terms on which poor people are currently being integrated into the information society. Even initiatives such as the Common Service Centres are in fact based on a public-private-partnership model that explicitly aims to “align [..] social and commercial goals” (DIT 2006: 1), and in effect subordinates government service design to the requirements of the CSC business model (Singh 2008). The point is not simply that we need strong privacy and data protection policies in such a context – although we clearly do. There is a larger issue here, which is that efforts to include the poor in the information society, in the present circumstances, really seem to simply integrate them more closely into a capitalist system over which they have little control, or to submit them to ever greater levels of government and corporate surveillance. Their own capacity to give shape to the system in which they are “included”, despite the oft-heralded capacities of the Internet to allow greater democratic participation and to turn everybody into a producer and distributor, as well as a consumer, remains extremely limited.

Such tendencies have not gone unnoticed. For example, unlike in many other parts of the world, social movements in India fighting against dams, special economic zones or mining operations in forest areas - all initiatives that lead to large-scale displacement – have not embraced technology as enthusiastically as one might have expected. There are various reasons for this. Within Indian nationalism, there have always been strands deeply critical of technology, with Gandhi perhaps their most illustrious proponent. But for many activists, technology often also already comes with an ideological baggage: an application such as Twitter, for example, in so many of its aspects is clearly manufactured by others, for others, drawing on value sets that activists often in many ways are reluctant to embrace. And such connotations only gain greater validity because of the intimate connections that exist in India between the IT boom and neoliberalism: technology has great responsibility for many of the trends and practices these activists are fighting against. While the Internet might have made possible many new publics, most movements do not – as movements – recognise these publics as their own (Kovacs, forthcoming).

To some extent, these are of course questions of the extent of access that people are granted. But they also raise the important issue of the value structure of the Internet. Efforts at inclusion always take for granted a standard that is already set. But what if the needs and desires of the many billions that still need to be included are not served by the Internet as it exists? What if, for it to really work for them, they need to be able to make the Internet a different place than the one we know today? While it is obvious that different people will give different answers in different parts of the world, such debates are complicated tremendously by the fact that it is no longer sufficient to reach a national consensus on the issues under discussion, as was the case in earlier eras. The global nature of the Internet's infrastructure requires that the possibility of differing opinions, too, needs to be facilitated at the global level. What are the consequences of this for the development of democracy?

For access to the Internet to be substantively meaningful from a human rights perspective in the information age, it is crucial, then, that at a minimum, the openness of the Internet is ensured at all levels. Of course, openness can be considered a value in itself. But perhaps more importantly, at the moment, it is the only way in which the possibility of a variety of answers to the pressing question of what shape our societies should take in the information age can emerge. Open standards and the portability of data, for example, are crucial if societies are to continue to decide on the role corporations should play in their public life, rather than having corporations de facto rule the roost. Similarly, under no circumstances should anyone be cut off from the Internet, if people are to participate in the public life of the societies of which they are members. And these are not just concerns for developing countries: if recent incidents from France to Australia are anything to go by, new possibilities facilitated by the Internet have, at least at the level of governments, formed the impetus for a clear shift to the right of the political spectrum in many developed countries. In the developed world, too, the questions of access and what it allows for are thus issues that should concern all. In the information age, human rights will only be respected if such respect is already inscribed in the very architecture of its central infrastructure itself.

List of References

Castells, Manuel (2000). The Rise of the Network Society, 2nd edition. Oxford: Blackwell.

Department of Information Technology (DIT) (2006). Guidelines for the Implementation of Common Services Centers (CSCs) Scheme in States. New Delhi: Department of Information Technology, Government of India.

Internet and Mobile Association of India (IAMAI) (2010). I-Cube 2009-2010: Internet in India. Mumbai: Internet and Mobile Association of India.

Kovacs, Anja (forthcoming). Inquilab 2.0? Reflections on Online Activism in India (working title). Bangalore: Centre for Internet and Society.

Singh, Parminder Jeet (2008). Recommendations for a Meaningful and Successful e-Governance in India. IT for Change Policy Brief, IT for Change, Bangalore.

Telecom Regulatory Authority of India (TRAI) (2010). The Indian Telecom Services Performance Indicators, October-December 2009. New Delhi: Telecom Regulatory Authority of India.

 

Moldova Online: An Interview with Victor Diaconu

by Sudha Rajagopalan — last modified Mar 21, 2012 10:10 AM
In this interview for Russian Cyberspace, set up with the help of Sunil Abraham (Executive Director at the Centre for Internet and Society in Bangalore, India), computer software professional Victor Diaconu explains the nature of Internet use, state control and the development of blogging and social media platforms in Moldova. Victor works at Computaris in Chisinau. He is Moldova-educated, and has travelled to several western countries (including lengthy stays in the US and UK) to learn about and understand what there is to be done in Moldova. Sudha Rajagopalan interviewed Victor Diaconu.

SR: After the 2009 elections, there was some talk of reform in Moldova and greater transparency, but now one also hears contradictory reports of increasing authoritarian tendencies.  Is this ambivalence evident in the way the internet is regulated and used here? 

VD: I would not say the tendencies are authoritarian. The constitution says that the President should be voted in by a majority of 61 out of 101 members of the Parliament. If not, Parliament should be dissolved and re-elected. Well, this should happen twice a year at the most, and as such, after a second failed attempt to vote the President the authority of the Parliament and Government is somewhat questionable. The current Parliament has tried to change the rules of voting in the President - to make it by popular vote, for instance, but this is met with resistance from the Communist Party. 

As to transparency - I would say it has improved. Though, one should not expect too many changes from a Government with questionable authority and with so many systemic flaws inherited from the previous government. At the moment we've got a coalition government. As such, there are frictions and these are indeed visible. This gives a sense of comfort and truthfulness since it is normal to have frictions in any human endeavour. While the communist party was ruling - everything was "nice and dandy" both in media and in political affairs and one could not get anything but "fake" - fake news, fake results, fake improvements.

Internet control and filtering do not happen. In fact, we did have a "small revolt" on April 7, 2009, when it seemed the communist party had tried to steal the vote for the parliament. At that moment a few .md sites were blocked by the national Telecom operator, but most other sites were still available. In fact, news about the event was best available on twitter (might still be available under "pman" tags). There also were a few attempts to stifle free speech when authorities requested names/IP addresses of commenters on some forums. However, this is no longer conceivable ... 

SR: Given that the press and television are largely in the hands of the state and criticism of the state is considered defamation (and leads to the arrest of press people), does the internet play a special role as a space for alternative media and political blogs? Are these prevalent and influential? 

VD: Yes, national TV is largely state owned and it was worse before the change in power. Now it seems to have improved. There are a series of smaller TV stations but these have reduced coverage - mostly in bigger cities. I understand that they've started rolling out IP TV with packages of 50+ TV channels - local and international. The national Telecoms operator provides very good Internet coverage. Dial-up Internet at reasonable prices is available everywhere in the country. Broadband availability even in rural areas is very good. And it's not too expensive. As to the role of Internet - indeed its influence is increasing. A series of media portals are frequented by many, including me. http://unimedia.md/; http://m.protv.md/; http://jurnaltv.md/; http://forum.md/ to mention a few. The news here is conveyed tersely but I do my own editorializing if need be. Also, I can read the comments if I want to get a feeling about how others feel about some specific event.

SR: Can you tell us about some of the popular bloggers and blogging platforms in Moldova? Live Journal is popular in Russia; can the same be said of Moldova? 

VD: I'm not aware of any significant blogger, more so, political blogger. I'd say we still need to wait for someone whose commentary is mature enough for people to care about him or her... As to the platform - those blogging attempts that I've seen were indeed on major blogging portals like Live Journal. 

SR: What can you tell us about the presence of social media in Moldova? Does Moldova prefer its own versions of global digital platforms, or are FB, My Space, Twitter popular here?  What is the role of the diaspora in this space?

VD: Global platforms are widely used. There are a few Russian popular platforms in wide use too, such as odnoklassniki.ru. We have up to 1 million Moldovans working in European countries, Russia and other places, since the pay is significantly higher over there. These people left a few years back and most of them intend to return. And they, indeed, rely on the available platforms to relate back to relatives and friends.

SR: Lastly, can you tell us about the linguistic landscape of Moldovan new media; I imagine the most widely used language on the internet is Moldovan/Romanian. Is Russian prevalent or is new media here a platform to assert their exclusive Moldovan identity? 

VD: The rules for language are that media should have at least 60-70% of content in "state" language and the law was often changed so that sometimes 'state language' included Russian too. In fact, in Moldova we are very comfortable with the Russian language, at least those a bit older (30+ years) since we were supposed to speak it well in the Soviet era.

SR (with many thanks to Victor Diaconu and Sunil Abraham) 

About Sudha Rajagopalan

Sudha Rajagopalan is the deputy editor of Digital Icons: Studies in Russian, Eurasian and Central European New Media and co-blogger at Russian Cyberspace. Sudha is also a  Research Affiliate with the Media Studies Group at the University of Utrecht in the Netherlands. Her current research is on audience and fan communities on Runet (the Russian-language internet), with a special interest in identity, performativity and affect in online practices. Sudha obtained her PhD in Russian History from Indiana University, Bloomington (2005). She is the author of 'Leave Disco Dancer Alone: Indian Cinema and Soviet Movie-going after Stalin,' Yoda Press, 2008 ('Indian Films in Soviet Cinemas: The Culture of Movie-going after Stalin,' Indiana University Press, 2009).

Presentation of the UID project by Ashok Dalwai – A Report

by Elonnai Hickok last modified Mar 21, 2012 10:09 AM
On Tuesday, 7 September 2010, Ashok Dalwai, the Deputy Director General of the Unique Identification Authority of India (UIDAI), gave a lecture at the Indian Institute for Science in Bangalore. Representing the UID Authority, his presentation explained the vision of the project and focused on the challenges involved in demographic and biometric identification, the technology adopted, and the enrolment process. Elonnai Hickok gives a report of his presentation in this blog post.

Privacy Concerns in Whole Body Imaging: A Few Questions

by Elonnai Hickok last modified Mar 21, 2012 10:09 AM
Security versus privacy... it is a question that the world is facing today when it comes to using Whole Body Imaging technology to screen travellers visually in airports and other places. Giving real-life examples from different parts of the world, Elonnai Hickok points out that even if the Government of India eventually decides to advocate tight security measures with some restrictions, such measures need to be balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.

What is Whole Body Imaging?

Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons.  

How are These Technologies Being Used - Two News Items to Ponder:

News Item One 

In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.

Also, in response to the attempted attack on the U.S, the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zooms in on parts of the image for a better look if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased.
The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.

Despite this, the machines are controversial because they generate images of a passenger's entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.

News Item Two

In October this year, Fox News came out with a story that told how x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see into the inside of the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In vans the technology used is the backscatter x-ray machine. The vans are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out for a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the van. Reactions to the vans have been mixed. Some worry about the invasion of privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual's having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car.

Questions at the Heart of the WBI Debate:

Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? Or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead into a declared national emergency?
Furthermore, how can legislation and policy, which has traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?

How Have Other Countries Responded to Whole Body Imaging and How Should India Respond?

Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.

In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use.  It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further.  A Nigerian leader also pledged to use full-body scanners.

Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate the tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.

The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers.  Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies. 

DSCI Information Security Summit 2010 – A Report

by Elonnai Hickok last modified Mar 21, 2012 10:04 AM
On 2 and 3 December 2010, the DSCI Information Security Summit 2010 took place in the Trident Hotel, Chennai. The two day summit included a broad spectrum of speakers/panels and topics, ranging from Securing Data & Systems to how to leverage the Cloud. The key speakers were Mr. Gulshan Rai, Director General, CERT-In, DIT, Mr. Rajeev Kapoor, Joint Secretary, DoPT, Govt. of India, Mr. Vakul Sharma, Advocate, Supreme Court of India and Dr. Kamlesh Bajaj, CEO, DSCI. Elonnai Hickok attended the summit.

Day one commenced with a keynote address given by Jeffery Carr, Principal, GreyLogic, US, who spoke about the gravity and risk that businesses and countries are facing in the digital age. A prominent theme in every presentation throughout the day was that India is facing both serious changes and challenges in light of evolving technology and global standards. A few specific challenges addressed were: encryption standards, the cloud, and securing business transactions. During the panel on encryption standards it was pointed out that India desperately needs a clear and comprehensive policy on encryption standards. Not only will this serve to facilitate transactions in India, but it will increase trade, as foreign countries will have an enforced policy to assure them that India is a safe destination to export to. The panel addressing the cloud focused on the challenges that businesses are facing in terms of the cloud in the Indian context. The three main challenges to the Cloud are:

  • data security and privacy
  • compliance requirements
  • legal and contractual requirements 

It was pointed out that in particular the Indian legal environment is serving as an obstacle to businesses wishing to move to the cloud, because of policies such as 40 bit encryption, and the Indian Telecom licensing policy which do not permit data transfer outside the cloud. Also discussed were measures that organisations have adopted to address data protection challenges in the cloud, including: including security & privacy clauses in the contractual agreement, making the Cloud service provider liable for a data breach, and auditing the services of Cloud service providers. Further information about the Cloud in the Indian context can be found in the DSCI report on Data Protection Challenges in Cloud Computing: An Indian Perspective. In the session on Securing Business Transactions, the challenge of protecting data and transactions was addressed. Many approaches were presented which explained how securing systems has moved away from using security-enabled software to security-embedded hardware. The first day concluded with a presentation of DSCI Study Reports, including their recent study on the State of Data Security and Privacy in the Indian BPO Industry, Service Provider Assessment Framework – A Study Report, and the DSCI Security Framework.

The second day included presentations and panel discussions on privacy, the economics of security, and security technologies. The presentation on privacy presented many different viewpoints, which ranged from the stance that India has been taking the right steps towards securing individuals' privacy to the contrasting view that India has seen a dilution of privacy standards in recent years. Contributing to the panel on privacy, Vakul Sharma, Supreme Court Advocate, created a timeline of privacy in India, dispelling the popular belief that India does not have a history of privacy. Mr. Sharma closed his presentation with a challenge to those who believe that India does not have adequate privacy protections - to return to the clauses in the ITA, see if they are indeed being followed, and then assess if India does not have adequate privacy protection. The panel on the Economics of Security spoke about the rising costs of security in the wake of cyber crime, and the rising cost of not adequately protecting one’s business. In the session on Technology Challenges to Fight Data Breaches and Cyber Crimes, a debate arose on current measures taken by industry and government to fight cyber crime, and steps that still need to be taken. Opening the session was a presentation by Mr. West, member of the National Cyber Forensics Training and Alliance. His presentation introduced a new approach taken by the States in which key stakeholders including students and local law enforcement were engaged when tracking down cyber criminals. Mr. West demonstrated the success of the program, and explained how such an approach could be easily adapted in India. From different comments made by the panel and audience it was clear from this session that there is a need for the Indian government to be more invested in funding and supporting smaller cybercrime initiatives.
Closing the day was a panel on E-Security for the next five years including the application and enforcement of DSCI’s best practices for a Security and Privacy Framework. 

The event was sponsored by: Trusted Computing Group, Computer Associates, McAfee, Verizon Business, Tata Consultancy Services, Deloitte, (ISC)2, BlackBerry, ACS, CSC, Microsoft, RSA, and Intel.

Jurisdictional Issues in Cyberspace

by Justice S Muralidhar — last modified Mar 21, 2012 10:00 AM
This article by Justice S Muralidhar was published in the Indian Journal of Law and Technology, Volume 6, 2010. It explores in detail the jurisdiction of courts when dealing with disputes arising from commercial transactions on the Internet.

Google Policy Fellowship Program: Asia Chapter

by Prasad Krishna last modified Aug 02, 2011 07:34 AM
For the ardent followers of free and open Internet and for those who love to debate on technology, media law and Internet-related policy issues, there is some good news. The Centre for Internet and Society, India is conducting a Google Policy Fellowship program this summer!

Offered for the first time in Asia Pacific, the Google Policy Fellowship offers successful applicants the opportunity to develop research and debate on issues relating to freedom of expression for a minimum of ten weeks from June to August 2011. The applicants will be selected in Australia, India and Hong Kong respectively.

The Centre for Internet and Society will select the India Fellow, and is accepting applications for the position before March 27, 2011. Google is providing a USD 7,500 stipend to the India Fellow, who will be selected by April 18, 2011. 

To apply, please send to [email protected]  the following materials:

  • Statement of Purpose: A brief write-up outlining your interest and qualifications for the programme, including the relevant academic, professional and extracurricular experiences. As part of the write-up, also explain what you hope to gain from participation in the programme and what research work concerning free expression online you would like to further through this programme. (About 1200 words max).
  • Resume
  • Three references

More information about the focus of the work that the Google Policy Fellow will take on is described below [1]. More information about the Google Policy Fellowship program is available in the FAQ [2].

Research Agenda  Outline

The research proposals, and the fellowship itself, are to be anchored in the reality of the growing threat to civil liberties in cyberspace, with the consequent curbs on free expression that arise. The aim of the research is to chart out a comprehensive map of the legal and policy frameworks relating to free expression within the Asia-Pacific region and also examine people’s attitudes and ground-level movements relating to the same. This second component will necessarily involve some amount of empirical research: the fellows across different regions (for 2011, there will be fellows from India, Australia and Hong Kong) will be expected to use a survey on similar lines, so that the results could be adequately contrasted.

The research would involve but not necessarily be limited to the following areas:

Understanding Dissent

This component would involve looking at how dissent is negotiated in the region by the legal system and the ways in which governments seek to stifle and control online dissent. Specific points of interrogation would include:

  1. The extent to which the constitution and other laws in the region protect freedom of expression and the extent to which they are enforced.
  2. Judicial decisions relating to free expression, censorship and dissent. Have they examined how speech and other activities on the Internet should be afforded free speech protection?
  3. The kind of material deemed objectionable and subject to censorship and/or penalization.
  4. The kind of penalties placed on writers, commentators and bloggers for posting objectionable materials on the Internet.
  5. Understanding the economic environment in which free expression operates: chains of media ownership, state restrictions on the means of journalistic production and distribution, and the levels of state control through allocation of advertising or subsidies would be part of this question.
  6. Further, what are the laws relating to encryption and telecom security, as well as to intermediary liability, and how do they affect free expression?

Understanding Free Expression

To be examined here is the question of how freedom of expression is perceived by people. What is the extent to which people believe the right is available to them — as balanced by conceivably conflicting rights such as privacy?

  1. One part of proceeding on this would be to track a set of activist bloggers, gauging their take on various issues.
  2. Another part would include tracking public opinion through comments pages on articles relating to free speech issues; taking a survey or coordinating focus group research. However, this is by no means the most reliable way to gauge the same and is, in particular, one area that will require an appropriate methodology to be developed by the fellows in consultation with the partner organizations.

Both these components are essential in being able to proceed with the third aspect, mentioned below.

Understanding and Facilitating Movements

This final aspect will involve looking at how free expression advocates come together, or fail to do so.

  1. Is there a defined activist community in the region?
  2. If not, what are the possible reasons behind failure of collaboration or organization? Have there been attempts towards the same?

Frequently Asked Questions

What is the Google Policy Fellowship program?

The Google Policy Fellowship program offers students interested in Internet and technology related policy issues an opportunity to spend their summer working on these issues at the Centre for Internet and Society at Bangalore. Students will work for a period of ten weeks starting from June 2011. The research agenda for the program is based on legal and policy frameworks in the region connected to the ground-level perception of free expression.
Applications for the Fellowship should carry these:

  • Statement of Purpose: A brief write-up outlining your interest in and qualifications for the programme, including the relevant academic, professional and extracurricular experiences. As part of the write-up, also explain what you hope to gain from participation in the programme and what research work concerning free expression online you would like to further through this programme. (About 1200 words max).
  • Resume
  • Three references

Important Dates
What is the program timeline?

  • March 27, 2011: Student application deadline; applications must be received by midnight 00:00 GMT.
  • April 18, 2011: Student applicants are notified of the status of their applications.
  • June 2011: Students begin their fellowship with the host organization (start date to be determined by students and the host organization); Google issues initial student stipends.
  • July 2011: Mid-term evaluations; Google issues mid-term stipends.
  • August 2011: Final evaluations; Google issues final stipends.

Eligibility

Are there any age restrictions on participating?

Yes. You must be 18 years of age or older by 1 January 2011 to be eligible to participate in the Google Policy Fellowship program in 2011.

Are there citizenship requirements for the Fellowship?

For the time being, we are only accepting students eligible to work in India (e.g. Indian citizens, permanent residents of India, and individuals presently holding an Indian student visa). Google cannot provide guidance or assistance on obtaining the necessary documentation to meet the criteria.

Who is eligible to participate as a student in Google Policy Fellowship program?

In order to participate in the program, you must be a student. Google defines a student as an individual enrolled in or accepted into an accredited institution including (but not necessarily limited to) colleges, universities, masters programs, PhD programs and undergraduate programs. Eligibility is based on enrollment in an accredited university by 1 January 2011.

I am an international student. Can I apply and participate in the program?

In order to participate in the program, you must be a student (see Google's definition of a student above). You must also be eligible to work in India (see section on citizen requirements for fellowship above). Google cannot provide guidance or assistance on obtaining the necessary documentation to meet this criterion.

I have been accepted into an accredited post-secondary school program, but have not yet begun attending. Can I still take part in the program?

As long as you are enrolled in a college or university program as of 1 January 2011, you are eligible to participate in the program.

I graduate in the middle of the program. Can I still participate?

As long as you are enrolled in a college or university program as of 1 January 2011, you are eligible to participate in the program.

Payments, Forms, and Other Administrative Stuff

How do payments work*?
Google will provide a stipend of USD 7,500 equivalent to each Fellow for the summer.
  • Accepted students in good standing with their host organization will receive a USD 2,500 stipend payable shortly after they begin the Fellowship in June 2011.
  • Students who receive passing mid-term evaluations by their host organization will receive a USD 1,500 stipend shortly after the mid-term evaluation in July 2011.
  • Students who receive passing final evaluations by their host organization and who have submitted their final program evaluations will receive a USD 3,500 stipend shortly after final evaluations in August 2011.
Please note: Payments will be made by electronic bank transfer, and are contingent upon satisfactory evaluations by the host organization, completion of all required enrollment and other forms. Fellows are responsible for payment of any taxes associated with their receipt of the Fellowship stipend.

*While the three-step payment structure given here corresponds to the one in the United States, disbursement of the amount may be altered as felt necessary.

What documentation is required from students?

Students should be prepared, upon request, to provide Google or the host organization with transcripts from their accredited institution as proof of enrollment or admission status. Transcripts do not need to be official (a photocopy of the original will be sufficient).

I would like to use the work I did for my Google Policy Fellowship to obtain course credit from my university. Is this acceptable?

Yes. If you need documentation from Google to provide to your school for course credit, you can contact Google. We will not provide documentation until we have received a final evaluation from your mentoring organization.

Host Organizations

What is Google's relationship with the Centre for Internet and Society?

Google provides the funding and administrative support for individual fellows directly. Google and the Centre for Internet and Society are not partners or affiliates. The Centre for Internet and Society does not represent the views or opinions of Google and cannot bind Google legally.

CIS Para-wise Comments on Draft Reasonable Security Practices Rules, 2011

by Prashant Iyengar — last modified Dec 14, 2012 10:32 AM
On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011) in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. Specific Objections

Rule 3

Sensitive personal data or information.— Sensitive personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of :

Password;

...

Call data records;

Comment

We suggest that this list be expanded to include information such as sexual orientation, religion and caste. In addition, “electronic communication records” including emails, chat logs and other communications using a computer should be designated sensitive personal information.

Rule 4

Body Corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle shall provide a privacy policy for handling of or dealing in user information including sensitive personal information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall provide for:

  • Type of personal or sensitive information collected under sub-rule (ii) of rule 3;

  • Purpose, means and modes of usage of such information;

  • Disclosure of information as provided in rule 6

Comment

We recommend that the privacy policy be made available for view to all individuals to whom the information held by the body corporate pertains. Currently the privacy policy will only be disclosed to the “providers of information” who may not be the individual concerned directly.

Rule 5

Collection of information.—

(1) Body corporate or any person on its behalf shall obtain consent of the provider of the information regarding purpose, means and modes of uses before collection of such information.

Comment

We recommend the substitution of the term “individual to whom the data pertains” instead of the phrase “provider of the information”.

(2) Body corporate or any person on its behalf shall not collect sensitive personal information unless—

the information is collected for a lawful purpose connected with a function or activity of the agency; and

the collection of the information is necessary for that purpose.

Comment

We recommend a blanket prohibition of collection of biometric data unless a heightened security interest is demonstrated.

(3) While collecting information directly from the individual concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of.

Comment

We recommend a simpler phrase like “The body corporate ... shall take reasonable steps to inform the individual concerned” instead of the current complex phrasing. Reasonableness has generally been interpreted by courts contextually. For instance, the Supreme Court has remarked, “‘Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know.” See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.

(4) Body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Comment

We recommend that this be converted into a mandatory obligation to delete or anonymise the information collected within a stipulated period (say 6 months) after the expiry of use for which it was collected.

(6) Body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, wherever necessary.

Comment

Individuals should have the right to review and modify information pertaining to them whether or not they themselves had provided the information to the body corporate. This right should be provided to them wherever the information that pertains to them is incorrect.

(7) Body corporate or any person on its behalf shall provide an option to the provider of the information to opt-in or opt-out.

Comment

We recommend that the wording be changed to “individual to whom the data pertains” instead of “provider of information”.

CIS Para-wise Comments on Cyber Café Rules, 2011

by Prashant Iyengar — last modified Dec 14, 2012 10:32 AM
On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Guidelines for Cyber Cafe) Rules, 2011) in exercise of the powers conferred by Section 87(2)(zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. General Objections

These rules have no nexus with their parent provision, namely s.79(2).  Section 79(1) provides for exemption from liability for intermediaries.  Section 79(2) thereupon states:

79. Intermediaries not to be liable in certain cases—
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users.  However, the provisions contained in these rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability for third-party actions.

While the government may have authority to regulate cybercafes, that regulation should not be promulgated as rules under s.79(2).  Doing so would be ultra vires s.79(2) itself.

Recommendation

These rules should be deleted in toto.

B. Specific Objections

These specific objections are in addition to the above-stated general objection, and do not detract from our recommendation that these rules should be deleted in their entirety.

Rule 2(c)

(c) “Cyber Cafe” means cyber café as defined in clause (na) of sub-section (1) of section 2 of the Act

Comment

The Act defines a cyber cafe as meaning “any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”.  This would include internet access provided in airports, in restaurants, and in many other places where the provisions of these rules (such as those about height of partitions, etc.) just will not be practicable.  Thus, this provision will have unintended consequences.

Rule 3

Agency for issuance of license: Appropriate government will notify an agency to issue license to cyber cafes.

Comment

Rule 3 requires the issuing of a license for the establishment of a cyber café. We believe this is unwarranted since cybercafes, like most commercial establishments, are already subject to registration and licensing under the “Shops and Establishments Acts” which have been enacted in all states. These Acts already specify an elaborate procedure for the application, registration and monitoring of all establishments and there is no need to multiply the levels of permission a cyber café must obtain. The current rules do not specify an application procedure, fee, or a maximum or minimum time frame within which such a license must be granted or denied, nor do they specify the criteria on which such license applications will be evaluated. We think that in the absence of such legislative guidance, this provision is likely to be abused.

Cyber cafes in India contribute greatly to India’s increasing internet penetration and inserting a licensing regime would greatly impede access to the internet.

We believe that cyber cafes should be allowed to be established in the same manner as other shops and establishments, without the requirement of a special license.

Rule 4(2)

...When an user cannot establish his/her identity to the satisfaction of the Cyber Café as per sub-rule (1), he/she may be photographed by the Cyber Café using a web camera installed on one of the computers in the Cyber Café for establishing the identity of the user.

Comment

Sub-Rule 4(2) requires that if an individual is unable to establish identity, their photograph must be taken if they wish to use cyber café facilities. We believe that an individual’s photograph should be taken only as a last resort, where identity has been established.

Rule 4(3)

Children without photo identity card shall be accompanied by an adult with any of the documents as prescribed in sub-rule (1).

Comment

We recommend that children below 18 years should be specifically exempt from proving their identities to cyber café owners. Children are usually the quickest to adopt technology, and the requirement of possessing a valid identity might prove to be a deterrent to their developing computer skills. Likewise, being accompanied by an adult is also an onerous obligation since children’s access to the internet would depend on the availability of an adult/parent who may be too busy to accompany the child on every occasion the child wishes to access the internet or use a computer.

To reiterate, we feel that the current provision specially and adversely targets children from poorer classes (since they are most likely to routinely access internet through cyber cafes) and denies them the opportunity of developing their computer skills which are crucial for the growth of the “knowledge economy” that India is trying to head towards.

In addition, we believe that children are more susceptible to exploitation and consequently have a heightened privacy expectation which must be honoured. We recommend that the current sub-rule be deleted and replaced with a clause which specifically exempts children from proving their identity and forbids taking photographs of them under any circumstance.

Rule 5(1)

... Log Register: After the identity of the user has been established as per sub-rule (1) of rule 4 above, the Cyber Café shall record and maintain the required information of each user in the log register for a minimum period of one year. Also, Cyber Café may maintain an online version of the log register.

Comment

Rule 5(1) provides a minimum period of one year for which Cyber Cafes must retain their log registers. The rule does not specify the details which the log register must provide. In the interests of minimising threats to privacy, we recommend that the details recorded be confined only to the name and duration of use.

In addition, we believe that there should also be a coinciding mandatory deletion clause for the log register requiring details to be purged after the minimum retention period.

Rules 5(3) and 6(2)

5(3): “The cyber café owner shall be responsible for storing and maintaining following backups of logs and computer resource records for at least six months for each access or login by any user :

  • History of websites accessed using computer resource at cyber cafe
  • Logs of proxy server installed at cyber café
  • Mail server logs
  • Logs of network devices such as router, switches, systems etc. installed at cyber café
  • Logs of firewall or Intrusion Prevention/Detection systems, if installed.”

6(2): “The screen of all computers, installed other than in Partitions or Cubicles, shall face ‘outward’, i.e. they shall face the common open space of the Cyber Café.”

Comment

We recommend deletion of this rule since it is an unreasonable intrusion into a person’s privacy and an indirect attempt to censor content which users may wish to access. There are many uses of the internet for which a user may legitimately require privacy: For instance, patients, including HIV patients and those with mental illness, may wish to obtain information about their condition. Similarly sexuality minorities may wish to seek support or reach out to a larger community. Enforcing the architecture stipulated in this rule would discourage their access to such vital information. In addition, this architecture would make it easier for cyber crimes such as identity theft to take place since it would be easier to observe the login details of other users at the cyber café.

Rule 7(1)

Inspection of Cyber Café: “An officer, not below the rank of Police Inspector as authorised by the licensing agency, is authorized to check or inspect cyber café and the computer resource or network established therein at any time for the compliance of these rules. The cyber café owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.”

Comment

We recommend this clause be omitted since it confers unfettered and unsupervised powers on any Police Inspector to examine any cyber café premises he may choose without any restriction on time.

Additionally, the provisions of Shops and Establishments Acts of most states already prescribe a procedure for inspection of establishments and examination of records. The current rules merely add another layer of supervision to the existing laws without adequate safeguards.

Comment

Sub-Rule 5(3) holds cyber café owners responsible for the storage and maintenance of back up logs concerning the following information: history of websites, logs of proxy servers, mail server logs, logs of network devices, logs of firewalls installed. We believe that the maximum length for retention of this data should be defined and a mandatory deletion clause should be inserted requiring cyber café owners to delete these logs periodically. We further believe that access to the history of websites and mail server logs is a serious invasion of a person’s privacy, and should be omitted from the back up logs.

This is especially so when currently there is no requirement that cyber café owners maintain their logs under conditions of utmost secrecy and confidence.

 

 

CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011

by Pranesh Prakash last modified Jul 11, 2012 10:27 AM
On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011) in exercise of the powers conferred by Section 87(2)(zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. General Objections

A number of the provisions under these Rules have no nexus with their parent provision, namely s.79(2).  Section 79(1) provides for exemption from liability for intermediaries.  Section 79(2) thereupon states:

79. Intermediaries not to be liable in certain cases—

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

 

Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users.  However, many of the provisions of the Rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability.

B. Specific Objections

Rule 2(b), (c), and (k)

(b) “Blog” means a type of website, usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Usually blog is a shared on-line journal where users can post diary entries about their personal experiences and hobbies;

(c) “Blogger” means a person who keeps and updates a blog;

(k) “User” means any person including blogger who uses any computer resource for the purpose of sharing information, views or otherwise and includes other persons jointly participating in using the computer resource of intermediary

Comments

 It is unclear why it is necessary to specifically target bloggers as users, leaving out other users such as blog commenters, social network users, microbloggers, podcasters, etc.  It makes the rules technologically non-neutral.

Recommendation

We recommend that these 3 sub-rules be deleted.

Rule 3(2)

3. Due Diligence observed by intermediary.— The intermediary shall observe following due diligence while discharging its duties.

(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that : —

(a) belongs to another person;

(b) is harmful, threatening, abusive, harassing,  blasphemous, objectionable, defamatory, vulgar, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) harm minors in any way;

(d) infringes any patent, trademark, copyright or other proprietary rights;

(e) violates any law for the time being in force;

(f) discloses sensitive personal information of other person or to which the user does not have any right to;

(g) causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(h) impersonate another person;

(i) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(j) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.

Comments

Firstly, such ‘standard’ terms of use [1] might make sense for one intermediary, but not for all.  For instance, an intermediary such as a site with user-generated content (e.g., Wikipedia) would need different terms of use from an intermediary such as an e-mail provider (e.g., Hotmail), because the kinds of liability they accrue are different.  This is similar to how the liability that a newspaper publisher accrues is different from that accrued by the post office.  However, forcing standard terms of use negates this difference.  Thus, these are impractical.

Secondly, read with the legal obligation of the intermediary to remove such information (contained in rule 3(3)), they vest an extraordinary power of censorship in the hands of the intermediary, which could easily lead to the stifling of the constitutionally guaranteed freedom of speech online.  Analogous restrictions do not exist in other fields, e.g., against the press in India or against courier companies, and there is no justification to impose them on content posted online. Taken together, these provisions make it impossible to publish critical views about anything without the risk of being summarily censored.

Thirdly, while it is possible to apply Indian law to intermediaries, it is impracticable to require all intermediaries (whether in India or not) to have in their terms of use India-specific clauses such as rule 3(2)(j).  Instead, it is better to merely require them to ask their users to follow all relevant laws.

Individual instances of how these rules are overly broad are contained in an appendix to this submission.

Recommendation

We strongly recommend the deletion of this sub-rule, except clause (e).

Rule 3(3)

(3) The intermediary shall not itself host or publish or edit or store any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2).

Comments

This sub-rule is ultra vires s.79 of the IT Act, which does not require intermediaries not to “host or publish or edit or store any information”.  In fact, s.79(2) merely states that by violating the provisions of s.79(2), the intermediary loses the protection of s.79(1).  It does not however make it unlawful to violate s.79(2), as rule 3(3) does.  This makes rule 3(3) ultra vires the Act.

Recommendation

This sub-rule should be deleted.

Rule 3(4)

(4) The intermediary upon obtaining actual knowledge by itself or been brought to actual knowledge by an authority mandated under the law for the time being in force in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity. Further the intermediary shall inform the police about such information and preserve the records for 90 days

Comments

This rule is also ultra vires s.69A of the IT Act as well as the Constitution of India.  Section 69A states all the grounds on which an intermediary may be required to restrict access to information [2].  It does not allow for expansion of those grounds, because it has been carefully worded to maintain its constitutional validity vis-a-vis Articles 19(1)(a) and 19(2) of the Constitution of India.  The rules framed under s.69A prescribe an elaborate procedure before such censorship may be ordered. The rules under s.69A will be rendered nugatory if any person could get content removed or blocked under s.79(2).

This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts, the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked.

If any person is aggrieved by information posted online, they may seek their remedies—including the relief of injunction—from courts of law, under generally applicable civil and criminal law.  Inserting a rule such as this one would take away the powers of the judiciary in India to define the line dividing permissible and impermissible speech, and vest it instead in the whims of each intermediary.  This can only have a chilling effect on debates in the public domain (of which the Internet is a part) which is the foundation of any democracy.

Recommendation

This rule should be modified so that an intermediary is obliged to take steps towards removal of content only when (a) backed by an order from a court or (b) a direction issued following the procedure prescribed by the rules framed under Section 69A.

Rule 3(5) & (7) & (8) & (10)

(5) The Intermediary shall inform its users that in case of non-compliance with terms of use of the services and privacy policy provided by the Intermediary, the Intermediary has the right to immediately terminate the access rights of the users to the site of Intermediary;

(7) The intermediary shall not disclose sensitive personal information;

(8) Disclosure of information by intermediary to any third party shall require prior permission or consent from the provider of such information, who has provided such information under lawful contract or otherwise;

(10) The information collected by the intermediary shall be used for the purpose for which it has been collected.

Comments

These sub-rules have no nexus with intermediary liability or non-liability under s.79(2).  For instance, it is unreasonable to say that an intermediary may be held liable for the actions of its users if it does not inform its users about its right to terminate access by the user to its services.  Furthermore, not all intermediaries need be websites, as sub-rule 5 assumes.  An intermediary can even be an “internet service provider” or a “cyber cafe” or a “telecom service provider”, as per rule 2(j) read with s.2(1)(w) of the IT Act.

The requirements under sub-rules (7), (8), and (10) are rightfully the domain of s.43A and the rules made thereunder, and not s.79(2) nor these rules.

Recommendation

These sub-rules should be deleted, and sub-rules (7), (8), and (10) may be placed instead in the rules made under s.43A.

Rule 3(9)

(9) Intermediary shall provide information to government agencies who are lawfully authorised for investigative, protective, cyber security or intelligence activity. The information shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a written request stating clearly the purpose of seeking such information.

Comments

This provision is ultra vires ss.69 and 69B.  Rules have already been issued under ss.69 and 69B which stipulate the mechanism and procedure to be followed by the government for interception, monitoring or decrypting information in the hands of intermediaries. Thus under the Interception Rules 2009 framed under Section 69, permission must first be obtained from a “competent authority” before an intermediary can be directed to provide access to its records and facilities. The current rule completely removes the safeguards contained in s.69 and its rules, and would make intermediaries answerable to virtually any request from any government agency. This is contrary to the legislative intent expressed in Section 69.

Recommendation

We recommend this sub-rule be deleted.

Rule 3(12)

(12) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

Comments

The rules relating to how and when the Indian Computer Emergency Response Team may request information from intermediaries are rightfully the subject matter of s.70B(5) [3] and the rules made thereunder by virtue of the rule-making power granted by s.87(2)(yd).  The subject matter of rule 3(12) is not liability of intermediaries for third-party actions, hence there is no nexus between the rule-making power and the rule.

Recommendations

We recommend that this sub-rule be deleted.

Rule 3(14)

(14) The intermediary shall publish on its website the designated agent to receive notification of claimed infringements.

Comments

It is unclear what “infringements” are being referred to in this sub-rule.  Neither s.79 nor these rules provide for “infringements”.  The same reasoning applied for rule 3(4) would also apply here.  It would be better to require the intermediary to publish on its website a method of providing judicial notice.

Recommendations

Delete, and replace with a requirement for the intermediary to publish on its website a method of providing judicial notice.

Footnotes

  1. For instance, Section B(1) of the World of Warcraft Code of Conduct: “When engaging in Chat, you may not: (i) Transmit or post any content or language which, in the sole and absolute discretion of Blizzard, is deemed to be offensive, including without limitation content or language that is unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, hateful, sexually explicit, or racially, ethnically or otherwise objectionable.”

  2. It is only “in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above” that intermediaries may be issued directions to block access to information.

  3. 70B(5) states that “The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.”

 

RTI Applications on Blocking of Websites

by Pranesh Prakash last modified Dec 21, 2012 06:34 AM
In recent weeks, an increasing number of incidents have come to light on government-ordered blocking of websites. In one case involving Zone-H.org, it is clear who has ordered the block (a Delhi district court judge, as an interim order), even though the block itself is open to constitutional challenge. In all other cases, including the TypePad case, it is unclear who has ordered the block and why. We at CIS have sent in two right to information requests to find out.

While under the law (i.e., s.69A of the Information Technology Act), the Department of Information Technology (DIT) has the power to order blocks (via the 'Designated Officer'), in some cases ISPs have noted that the order to block access to the websites came from the Department of Telecom (DoT).  Due to this, we have sent in RTI applications to both the DIT and the DoT.

RTI Application to Department of Information Technology

To

Shri B.B.Bahl,
Joint Director and PIO (RTI)
Office of PIO (RTI)
Room No 1016, Electronics Niketan
Department of Information Technology (DIT)
Ministry of Communications and Information Technology
6, CGO Complex, New Delhi

 

Dear Sir,

Subject: Information on Website Blocking Requested under the Right to Information Act, 2005

1. Full Name of the Applicant:
Pranesh Prakash

2. Address of the Applicant:
E-mail Address:
pranesh[at]cis-india.org

Mailing Address:
Centre for Internet and Society
194, 2-C Cross,
Domlur Stage II,
Bangalore – 560071

3. Details of the information required:

It has come to our attention that Airtel Broadband Services (“Airtel”) has recently blocked access to a blog host called TypePad (http://www.typepad.com) (“TypePad”) for all its users across the country. In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act, 2005:

  1. Did the Department order Airtel to block TypePad under s.69A of the Information Technology Act (“IT Act”), 2000 read with the Information Technology (Procedures and Safeguards for Blocking Access of Information by Public) Rules, 2009 (“Rules”) or any other law for the time being in force? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites in contravention of s.69A of the IT Act?

  2. Has the Department ever ordered a block under s.69A of the IT Act? If so, what was the information that was ordered to be blocked?

  3. How many requests for blocking of information has the Designated Officer received, and how many of those requests have been accepted and how many rejected? How many of those requests were for emergency blocking under Rule 9 of the Rules?

  4. Please provide us the present composition of the Committee for Examination of Requests constituted under Rule 7 of the Rules.

  5. Please provide us the dates and copies of the minutes of all meetings held by the Committee for Examination of Requests under Rule 8(4) of the Rules, and copies of their recommendations.

  6. Please provide us the present composition of the Review Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.

  7. Please provide us the dates and copies of the minutes of all meetings held by the Review Committee under Rule 14 of the Rules, and copies of all orders issued by the Review Committee.

4. Years to which the above requests pertain:
2008-2011

5. Designation and Address of the PIO from whom the information is required:

Shri B.B.Bahl,
Joint Director and PIO (RTI)
Office of PIO (RTI)
Room No 1016, Electronics Niketan
Department of Information Technology (DIT)
Ministry of Communications and Information Technology
6, CGO Complex, New Delhi

To the best of my belief, the details sought for fall within your authority. Further, as provided under section 6(3) of the Right to Information Act (“RTI Act”), in case this application does not fall within your authority, I request you to transfer the same in the designated time (5 days) to the concerned authority and inform me of the same immediately.

To the best of my knowledge the information sought does not fall within the restrictions contained in sections 8 and 9 of the RTI Act, and any provision protecting such information in any other law for the time being in force is inapplicable due to section 22 of the RTI Act.

Please provide me this information in electronic form, via the e-mail address provided above.

This is to certify that I, Pranesh Prakash, am a citizen of India.

A fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a demand draft drawn in favour of “Pay and Accounts Officer, Department of Information Technology” payable at New Delhi.


Date: Monday, February 28, 2011
Place: Bengaluru, Karnataka


(Pranesh Prakash)

 

RTI Application to Department of Telecom

To

Shri Subodh Saxena
Central Public Information Officer (RTI)
Director (DS-II)
Room No 1006, Sanchar Bhawan
Department of Telecommunications (DoT)
Ministry of Communications and Information Technology
20, Ashoka Road, New Delhi — 110001

 

Dear Sir,

Subject: Information on Website Blocking Requested under the Right to Information Act, 2005

1. Full Name of the Applicant:
Pranesh Prakash

2. Address of the Applicant:
E-mail Address:
pranesh[at]cis-india.org

Mailing Address:
Centre for Internet and Society
194, 2-C Cross,
Domlur Stage II,
Bangalore – 560071

3. Details of the information required:

It has come to our attention that Airtel Broadband Services (“Airtel”) has recently blocked access to a blog host called TypePad (http://www.typepad.com) (“TypePad”) for all its users across the country. Airtel subscribers trying to access this website receive a message noting “This site has been blocked as per request by Department of Telecom”. In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act, 2005:

  1. Does the Department have powers to require an Internet Service Provider to block a website? If so, please provide a citation of the statute under which power is granted to the Department, as well as the safeguards prescribed to be in accordance with Article 19(1)(a) of the Constitution of India.

  2. Did the Department order Airtel to block TypePad or any blog hosted by TypePad? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites?

  3. Has the Department ever ordered the blocking of any website? If so, please provide a list of addresses of all the websites that have been ordered to be blocked.

  4. Please provide us the present composition of the Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.

  5. Please provide us the dates and copies of the minutes of all meetings held by the Committee constituted under rule 419A of the Indian Telegraph Rules, 1951, and copies of all their recommendations.

4. Years to which the above requests pertain:
2005-2011

5. Designation and Address of the PIO from whom the information is required:
Shri Subodh Saxena
Central Public Information Officer (RTI)
Director (DS-II)
Room No 1006, Sanchar Bhawan
Department of Telecommunications (DoT)
Ministry of Communications and Information Technology
20, Ashoka Road, New Delhi — 110001

 

To the best of my belief, the details sought for fall within your authority. Further, as provided under section 6(3) of the Right to Information Act (“RTI Act”), in case this application does not fall within your authority, I request you to transfer the same in the designated time (5 days) to the concerned authority and inform me of the same immediately.

To the best of my knowledge the information sought does not fall within the restrictions contained in sections 8 and 9 of the RTI Act, and any provision protecting such information in any other law for the time being in force is inapplicable due to section 22 of the RTI Act.

Please provide me this information in electronic form, via the e-mail address provided above.

This is to certify that I, Pranesh Prakash, am a citizen of India.

A fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a demand draft drawn in favour of “Pay and Accounts Officer (HQ), Department of Telecom” payable at New Delhi.

 

Date: Monday, February 28, 2011
Place: Bengaluru, Karnataka


(Pranesh Prakash)

 

Policy for Government's Presence in Social Media - Recommendations

by krithika — last modified Aug 02, 2011 07:37 AM
In pursuance of the Office Memorandum issued by the DIT dated March 4, 2011, the e-Governance Group of the DIT convened, on March 23, 2011, the first meeting of an exclusive group to propose guidelines for government presence on social networking and social media sites. The Centre for Internet and Society, being one of the invitees to the meeting, has submitted its recommendations for a Policy for the Government's presence in social networking and social media sites.

1. Data Retention

The Government's communication to citizens via social media should follow the same data retention policy as its communication through other electronic and non-electronic channels.

Data portability compliance varies from one social media platform to another. Hence, privileged access may be mandated by the Government along the same lines as the “take down notices” and “information requests” currently being sent to social media and other platforms for intellectual property rights infringement and other offences.

2. Privacy

Yochai Benkler has famously stated that privacy is the protection of the weak from scrutiny by the powerful while transparency is the exposure of the powerful to scrutiny by the weak.1

It is critical that social media policy for the Government is compliant with existing law governing data protection and privacy.2 As Benkler said, privacy protection should be a function of power – ordinary citizens should be afforded greater protection than Government personnel. Each department of the Government may be recommended to publish their own set of additional protections to safeguard privacy of citizens while maintaining highest levels of transparency of Government bodies.

3. Certifying Official Accounts

Some social media platforms have the ability to certify or validate an official account. Such validation must be made mandatory for all Government presence across various social media platforms. The mere existence of official Government social media accounts does not mean that the Government officers cannot use their own personal unofficial social media accounts. However, there must be a very clear and discernable distinction between a Government officer's personal (individual) social media presence and the official social media presence of a Government department or Ministry.

While individual officers are encouraged to set up their own personal social media presences, the official accounts must be in the format: Ministry/Department (Acronym) along with Designation (Acronym) of the official, so that the fans/followers/friends accumulated during the tenure of a particular official can be handed over to the next person who takes the same office. In order that this process of handing over is smooth and uniform across various Government departments, it is recommended that the protocol for handing over of social media presences be clearly laid down and communicated to all the Government departments.

4. Social Media Integration with Government Portals

Social media must be integrated with the official websites. Ideally, the websites should use Free and Open Source Software (FOSS) content management system with full compliance with web accessibility guidelines such as W3C's Web Content Accessibility Guidelines (WCAG) so that the RSS feeds of newly added content can be broadcast via multiple social media presences. Therefore, social media is seen as an additional benefit accruing from already existing efforts and investments of the Governments in electronic publishing.

In fact, it would be greatly beneficial for citizens if a constituent relationship management software with tracking number is used for all social media and email communication by the Government. This will bring about a higher level of transparency and accountability on the part of the Government.

5. Security

Social media presences will be the target of malicious elements online. Government social media presences are, in fact, at a greater risk of being subject to such attacks. Therefore, Government security standards must be adhered to, including changing passwords regularly for Government social media accounts.

6. Mass Outreach

In order to neutralise the pro-elite bias of social media, a special outreach to non-elites via mobile phones must be an integral part of the Government's social media strategy. Digitally enabled middle class activism can undermine true participatory democracy and this must be resisted.

7. Rude Accountability

Occasionally, citizens may resort to the use of inflammatory language and tone with Government authorities to claim public services and to sanction service failures. Such communications, referred to as 'rude accountability' and accompanied by trolling, are common phenomena which the Government can expect around its social media presences. It is recommended that these incidents be ignored in the first instance instead of being penalised. The Department of Information Technology (DIT) should prescribe a protocol for escalation in case of systemic trollers. It is to be noted that the lower threshold for freedom of speech as prescribed by the Information Technology Act and Information Technology Rules should not serve as the yardstick on Government social media presences for characterising citizens' behaviour as offences. It is important that the Government allows a greater space for citizens to communicate with the Government and exercise their freedom of expression.

8. Managing Expectations

Each Government Ministry/Department/Official should publicly manage expectations for their social media presences in the form of an explicit, published “social media” policy in which expectations surrounding integral aspects of communication with the public such as public comments, speed of response and procedure for escalation are clearly documented. This will ensure that citizens have fewer undue expectations from the social media presence of a particular Government authority.

9. Brevity of Communications

Social media, particularly micro blogging and SMS, is based on brevity of communications. Therefore, when a social media presence is branded or named, it must be ensured that the name takes up the least number of characters so that it enables viral propagation.

In order to standardise on the spellings employed for SMS slang common in micro blogging and SMSes, it is recommended that Government officials use modern clients with in-built support for such functionality to avoid being embarrassed online.

10. Official Logo

The official logo of the Government Ministry/Department should be an integral part of Government social media presences. The logo may also be published where applicable so that it could be the Public key. A link to the official website should be employed wherever appropriate in order to establish credibility of the social media presence.

11. Proactive Information Disclosure

Social media should be used as a means to uphold RTI obligations for proactive information disclosure and to drive traffic to the website which should ideally be an archive of such comprehensive proactive disclosures.

12. Alternative Open Platforms

Wherever free and open/ non-proprietary/ community-owned social media infrastructure exists, the Government will be obliged to use the alternative social media platform in addition to mainstream platforms. For instance, for every Government authority's presence on Twitter, the Government is obliged to ensure that such authority also has a presence on status.net.

13. Uniformity of Communication

Social media can only be used by the Government to communicate existing Government information and propagate official policy terms to the public. Great care must be taken to avoid propagation of unverified facts and frivolous misleading rumours which tend to circulate often through miscreants on social media platforms. It is recommended that any information published by the Government on a social media platform should be published only when such information can also be published through other existing Government channels.

If the Government has to be a good neighbour in social media, it should also contribute to viral dissemination of relevant public information by way of re-tweeting, commenting and liking. Considering that the Government might lend its credibility to dubious causes through such endorsement, a protocol should be in place as part of social media policy for the Government to ensure that baseless and dubious claims are not vouched for by the Government.

1. See Yochai Benkler, “A Free Irresponsible Press: Wikileaks and the Battle over the Soul of the Networked Fourth Estate” (2011), forthcoming, Harvard Civil Rights – Civil Liberties Law Review, available at http://bit.ly/e84QhK.

2. Existing laws covering data protection and privacy would include the Information Technology Act, the Information Technology Rules, The Telegraph Act and the Constitution of India.

The Draft Electronic Delivery of Services Bill, 2011 – Comments by CIS

by Prasad Krishna last modified Aug 02, 2011 07:37 AM
The Draft Electronic Delivery of Services Bill, 2011 (“Bill”) is a Bill to provide for delivery of government services mandatorily through electronic means by phasing out manual delivery of services. It is heartening to note that the Bill shifts the approach to electronic delivery of services by Government agencies to one as part of the citizens' right to service delivery through electronic means rather than a luxury or benefit doled out by the Government. The Bill introduces bodies exclusively accountable for ensuring electronic delivery of services by the Government at the state and central levels. While this is a welcome move on the part of the Government, there are a few comments we, at the Centre for Internet and Society, have on the present version of the Bill:
  1. Accessibility
    The Bill does not make it mandatory for all Government services to be accessible to all including persons with disabilities. The Bill refers to the term “access”, as defined in Section 2(1)(a), from the perspective of merely gaining physical access to the services or availability of such services1 rather than from the perspective of catering to the ability of a person with print (or other) disabilities to gain access to the services in the normal format. It is very important that the electronic services are delivered in a format which is accessible to all persons including persons with disabilities, elderly persons etc. It should be mandatory for the Government to comply with Web Content Accessibility Guidelines (WCAG) and National Informatics Centre (NIC) guidelines for web accessibility. It is also important to ensure accessibility of all documents produced during service delivery by Government agencies.
  2. Linguistic Accessibility 
    Section 5(2)(b) of the Bill requires the Government to prescribe a framework for all its agencies to ensure web presence or enablement which refers to rendering electronic services in the language chosen by the user. In pursuance of the same, it is important for delivery of services to be available in all national languages of India to begin with, in addition to the content being encoded in Unicode font for all languages. It is important to note that there are not many open fonts available for Indian languages. Hence, it must be ensured that the Government allocates sufficient funds to ensure linguistic accessibility of the services delivered, while ensuring implementation of the provisions of the Bill.
  3. Public Scrutiny 
    In order to ensure transparency of Government services and process of service delivery, it is essential that the Bill incorporates a provision to enable citizens to gain access to information provided by the Government as part of the service delivery process unless disclosing such information would amount to violation of any applicable law. Similarly, provision should be made for making public all RTI applications filed with the Government and responses to them.
  4. Use of Free and Open Source Software
    Considering that electronic service delivery by Government agencies is effected through public money, it is important that Governments are urged to use Free and Open Source Software (FOSS) for service delivery. This cuts costs to a great extent and also makes the process more transparent and capable of customisation to varied needs of different departments. It is important to insert a provision requiring the Government to use FOSS as far as possible and in the event of any use of proprietary software, the Government should clearly explain the reason for such use, the costs incurred for the same, the additional benefit derived out of its use and other relevant details.
  5. Open Standards
    The Bill must stress the use of open standards for all computer resources and service delivery systems by Government agencies. As is the case with FOSS, such use brings down operation costs drastically and makes the service delivery process transparent and available for all to use. Use of ODF formats for documents, HTML for websites, ISA standards for hardware is recommended. It is also useful to ensure compliance with W3C guidelines by the concerned Government departments during implementation of the Bill.
  6. Whistleblower Exception
    The Bill does not contain any safeguards to ensure free and fearless disclosure of any wilful violation of the law impacting larger public interest. It is important to include a provision protecting any person exposing any violation of the provisions of the Bill or blowing the cover off any scam or fraudulent activity deceiving the public committed by service providers under the Bill. Such protection can be given by ensuring that the actions of such whistleblower, to the extent required for the exposure, do not constitute an offence under the provisions of the Bill.
  7. Penalties for Offences
    • Chapter 4 of the Bill gives a detailed list of acts constituting an offence under the Act including Section 15 which specifically relates to offences by companies. It is critical to ensure that the punishment and penalties for offences extend not only to citizens and companies but also to Government officials who misuse information they are privy to under the provisions of the Bill. In fact, a separate provision specifically applicable to the various offences which could be committed by Government officials under the Bill can reduce misuse of its provisions by the Government.
    • It is to be noted that several provisions listed under Chapter 4 of the Bill covering offences and penalties are a reproduction of the provisions for the same under the Information Technology Act, 2000 (“IT Act”). Such reproduction is unnecessary and acts which are already deemed to be offences and have punishments prescribed for them under the IT Act (or any other legislation for the time being in force in India) need not be covered again in the Bill. This will avoid duplication and confusion in the legislations.
    • Section 19(1) of the Bill provides that no alleged offence under the Bill can be tried in a court of law unless the Central Electronic Delivery of Services Commissioner (“Central Commissioner”) or the State Electronic Delivery of Services Commissioner (“State Commissioner”) authorises the same by issuing a complaint in this regard to the relevant court. This provision directly conflicts with a citizen's constitutional right to seek legal redress since it takes away his freedom to approach a court of law for redressal of his grievance without the permission of the Commissioners. It is recommended that the provision be either deleted or suitably modified so that it is not in violation of this constitutional right.
  8. Bottoms up Approach
    A decentralised approach should be adopted along the lines of the Panchayati Raj system giving the citizen a greater say in the framework and implementation of service delivery by Government agencies. Implementation can be at the Panchayat and District levels apart from State levels. Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent, access control to their information. This will automatically make them eligible or ineligible for various government services. 
  9. Charges for service delivery
    Section 4 of the Bill authorises the Government to allow service providers to collect charges for electronic service delivery while Section 3(2) provides for the Government to regulate the manner and method of payment of such charges. It is critical to ensure that such charges levied under the provisions of the Bill do not exceed the charges levied by the Government agency for manual delivery of services. Charges for manual service delivery may include charges for photocopy, printing, paper, postage etc., all of which are totally eliminated during service delivery through electronic means. Thus, levying the same charges, let alone greater charges for electronic service delivery is totally unnecessary and places an additional burden on the citizen ultimately defeating the very purpose of the Bill. 
  10. Security in payment of charges
    Section 3(2) of the Bill provides for the Government to regulate the manner and method of payment of charges for delivery of services. It is important that each transaction that takes place is done securely and without the exposure of an individual's confidential details. There are many ways to structure the transaction of payment of fees to achieve this goal. We recommend that the SCOSTA smart card structure be used for completing and processing a transaction. 
  11. Data Security and Privacy
    Section 5(1)(e) of the Bill requires the Government to ensure integrity, security and confidentiality of data collected, preserved and retained. We recommend that in addition to this, the Government also ensures integrity, security and confidentiality of data or information that is transferred, accessed or deleted. We also recommend that the Bill requires the Government to prescribe a framework under Section 5(2) for agency privacy policies to ensure that they are interoperable and consistent between different departments of the Government. 
  12. Functions of the Central Commissioner
    Section 8 of the Bill grants the Central Commissioner the power to perform any or all of the functions listed in the provision including Section 8(f) which refers to the power of the State Commissioner in conducting the work of the State Government agencies. A Central Government authority may not have a say in all matters under the purview of the State Governments. This aspect has been left out of consideration while drafting this provision and hence it needs to be relooked at.
  13. Cut-off Date for Implementation
    While the Bill mandates a cut off period of 180 days for the Government to finalise on the scope, framework and manner of service delivery under its provisions, it states that the Government “may” prescribe a framework for implementation of the provisions. It is recommended, for the purpose of ensuring speedy implementation of the provisions, that the term “may” in Section 5(2) be replaced by “shall”.
  14. Transparency of Government Agencies
    Transparency and accountability of the Government towards the citizen is as important as the transparency of the citizen towards the Government. Therefore, the provisions of the Bill must ensure that the Government activities are transparent to the citizens by making available to the citizens, details of the responsible officials under the Bill, manner of service delivery and other relevant information in this regard.

Say 'Password' in Hindi

by Nishant Shah last modified Mar 21, 2012 09:18 AM
English might be the language of the online world, but it’s time other languages had their say, writes Nishant Shah. The article was published in the Indian Express on June 5, 2011.

On Skype the other day, a friend narrated an incident that made the otherwise familiar terrains of the internet uncanny. His grandmother, who had recently acquired a taste for Facebook, had signed off on a message saying “Love, Granny”. For people of the xoxo generation, this sounds commonplace; in fact it might even be archaic. However, for my friend, who had never thought of his emotions for his grandmother as “love”, it produced a moment of sheer strangeness.

In Gujarati, it would have been silly to think of your emotions for family as “love”. There are better nuances. The emotional connect between lovers is different from the affective relationship with parents. The fondness for siblings is different from the bond with friends. And it was unnerving, for him, to have this range of emotions suddenly condensed into “love”. Like many of us polyglots who work in the rapidly digitising world of the World Wide Web, he was experiencing the gap between the mother tongue and the other tongue. It is an experience that is quite common to non-native speakers of English, who have to succumb to de facto English language usage on the global web and often find themselves at sea about how to translate emotions, histories and experiences into a language which does not always accommodate them.

This experience only becomes more intense for people who are fluent neither in the English language nor in international online English. This question of localisation of language remains one of the biggest gating factors of the internet. It also remains, after literacy and skills, the biggest impediment to including people from non-mainstream geopolitics in discussions online. Several global linguistic majorities have dealt with this by producing different language webs. Spanish, Chinese, Japanese and German are among the largest non-English language internets which are in operation now. However, in post-colonial countries like India, where linguistic diversity is the order of the day, the efforts at localisation have been sporadic and not very popular.

There are many facets to the implementation of localisation practices. It requires developing local language fonts so that people don’t have to merely transliterate local words using an English language script. These fonts further need to be made translatable into other languages, identified by machine translations. Keyboards and hardware infrastructure, which grant ease of access to users, need to be built. Tool kits to de-Anglify the computer language, code, browser signs etc. are being developed. There are many attempts being made by public and private bodies in the country to produce this ecology of localisation, both at the level of hardware and software.

And yet, adoption of localisation tools, despite a growing non-urban user base, remains low. Most people engage with the digital and online services through English, even though their fluency with the language might be low. One of the reasons why localisation of Indic language content is facing so much resistance is because of a narrow understanding of localisation as linguistic translation. Most attempts at localisation in the country merely think of translating English terms like “browser”, “code”, or “password” into the regional languages. In many instances, the term is merely rewritten in the local script.

Such an approach to localisation ignores the fact that the language of technology does not only produce new expressions and words, but also new ways of thinking. While localising the English language content, care also has to be given to translating the contexts, which the words and phrases carry. Do a simple exercise. Take the word “Password”. Try and translate this into your local language so that it makes complete sense to a native speaker. You will realise that just saying “Password” doesn’t mean much and that it requires background information to make that word intelligible to a community.

The second is that localisation is not merely about giving rights to generate content online. While the Web 2.0 wave of user-generated content is ruling the internet now, we must realise that most people come online to consume as much, if not more than, what they generate. Policies that promote local language information production, translation projects etc. need to be in place so that the minimum threshold of information is available online in languages other than English. Government documents, state records, public artifacts, etc. need to be digitised and made available in local languages so that people can access data online.

Localisation is not only about language and translations. It is about changing the top-down approach; instead of forcing existing concepts on to material realities which don’t always fit them, it is time to see that the true power of digital technologies is in building bottom-up models where everyday practice can be captured through localised vocabularies that allow for users to say, “I love you,” to anybody, in a language, and meaning that makes sense to them.


Do You Want to be Watched?

by Sunil Abraham last modified Mar 21, 2012 09:11 AM
The new rules under the IT Act are an assault on our freedom, says Sunil Abraham in this article published in Pragati on June 8, 2011.

Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 Amendment of the Information Technology (IT) Act and its associated rules, notified in April 2011, propose to eliminate whatever little privacy Indian netizens have had so far. Already, as per the internet service provider (ISP) license, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station. With the IT Act’s latest rules things go from bad to worse. (For an analysis of the new rules under the IT Act, see the In Parliament section of this issue).

Now imagine my daughter visits the neighborhood cybercafe. The manager would now be entitled to scan her ID document and take a photograph of her using his own camera. He would also be authorised to capture her browser history including unencrypted credentials and authentication factors. He would then store this information for a period of one year and provide it to any government entity that sends him a letter. He could continue to hold on to the files as there would be no clear guidelines or penalties around deletion. The ISP that provides connectivity to the cybercafe would store a copy of my daughter’s Internet activities for two years. None of our ISPs publish or provide on request a copy of their data retention policies.

Now suppose my daughter used an online peer-production platform like Wikipedia or a social-media platform like MySpace to commit an act of blasphemy by drawing fan-art for her favorite Swedish symphonic black metal band. A neo-Pentecostal Church sends a takedown notice to the website hosting the artwork. Unfortunately, this is a fringe Web 2.0 platform run by an Indian entrepreneur who happens to be a friend of yours. When the notice arrived, our entrepreneur was in the middle of a three-week trek in the Himalayas. Even though he had disabled anonymous contributions and started comprehensive data retention of user activity on the site, unfortunately he was not able to delete the offending piece of content within 36 hours. If the honourable judge is convinced, both your friend and my daughter would be sitting in jail for a maximum of three years for the newly christened offence of blasphemous online speech.

You might dismiss my misgivings by saying “after all we are not China, Saudi Arabia or Myanmar”, and that no matter what the law says we are always weak on implementation. But that is completely missing the point. The IT Act appears to be based on the idea that the Indian public can be bullied into self-censorship via systemic surveillance. Employ tough language in the law and occasionally make public examples of certain minor infringers. There have been news reports of young men being jailed for using expletives against Indian politicians or referring to a head of state as a “rubber stamp.” The message is clear: you are being watched, so watch your tongue.

Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exist, they could potentially serve both the legally authorised official and other undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise. In other words, surveillance compromises security at the level of system design. There were no internet connections or phone lines in the bin Laden compound: he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier? Has the ban on public wi-fi and the current ID requirements at cyber-cafes led to the arrest of any terrorists or criminals in India? Where is the evidence that resource-hungry blanket surveillance is providing return on investment? Intelligence work cannot be replaced with resource-hungry blanket surveillance. Unnecessary surveillance distracts the security with irrelevance.

Increase in security levels is not directly proportional to increase in levels of surveillance. A certain amount of surveillance is unavoidable and essential. But after the optimum amount of surveillance has been reached, additional surveillance only undermines security. The multiple levels of data retention at the cybercafe, by the ISP and also by the application service provider do not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of personal sensitive information only acts as multiple points of failure and leaks. In the age of Niira Radia and Amar Singh one does not have to be reminded of authorised and unauthorised surveillance and their associated leaks.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems: one, where the fundamental organising principle is trust, or second, where the principle is suspicion. Systems based on suspicion usually give rise to criminal and corrupt behavior. If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals, it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the internet just to download encryption tools and other privacy enabling software. Like prohibition, this will only result in further insecurity and break-down in the rule of law.


Snooping Can Lead to Data Abuse

by Sunil Abraham last modified Mar 21, 2012 10:39 AM
The NATGRID, aiming to link databases of 21 departments and ministries for better counter-terror measures, adopts a blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important, writes Sunil Abraham in this article published by Mail Today on June 9, 2011.

The NATGRID, aiming to link databases of 21 departments and ministries for better counter-terror measures, adopts a blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important.

All you manage to do with the current approach is help software, hardware and biometric equipment vendors achieve their sales targets. It is quite unlikely that security agencies will learn anything insightful by putting everybody under the same degree of surveillance. There is no scientific evidence to show that we will be a safer nation if the government eavesdropped on all aspects of a citizen’s life. Targeted surveillance, on the other hand, is like good old-fashioned detective work. Put a particular section of potential troublemakers under surveillance and leave the others alone.

With round-the-clock, 100 per cent, 360-degree surveillance, all the data is scrutinised all the time. The more effective approach is to sample and collect data while maintaining data trails. If anything suspicious is noticed, the rest of the trail can be dug up. Blanket surveillance only leads to leaks and abuse and tremendous distraction. The surveillance infrastructure will be overburdened as 99 per cent of the records and files scanned will be of no interest in terms of fighting terrorism, etc.

The 21 databases need to be opened only when there is anything suspicious in any of the extracted and scrutinised samples or subsets. If there is a suspicious pattern, it should lead to the opening of subsets in all the databases. Obviously, there should be ways in which the databases can talk to each other: a demand for a particular subset, and not for all the records to be available to agencies all the time.

The NATGRID has to be able to let investigators selectively go in and out of the necessary subsets of data. No one should be able to have a 360-degree view of all activities of all Indians. As of now, the NATGRID design does not appear to have a safeguard for data abuse. And no matter what you see in Hollywood movies, this configuration does not exist in Europe or the US. Two important forms of protection that should be available in democracies with robust privacy laws are missing in India. The first is breach notification.

If intelligence agencies and the police have looked up your files, you have a right to be informed. Secondly, you can request a copy of the information that is maintained on you and request modifications if the data is inaccurate, so as to prevent harassment. Such checks and balances are necessary for an intelligent and appropriate surveillance regime.

Merging all 21 databases for 1.2 billion people into a single system only provides a juicy target for any internal or external enemy. From the perspective of national security, it is a foolish thing to do. Terrorist groups will be able to target a single failure point and destroy over a billion lives. Since the current configuration of the NATGRID only undermines national security, one is forced to conclude that national security is a false pretext.

This explains the deep scepticism among many of the intelligence agencies involved. The real purpose of the project is to scare citizens in the age of Arab springs. The NATGRID is a disciplinary measure aimed at social engineering of citizens’ behaviour. Unfortunately, our media has been misled by the corporate cheerleaders of this humongous waste of money.

The writer is executive director at the Centre for Internet and Society in Bangalore.
(As told to Max Martin)


Privacy and Security Can Co-exist

by Sunil Abraham last modified Mar 21, 2012 09:05 AM
The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

Today, the national discourse around the “right to privacy” posits privacy as antithetical to security. Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and its associated rules, notified in April 2011, propose to eliminate whatever little privacy Indian netizens have had so far. Already, as per the Internet Service Provider (ISP) licence, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking: essential in small quantities but completely counter-productive even slightly in excess. Blanket surveillance makes privacy extinct and compromises anonymity, both essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multi-tiered blanket surveillance of all law-abiding citizens and enterprises.

When your mother visits the local cyber-cafe to conduct an e-commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber-cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence (even though none of them publish a data-retention policy). Some e-commerce websites, to avoid liability, will also retain logs under the Intermediary Due Diligence rules.

Data retention at the cyber-cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks. In the age of Niira Radia and Amar Singh no sensible bank would accept such intrusion into its core business processes.

Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of X-ray machines how many you should purchase for an airport, would you? An airport with 2,000 X-ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching sales targets using tax-payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber-cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource-hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter-productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems: one, where the fundamental organising principle is trust and second, where the principle is suspicion. Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition, this will only result in further insecurity and break-down of the rule of law.

The writer is executive director of the Bangalore-based Centre for Internet and Society.

You Have the Right to Remain Silent

by Anja Kovacs last modified Aug 02, 2011 07:55 AM
India has a long history of censorship that it justifies in the name of national security. But new laws governing the Internet are unreasonable and — given the multitude of online voices — poorly thought out, argues Anja Kovacs in this article published in the Sunday Guardian on 17 April 2011.

In March 2011, Indian media - both social and traditional - was ablaze with fears that a new set of rules, proposed to complement the IT (Amendment) Act 2008, would thwart the freedom of expression of India's bloggers: contrary to standard international practice, the Intermediary Due Diligence Rules seemed intent on making bloggers responsible for comments made by readers on their site. Only a few weeks earlier, the threat of online censorship had manifested itself in a different form: although the block was implemented unevenly, mobile applications market space Mobango, bulk SMS provider Clickatell, hacking-related portal Zone-H.com and blogs hosted on Typepad were suddenly no longer accessible for most Indian netizens, without warning or explanation.

Censorship in India is nothing new. At the time of Independence, there was widespread fear among its lawmakers that unrestricted freedom of expression could become a barrier to the social reforms necessary to put the country on Nehru's path to development – particularly as the memory of Partition continued to be vivid. Although freedom of expression is guaranteed by the Constitution, it is therefore subject to a fairly extensive list of so-called "reasonable" restrictions: the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence. But while this long list might have made sense at the time of Partition, in the mature democracy that India has now become, its existence, and the numerous opportunities for censorship and surveillance that it has enabled or justified, seems out of place. Indeed, though all these restrictions in themselves are considered acceptable internationally, there are few other democratic states that include all of them in the basic laws of their land.

An appetite for censorship does not only exist among India's legislature and judiciary, however. Especially since the early nineties, instances of vigilante groups destroying art, preventing film screenings, or even attacking offending artists, writers and editors have become noteworthy for their regularity. But it is worth noting that even more progressive sections of society have not been averse to censorship: for example, sections of the Indian feminist movement have voiced strong support for the Indecent Representation of Women Act that seeks to censor images of women which are derogatory, denigrating or likely to corrupt public morality.

What connects all these efforts? A belief that suppressing speech and opinions makes it possible to contain the conflicts that emanate from India's tremendous diversity, while simultaneously ensuring its homogenous moral as much as political development. But if the advent of satellite television already revealed the vulnerabilities of this strategy, the Internet has made clear that in the long term, it is simply untenable. It is not just that the authors of a speech act may not be residents of India; it is that everybody can now become an author, infinitely multiplying the number of expressions that are produced each year and that thus could come within the Law's ambit. In this context, even if it may still have a role, suppression clearly can no longer be the preferred or even dominant technology of choice to manage disagreements. What is urgently needed is the building of a much stronger culture of respectful disagreement and debate within and across the country's many social groups. If more and more people are now getting an opportunity to speak, what we need to make sure is that they end up having a conversation.

Yet the government of India so far has mostly continued on the beaten track, putting into place a range of legislations and policies to meticulously monitor and police the freedom of expression of netizens within its borders. Thus, for example, section 66F(1)(B) of the IT (Amendment) Act 2008 defines "cyberterrorism" so broadly as to include the unauthorised access to information on a computer with a belief that that information may be used to cause injury to...decency or morality. The suggested sentence may extend to imprisonment for life. The proposed Intermediary Due Diligence Rules 2011 privatise the responsibility for censorship by making intermediaries responsible for all content that they host or store, putting unprecedented power over our acts of speech into the hands of private bodies. The proposed Cyber Cafe Rules 2011 order that children who do not possess a photo identity card need to be accompanied by an adult who does, constraining the Internet access of crores of young people among the less advantaged sections of society in particular. And while the US and other Western countries continue to debate the desirability of an Internet Kill Switch, the Indian government obtained this prerogative through section 69A of the IT (Amendment) Act 2008 years ago.

Such measures are given extra teeth by being paired with unprecedented systems of surveillance. For example, there are proposals on the table that make it obligatory for telecommunication carriers and manufacturers of telecommunications equipment to ensure their equipment and services have built-in surveillance capabilities. While at present, records are only kept if there is a specific requirement by intelligence or security agencies, the Intelligence Bureau has proposed that ISPs keep a record of all online activities of all customers for at least six months. The IB has also suggested putting into place a unique identification system for all Internet users, whereby they would be required to submit some form of online identification every time they go online.

Proponents of such legislation often point to the new threats to safety and security that the Internet poses to defend these measures, and it is indeed a core obligation of any state to ensure the safety of its citizens. But the hallmark of a democracy is that it carefully balances any measures to do so with the continued guarantee of its citizens' fundamental rights. Despite the enormous changes and challenges that the Internet brings for freedom of expression everywhere, such an exercise seems to sadly not yet have been systematically undertaken in India so far.

The recent blocking of websites with which we started this article reflects the urgent need to do so. In response to RTI applications by the Centre for Internet and Society and Medianama, the Department of Information Technology, which is authorised to order such blocks, admitted to blocking Zone-H, but not any of the other websites affected earlier this year. In an interview with The Hindu, the Department of Telecommunication too had denied ordering the blocking of access, despite the fact that some users trying to access Typepad had reported seeing the message "this site has been blocked as per request by Department of Telecom" on their screen. In the meantime, Clickatell and Mobango remain inaccessible for this author at the time of writing. That we continue to be in the dark as to why this is so in the world's largest democracy deserves to urgently become a rallying point.

 

i4D Interview: Social Networking and Internet Access

by Nishant Shah last modified Sep 22, 2011 12:51 PM
Nishant Shah, the Director for Research at CIS, was recently interviewed in i4D in a special section looking at Social Networking and Governance, as a lead up to the Internet Governance Forum in December, in the city of Hyderabad.

Mechanism of Self-Governance Needed for Social Networks

Should social networking sites be governed, and if yes, in what way?

A call for either monitoring or censoring Social Networking Sites has long been proved ineffectual, with the users always finding new ways of circumventing the bans or the blocks that are put into place. However, given the ubiquitous nature of SNS and the varied age-groups and interests that are represented there, governance, which is non-intrusive and actually enables a better and more effective experience of the site, is always welcome. The presumed notion of governance is that it will set processes and procedures in place which will eventually crystallise into laws or regulations. However, there is also another form of governance - governance as provided by a safe-keeper or a guardian, somebody who creates symbols of caution and warns us about being cautious in certain areas. In the physical world, we constantly face these symbols and signs which remind us of the need to be aware and safe. Creation of a vocabulary of warnings, signs and symbols that remind us of the dangers within SNS is a form of governance that needs to be worked out. This can be a participatory governance where each community develops its own concerns and addresses them. What is needed is a way of making sure that these signs are present and garner the attention of the user.

How do we address the concerns that some of the social networking spaces are not "child safe"? 

The question of child safety online has resulted in a raging debate. Several models, from the cybernanny to monitoring the child's activities online, have been suggested at different times and have more or less failed. The concerns about what happens to a child online are the same as those about what happens to a child in the physical world. When the child goes off to school, or to the park to play, we train and educate them about things that they should not be doing -- suggesting that they do not talk to strangers, do not take sweets from strangers, do not tell people where they live, don't wander off alone -- and hope that these will be sufficient safeguards to their well being. As an added precaution, we also sometimes supervise their activities and their media consumption. More than finding technical solutions for safety online, it is a question of education and training and some amount of supervision to ensure that the child is complying with your idea of what is good for it. A call for sanitising the internet is more or less redundant, only, in fact, adding to the dark glamour of the web and inciting younger users to go and search for material which they would otherwise have ignored.

What are the issues, especially around identities and profile information privacy rights of users of social networking sites?  

The main set of issues, as I see it, around the question of identities, is the mapping of the digital identities to the physical selves. The questions would be: What constitutes the authentic self? What is the responsibility of the digital persona? Are we looking at a post-human world where online identities are equally a part of who we are and are sometimes even more a part of who we are than our physical selves? Does the older argument of the Original and the Primary (characteristics of Representation aesthetics) still work when we are talking about a world of 'perfect copies' and 'interminable networks of selves' (characteristics of Simulation)? How do we create new models of verification, trust and networking within an SNS? Sites like Facebook and Orkut, with their ability to establish looped relationships between the users, and with the notion of inheritance ("friend of a friend of a friend of a friend"), or even testimonials and open 'walls' and 'scraps' for messaging, are already approaching these new models of trust and friendship.

How do we strike a balance between the freedom of speech and the need to maintain law and order when it comes to monitoring social networking sites?

I am not sure if the 'freedom of speech and expression' and the 'maintaining of law and order' need to be posited as antithetical to each other. Surely the whole idea of 'maintaining law and order' already includes maintaining conditions within which freedom of speech and expression can be practiced. Instead of monitoring social networking sites to censor and chastise (as has happened in some of the recent debates around Orkut, for example), it is a more fruitful exercise to ensure that speech, as long as it is not directed offensively towards an individual or a community, needs to be registered and heard. Hate speech of any sort should not be tolerated but that is a fact that is already covered by the judicial systems around the world. 

What perhaps, is needed online, is a mechanism of self-governance where the community should be able to decide the kinds of actions and speech which are valid and acceptable to them. People who enter into trollish behaviour or hate speak, automatically get chastised and punished in different ways by the community itself. To look at models of better self-governance and community mobilisation might be more productive than producing this schism between freedom of speech on the one hand and the maintenance of law and order on the other.

Link to original article on i4donline.net

An Open Letter on Internet Governance to the UN Internet Governance Forum

by Sanchia de Souza last modified Aug 02, 2011 07:40 AM
This open letter brings up concerns of democratic deficit in internet governance worldwide, and is addressed to the UN Internet Governance Forum (IGF). It is to be delivered at the IGF's 3rd Annual Meeting at Hyderabad, India, from 3rd to 6th December, 2008. The signatories are Alternative Law Forum, Bangalore, Centre for Internet and Society, Bangalore, Delhi Science Forum, New Delhi, Free Software Foundation - India, IT for Change, Bangalore, and Knowledge Commons, New Delhi.


The letter includes an information sheet exemplifying some of the problems of democratic deficit in internet governance.

The text of the letter is as follows:
-------------------------------------------------------------

The IGF must ACT NOW against the threat to the public-ness and the egalitarian nature of the Internet

The undersigned wish to express their deep concern that the UN Internet Governance Forum (IGF), created by the World Summit on the Information Society in 2005 as an Internet ‘policy dialogue’ forum, is largely failing to address key public interest and policy issues in global Internet governance – including that of democratic deficit.

Who shapes the Internet, as the Internet shapes our new social context?

The Internet represents the single most important technical advance of our society in a long time, so much so that it defines a new emerging social paradigm. The basic characteristics of the Internet determine the contours of the emerging social order in many important ways. The Internet was conceived as, and still largely is, an extensive communication system which is democratizing, and has little respect for established social hierarchies. Interactions and associations built over this new ‘techno-social’ system have, therefore, held the promise of a more egalitarian society.

The era of innocence of the Internet however appears to be fast approaching its end. Today, the Internet of the future – the very near future – is being shaped insidiously by dominant forces to further their interests. (See the fact-sheet on the following page for some illustrations of this.) Unfortunately, global policy forums have largely failed to articulate, much less act on, crucial Internet policy issues, which concern the democratic possibilities for our societies.

The IGF needs to act now!

As the Internet Governance Forum convenes for its third annual meeting, between 3rd and 6th December, 2008, in Hyderabad, India, it must take immediate steps to anchor and discuss important global public interest and policy issues involved in Internet governance. If it does not act now, it may get seen as a space that only provides an illusion of a public policy dialogue, and, consequently, as being co-opted in furthering the agenda of dominant forces that are shaping the Internet as per their narrow interests. We therefore strongly urge the IGF to directly address the following key global public interest and policy issues:

  1. Increasing corporatisation of the Internet
  2. Increasing proprietisation of standards and code that go into building the Internet
  3. Increasing points of control being embedded into the Internet in the name of security and intellectual property violations
  4. Huge democratic deficit in global Internet governance

We exhort the IGF to adopt clear directions for engaging with these crucial public policy issues. The IGF should come out with a clear work plan at its forthcoming meeting in Hyderabad to address the four key areas listed above.

The global community – comprising not only people who currently have access to the Internet, but also the un-connected billions who are being impacted by it nevertheless – will judge the meaningfulness and legitimacy of the IGF in terms of what progress it is able to make on these issues.

Alternative Law Forum, Bangalore
Centre for Internet and Society, Bangalore
Delhi Science Forum, New Delhi
Free Software Foundation - India
IT for Change, Bangalore
Knowledge Commons, New Delhi

Information Sheet
How the Public-ness and Egalitarian Nature of the Internet is Threatened
– Some Examples

Corporatisation of the Internet
Largely unsuspected by most of its users, the Internet is rapidly changing from being a vast ‘public sphere’, with a fully public ownership and a non-proprietary nature, to a set of corporatised privately-owned networks.

On the one hand, telecom companies are carving out the Internet into privately-owned networks – controlling the nature of transactions over these networks. They seek to differentially charge content providers, while also building wholly private networks offering exclusive content relay services. Developments like video/TV over Internet Protocol and the provision of controlled and selective Internet services over mobiles are contributing to increasing network-operators’ control over the Internet, with a corresponding erosion of its public-ness.

On the other hand, the commons of the Internet is also being overwhelmed and squeezed out by a complete domination of a few privately owned mega-applications such as Google, Facebook, Youtube etc.

Proprietarisation of standards and code that build the Internet

One of the main ways of appropriating the commons of the Internet is through the increasing use of proprietary and closed standards and code in building the Internet system. Such appropriation allows the extortion of illegitimate rent out of the many new forms of commons-based activities that are being made possible through the Internet.

Embedding control points in the Internet

A growing confluence of corporatist and statist interests has led to the embedding of more and more means of control into the Internet in a manner that greatly compromises citizens’ rights and freedoms. Whether it is the pressure on Internet Service Providers to examine Internet traffic for ‘intellectual property’ violations; or imposition of cultural and political controls on the Internet by states within their boundaries; or ITU’s work on IP trace-back mechanisms; or the tightening of US control over the global Internet infrastructure in the name of securing the root zone file and the domain name system, these new forms of controlling the Internet are being negotiated among dominant interests away from public scrutiny and wider public interest-based engagements.

Democratic deficit in global Internet governance
The current global Internet governance regime – a new-age privatized governance system professing allegiance mostly to a single country, the US – has proven to be an active instrument of perpetuation of dominant commercial and geo-political interests. Lately, OECD countries have begun some work on developing public policy principles that, due to the inherently global nature of the Internet, can be expected to become globally applicable. It is quite unacceptable that OECD countries shirk from discussing the same public policy issues at global public policy forums like the IGF that they discuss among themselves at OECD meetings. Apparently, developing countries are expected to focus on finding ways to reach connectivity to their people, and not burden themselves with higher-level Internet governance issues!

People’s and communities’ right to self-determination and participation in governance of issues that impact their lives should underpin global Internet governance.

---------------------------------------------

You can download the letter here (.pdf format).

Letter to ICANN on NCSG

by Pranesh Prakash last modified Aug 02, 2011 07:41 AM
The Centre for Internet and Society sent the following mail to ICANN regarding their attempt to impose their own charter for a Noncommercial Stakeholder Group (NCSG), instead of accepting the one drafted by the Noncommercial Users Constituency (NCUC).

Dear Sir or Madam,

Greetings from the Centre for Internet and Society - Bangalore. We are a Bangalore based research and advocacy organisation promoting consumer and citizen rights on the Internet. We currently focus on IPR reform, IPR alternatives and electronic accessibility by the disabled. Please see our website <http://cis-india.org> for more information about us and our activities.

It has come to our attention that ICANN is imposing the ICANN staff-drafted charter for a Noncommercial Stakeholder Group (NCSG) and ignoring the version drafted by civil society. As you know, the civil society version was drafted using a consensus process and more than 80 international noncommercial organizations, including mine, support it.

This is an unacceptable situation since the governance structures contained within the NCSG charter determine how effectively noncommercial users can influence policy decisions at ICANN in years to come. On behalf of Internet users in India - I would strongly urge you to reject the staff drafted version of the charter and adopt the version drafted and endorsed by civil society.

Best wishes,

Sunil Abraham
Executive Director
Centre for Internet and Society

Comments on the Draft Rules under the Information Technology Act

by Pranesh Prakash last modified Sep 21, 2011 06:13 AM
The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act. In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved. These comments were sent to the Department of Information and Technology.

Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008

Submitted by the Centre for Internet and Society, Bangalore

Prepared by Ananth Padmanabhan, Advocate in the Madras High Court

Interception, Monitoring and Decryption

Section 69

The section says:

  1. Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
  2. The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
  3. The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-

    (a) provide access to or secure access to the computer resource generating transmitting, receiving or storing such information; or

    (b) intercept, monitor, or decrypt the information, as the case may be; or

    (c) provide information stored in computer resource.
  4. The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.


Recommendation #1
Section 69(3) should be amended and the following proviso be inserted:

Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.


Reasons for the Recommendation
In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,

“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”. 


The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.

To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary. 


Recommendation #2
Section 69(4) should be repealed.


Reasons for the Recommendation
The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.

Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14.  Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.

Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.

This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a).  Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.

 

Draft Rules under Section 69

Rule 3
Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:

Provided that in emergency cases –
(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or
(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;

the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be. 


Recommendation #3
In Rule 3, the following proviso may be inserted:

“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”


Reasons for the Recommendation
Section 69 and the draft rules suffer from an absence of essential procedural safeguards. This has come about due to the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when carrying on the monitoring or granting access to a computer resource. Such monitoring or access is akin to a raid, in the sense that it can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting its revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval has to be taken. The Central or State Government cannot be the sole authority in such cases.

Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.


Recommendation #4
The following should be inserted after the last line in Rule 22:

The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.


Reasons for the Recommendation
The Review Committee should be given the power to award compensation for the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or, even worse, born out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69.

 

Blocking of Access to Information

Section 69A

The section provides for blocking of websites if the government is satisfied that it is in the interests of the purposes listed in the section. It also provides for a penalty of up to seven years for intermediaries who fail to comply with the directions under this section.
The rules under this section describe the procedure which has to be followed, failing which the review committee may, after due examination of the procedural defects, order an unblocking of the website.

 

Section 69A(3)
The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

 

Recommendation #5
The penalty for intermediaries must be lessened.

 

Reasons for Recommendations
The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.

The criticism about Section 69 and the draft rules in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as Section 69A.

 

Draft Rules under Section 69A

Rule 22: Review Committee
The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.


Recommendation #6
A permanent Review Committee should be set up specially for the purposes of examining procedural lapses.


Reasons for Recommendation
Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order the unblocking of a site if due procedures have not been followed. This would mean that if a site is blocked, it could take up to two months for a procedural lapse to be corrected and for the site to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overborne by cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met.

Monitoring and Collection of Traffic Data

Draft Rules under Section 69B

The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.

The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.


Grounds for Monitoring
Rule 4
The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:
(a) forecasting of imminent cyber incidents;
(b) monitoring network application with traffic data or information on computer resource;
(c) identification and determination of viruses/computer contaminant;
(d) tracking cyber security breaches or cyber security incidents;
(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;
(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;
(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;
(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;
(i) any other matter relating to cyber security.


Rule 6
No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).


Recommendation #7
Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.


Reasons for Recommendations
The term “cyber incident” has not been defined, and “cyber security” has been provided a circular definition. Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of a citizen's privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that it is “any matter related to cyber security”. This may well play as a ‘catch all’ clause to legalise any kind of monitoring and collection and therefore defeats the purported intention of Rule 6 of safeguarding citizens’ interests against arbitrary and groundless intrusion of privacy. Also, the question of degree of liability of the intermediaries or persons in charge of the computer resources for leak of secret and confidential information remains unanswered.

Rule 24: Disclosure of monitored data
Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :
(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.


Recommendation #8
Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi). 


Reasons for Recommendations
Rule 24(vi) provides for access, collection and monitoring of information from a computer resource for the purposes of tracing another computer resource which has contravened, or is likely to contravene, provisions of the Act, and this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion of privacy of the computer resource, which is first used to track another computer resource which is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub-rules under this rule clearly specifying the same is recommended.


The disclosure of sensitive information by a monitoring agency for purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for, as it dissipates information among lesser bodies that are not governed by sufficient safeguards, and this could result in outright violation of citizens’ privacy.

 

Manner of Functioning of CERT-In

Draft Rules under Section 70B(5)

Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing duties as prescribed by clause 4 of this section in accordance with the rules as prescribed.
The rules provide for CERT-In’s authority, composition of advisory committee, constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non-compliance with orders so issued. However, there are a few issues which need to be addressed, as under:


Definitions
In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.


Recommendation #9
The words ‘or implied’ must be excluded from rule 2(g), which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.


Reasons for Recommendation
“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization. 


Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.


Rule 13(4): Disclosure of Information
Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.


Recommendation #10
Burden of necessity for disclosure of information should be made heavier. 


Reasons for the Recommendation
Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement, however, needs to be weighed against the detriment caused to the individual, and the burden of proof must be on CERT-In to show that this was the only way of achieving what was required.


Rule 19: Protection for actions taken in Good Faith
All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.


Recommendation #11
CERT-In should be made liable for its negligent actions, and no presumption of good faith should be provided for as such.


Reasons for the Recommendation
Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently.  Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.

 

Draft Rules under Section 52

These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.


Recommendation #12
Amend the qualifications in the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.


Reasons for the Recommendation
It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.

Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter as per the new draft rules. The above rules, when read with Section 50 of the IT Act, as amended in 2008, do not say anything about the qualification of the technical members apart from the fact that such person shall not be appointed as a Member unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post, though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs has been prescribed in the Act as a requirement for any technical member.

 

Draft Rules under Section 54

These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.

 

Penal Provisions

Section 66A

Any person who sends, by means of a computer resource or a communication device,
    (a) any information that is grossly offensive or has menacing character; or
    (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,
    (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.
Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.

While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) is highly problematic. Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2). Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.


Recommendation #13
The section should be amended and words which lead to ambiguity must be excluded.


Reasons for the Recommendation
What exactly could convey ‘ill will’ or cause annoyance in electronic forms needs to be phrased more clearly. It is possible in some electronic forms for the receiver to know the content of the information. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has vaguely covered. Therefore, a stricter and more clinical approach is necessary.


Recommendation #14
A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc. 

 

Reasons for the Recommendation
The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.

Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.

 

Section 66F

The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character.
Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision,
“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”

This provision suffers from several defects and hence ought to be repealed. 


Recommendation #15
Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:

“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”

 

Reasons for the Recommendation
The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data which is defamatory, amounting to contempt of court, or against decency / morality, are all covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions.  While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.

To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous where this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless have a bearing on probity in public life etc. It is therefore imperative that this provision may be toned down as recommended above.

IT Act and Commerce

by Pranesh Prakash last modified Aug 02, 2011 07:41 AM
This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India. In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.

This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).

Definitions

The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:

Computer Network

The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.

Communication Devices

The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.

There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.

Electronic Signatures

One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.

The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).

Replacement of Digital Signatures

The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.

Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable.  

The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.

Dual Requirement

One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.

Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.

Emphasis on Digital Signatures

Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures.  

It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.

Certifying Authorities

The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.

Impact on Other Statutes

Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.

Data Protection

Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.

Data under the IT Act 2000

The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.

Data under the IT Act 2008

Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.

The Civil Remedies for Data Protection

The newly introduced Section 43-A reads as follows:

Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.

Explanation - For the purposes of this section:

(i)  “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and

(iii)  “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.

Non-Electronic Data

In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.

It could be argued that, given the legislative focus of this statute (it has been called the Information Technology Act for a reason), it would be inappropriate to include within this statute protection for forms of data that do not relate to the digital or electronic medium. While that argument is valid, the enthusiasm of the many who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years must be tempered, as these new provisions merely provide solutions for electronic data.

Classification of Data

Most international data protection statutes distinguish between different levels of personal data – specifying different levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, they have different levels of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject.

The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.

Consequences

Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated.  

However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.

Negligence in Implementing Security Practices

Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.

There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.

Wrongful Loss and Gain

The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.

There does not appear to be any greater significance in the use of these terms even though they are typically found in criminal statutes. Therefore, apart from the slight ambiguity as to purpose, their use in the IT Act does not appear to have any great significance.

Limitation on Liability

The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.

Reasonable Security Practices and Procedures

Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:

  • By agreement;
  • By law; and
  • By prescription by the Central Government.


As there is no law in India which sets out an appropriate definition for the term, and since it will be some time before the Central Government comes out with the necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.

As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.

The Criminal Remedies for Unlawful Disclosure of Information

In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.

Section 72-A reads:

Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.

In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.

Personal Information

The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.

"Willful"

The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.

Service Contracts

The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.

Consent

This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.

Such clauses are made effective around the world by including opt in and opt out clauses, to allow the employee to either expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.

Media of Material

This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.

What’s Missing

In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent about these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.

 

Primer on the New IT Act

by Pranesh Prakash last modified Aug 02, 2011 07:41 AM
With this draft information bulletin, we briefly discuss some of the problems with the Information Technology Act, and invite your comments.

The latest amendments to the Information Technology Act 2000, passed in December 2008 by the Lok Sabha, and the draft rules framed under it contain several provisions that can be abused and misused to infringe seriously on citizens' fundamental rights and basic civil liberties. We have already written about some of the problems with this Act earlier.  With this information bulletin, drafted by Chennai-based advocate Ananth Padmanabhan, we wish to extend that analysis into the form of a citizens' dialogue highlighting ways in which the Act and the rules under it fail.  Thus, we invite your comments, suggestions, and queries, as this is very much a work in progress.  We will eventually consolidate this dialogue and follow up with the government on the concerns of its citizens.

Intermediaries beware

Internet service providers, webhosting service providers, search engines, online payment sites, online auction sites, online market places, and cyber cafes are all examples of “intermediaries” under this Act. The Government can force any of these intermediaries to cooperate with any interception, monitoring or decryption of data by stating broad and ambiguous reasons such as the “interest of the sovereignty or integrity of India”, “defence of India”, “security of the State”, “friendly relations with foreign States”, “public order” or for “preventing incitement to” or “investigating” the commission of offences related to those. This power can be abused to infringe on the privacy of intermediaries as well as to hamper their constitutional right to conduct their business without interference.

If a Google search on “Osama Bin Laden” throws up an article that claims to have discovered his place of hiding, the Government of India can issue a direction authorizing the police to monitor Google’s servers to find the source of this information. While Google can, of course, establish that this information cannot be attributed directly to the organization, making the search unwarranted, that would not help it much. While section 69 grants the government these wide-ranging powers, it does not provide for adequate safeguards in the form of having to show due cause or having an in-built right of appeal against a decision by the government. If Google refused to cooperate under such circumstances, its directors would be liable to imprisonment of up to seven years.

Pre-censorship

The State has been given unbridled power to block access to websites as long as such blocking is deemed to be in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States, and other such matters.

Thus, if a web portal or blog carries or expresses views critical of the Indo-US nuclear deal, the government can block access to the website and thus muzzle criticism of its policies.   While some may find that suggestion outlandish, it is very much possible under the Act.  Since there is no right to be heard before your website is taken down nor is there an in-built mechanism for the website owner to appeal, the decisions made by the government cannot be questioned unless you are prepared to undertake a costly legal battle. 

Again, if an intermediary (like Blogspot or an ISP like Airtel) refuses to cooperate, its directors may be personally liable to imprisonment for up to a period of seven years.  Thus, being personally liable, the intermediaries are rid of any incentive to stand up for the freedom of speech and expression.

We need to monitor your computer: you have a virus

The government has been vested with the power to authorize the monitoring and collection of traffic data and information generated, transmitted, received or stored in any computer resource. This provision is much too widely-worded. 

For instance, if the government feels that there is a virus on your computer that can spread to another computer, it can demand access to monitor your e-mails on the ground that such monitoring enhances “cyber security” and prevents “the spread of computer contaminants”.

Think before you click "Send"

If out of anger you send an e-mail for the purpose of causing “annoyance” or “inconvenience”, you may be liable for imprisonment up to three years along with a fine. While that provision (section 66A(c)) was meant to combat spam and phishing attacks, it criminalizes much more than it should.

A new brand of "cyber terrorists"

The new offence of “cyber terrorism” has been introduced, which is so badly worded that it borders on the ludicrous.  If a journalist gains unauthorized access to a computer where information regarding corruption by certain members of the judiciary is stored, she becomes a “cyber terrorist” as the information may be used to cause contempt of court.  There is no precedent for any such definition of cyberterrorism.  It is unclear what definition of terrorism the government is going by when even unauthorized access to defamatory material is considered cyberterrorism.

Uploads

by Nishant Shah last modified Nov 01, 2008 07:59 AM
Nishant Shah by Sunil Abraham — last modified Nov 01, 2008 07:57 AM
Open letter to UN IGF by Sanchia de Souza — last modified Nov 30, 2008 07:59 AM

The Digital is Political

by Nishant Shah last modified Mar 21, 2012 09:14 AM
Technologies are not just agents of politics, there is politics in their design, writes Nishant Shah in this article published in Down to Earth in the Issue of June 15, 2011.

The links between digital technologies and politics, especially in the light of the recent West Asian-North African uprisings, have been well-established. But there is a pervasive belief that the technologies of computing, in themselves, are apolitical. There are two warring groups when it comes to debates around political participation and social change that the digital and Internet technologies have fostered.

On the one hand are people who celebrate the negotiation- and intervention-making power of these technologies and attribute to them great power that can change the world. On the other are those who look at these developments with suspicion, trying to make a case for the power of the human will rather than the scope of technology design.

Both sides remain convinced that there is a cause-and-effect link between technology and politics, but nobody talks about the politics of technology. The functional focus on digital technologies—economic prosperity, time-space shrinkage, transparent interaction and governance—has been overwhelming. This fosters a pervasive belief that technologies of computation and communication are agnostic to politics: there is a disconnect between everyday practices of technology and spectrum of politics within which we operate.

Let me give an example to explain this. Take a blank sheet of paper. To all appearances, it is completely agnostic to the uses it can be put to. It can become a letter of love, it can become a note of dismissal, shattering the dreams of somebody who is fired, it can be a promissory note facilitating legal and economic transactions, or it can become the rag to mop a spill on your desk. It is generally presumed that the piece of paper does not have any design or agency. And yet, it is obvious from history that this sheet of paper did indeed revolutionise the world.

The advent of the printing press, the ability to mass-produce paper, the possibility of sending disembodied messages, the power of the paper to store information which can then be retrieved, has been transforming the world the last 500 years. It is a technologised platform that, by its very design possibilities and limitations, is able to shape, not only how we have communicated with each other, but also how we think. Let us remember the first proof of our identity is not in images or in sounds, but in a document, printed on a piece of paper, that declares us human and alive and legally present—the birth certificate.

We have grown so used to the world of writing and of printing that we have appropriated paper as an integral part of the human socio-cultural fabric. However, technology interfaces and products have not only a political agenda in their design, but also the power to shape the ways in which human history and memory function. The blank sheet of paper, in its inability to capture oral traditions, eradicates them. The tyranny of a piece of paper brings a fixity to articulations which are fluid. To think of the paper as bereft of political design, ambition and destiny, would be to neglect the lessons learned in history.

The digital interface needs to be understood through similar prisms. It is presumed that the digital interface in itself is not political in nature. Or politics is reduced to the level of content. In the process certain significant questions remain unanswered: who owns the digital technologies? Who supports them? Who benefits from them? Who controls them? Who remains excluded? Who is being made to bear the burdens?

Questions about exclusion and discrimination, built into the very structure of technology, are often overlooked. How do technologies determine who gets a voice? How do the digital webs exclude those who shall always remain outcasts? What happens to our understanding of the relationship between the state and the citizen? What are our digital rights? How does the technology design mitigate social evils? How does technology emerge as the de-facto arbitrator of law?

Politics plays a part in the very presence and design of these technologies. It is perhaps time to proclaim that, like the personal, “The Technological is the Political.”


Privacy

by kaeru — last modified Dec 14, 2012 10:26 AM
Privacy and the Indian Copyright Act by Prasad Krishna — last modified Aug 06, 2013 01:37 PM
India's Copyright Act was established in 1957, and is in the process of being placed before the Parliament in 2010. The provisions in the proposed Bill will work to make the Act WIPO Copyright Treaty (WCT) compliant. When looking at privacy in the context of copyright four key questions arise, says Elonnai Hickok as she analyses privacy in the context of the Indian Copyright Act.
Cybercrime and Privacy by Prasad Krishna — last modified Sep 14, 2010 01:21 PM
Elonnai Hickok examines privacy in the context of India’s legal provisions on cybercrime. She picks up the relevant provisions of the Information Technology Act as amended in 2008 dealing with cyber crimes and provides a fair analysis of the pros and cons of the amended Act.
Privacy, Free/Open Source, and the Cloud by Elonnai Hickok — last modified Mar 22, 2012 05:50 AM
A look into the questions that arise concerning privacy and cloud computing, and how open source plays into the picture.
C.I.S Responds to Privacy Approach Paper by Elonnai Hickok — last modified Mar 21, 2012 10:08 AM
A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for the need for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation.
American Bar Association Online Privacy Conference: A Report by Elonnai Hickok — last modified Mar 21, 2012 10:08 AM
On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panelists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take.
Privacy and Banking: Do Indian Banking Standards Provide Enough Privacy Protection? by Elonnai Hickok — last modified Mar 21, 2012 10:07 AM
Banking is one of the most risky sectors as far as privacy is concerned due to the highly sensitive and personal nature of information which is often exchanged, recorded and retained. Although India has RBI guidelines and legislations to protect data, this blog post looks at the extent of those protections, and what are the areas that still need to be addressed.
Privacy and Telecommunications: Do We Have the Safeguards? by Elonnai Hickok — last modified Mar 21, 2012 10:06 AM
All of you often come across unsolicited and annoying telemarketing calls/ SMS's, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.
Consumer Privacy - How to Enforce an Effective Protective Regime? by Elonnai Hickok — last modified Mar 21, 2012 10:06 AM
In a typical sense, when people think of themselves as consumers, they just think about what they purchase, how they purchase and how they use their purchase. But while doing this exercise we are always exchanging personally identifiable information, and thus our privacy is always at risk. In this blog post, Elonnai Hickok and Prashant Iyengar through a series of questions look through the whole concept of consumer privacy at the national and international levels. By placing a special emphasis on Indian context, this post details the potential avenues of consumer privacy in India and states the important elements that should be kept in mind when trying to arrive at an effective protective regime for consumer privacy.
Public Statement to Final Draft of UID Bill by Elonnai Hickok — last modified Mar 22, 2012 05:48 AM
The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become law in India. The following note contains Civil Society's response to the final draft of the Bill.
UID Meeting in Bangalore – A Report by Prasad Krishna — last modified Jan 04, 2011 08:14 AM
On 23 November 2010 a public meeting was held for the UID in Bangalore. The speakers included B.K Chandrashekar, former Chairman of the Karnataka Legislature Council, Mr. Vidyashankar, Principal Secretary to Government of e-commerce, Sunil Abraham, Executive Director of Centre for Internet and Society, Jude D’Souza, Technology Specialist and Mathew Thomas, Retired Army Officer.
Should Ratan Tata be Afforded the Right to Privacy? by Elonnai Hickok — last modified Mar 21, 2012 10:03 AM
The Ratan Tata case has raised many important questions pertaining to privacy. This note looks at a few of those questions, and the debate that centers around them.
UID & Privacy - A Call for Papers by Elonnai Hickok — last modified Mar 21, 2012 10:03 AM
Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010.
The Privacy Rights of Whistleblowers by Elonnai Hickok — last modified Mar 22, 2012 05:47 AM
The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy.
Does the UID Reflect India? by Elonnai Hickok — last modified Mar 22, 2012 05:45 AM
On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events.
An Open Letter to the Finance Committee: SCOSTA Standards by Elonnai Hickok — last modified Dec 20, 2013 03:58 AM
The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.
Privacy Matters Conference Agenda by Prasad Krishna — last modified Jan 14, 2011 11:45 AM
The "Privacy Matters" conference is taking place on Sunday January 23rd, at NUJS Law school at 10:30. It is a full day event that will discuss the challenges and concerns of privacy in India. Below is the agenda for the event. We look forward to your participation and attendance.
Privacy Matters — Conference Report by Prasad Krishna — last modified Jan 27, 2011 10:22 AM
A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.
Analysing the Right to Privacy and Dignity with Respect to the UID by Deva Prasad — last modified Mar 21, 2012 09:54 AM
In the below note, Deva Prasad, LLM Candidate at NLSIU, explores the challenges that the UID project faces from a legal perspective.
Privacy By Design — Conference Report by Prasad Krishna — last modified Aug 22, 2011 12:03 PM
How do we imagine privacy? How is privacy being built into technological systems? On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event.
Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert by Elonnai Hickok — last modified Mar 21, 2012 09:35 AM
Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.
A Street View of Private and the Public by Prashant Iyengar — last modified Mar 21, 2012 09:34 AM
Prashant Iyengar on how in the eyes of the law, the internet giant is like the homeless in India. This article was published by Tehelka on June 4, 2011.
Privacy Matters, Guwahati — Event Report by Prasad Krishna — last modified Aug 26, 2011 10:31 AM
On June 23, a public seminar on “Privacy Matters” was held at the Don Bosco Institute in Karhulli, Guwahati. It was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS and was attended by RTI activists and grass roots NGO representatives from across the North Eastern region: Manipur, Arunachal Pradesh, Tripura, Nagaland, Assam and Sikkim. The event focused on the challenges and concerns of privacy in India.
An Overview of DNA Labs in India by Shilpa Narani — last modified Feb 02, 2016 01:11 PM
DNA fingerprinting has become the most precise and technologically advanced method for identifying crimes such as murder, kidnapping, robbery and rape. Police and judicial authorities and in some cases even private parties retain this in their records, writes Shilpa in this blog post.
My Experiment with Scam Baiting by Sahana Sarkar — last modified Mar 13, 2012 10:43 AM
Today, as I am sure many of you have experienced, Internet scams are widespread and very deceptive. As part of my research into privacy and the Internet, I decided to follow a scam and attempt to fully understand how Internet scams work, and what privacy implications they have for Internet users. Though there are many different types of scams that take place over the Internet (identity scams, housing scams, and banking scams, just to name a few), I decided to look in depth at the lottery scam.
The DNA Profiling Bill 2007 and Privacy by Elonnai Hickok — last modified Mar 21, 2012 09:40 AM
In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill from a privacy perspective.
The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt by Prashant Iyengar — last modified Feb 29, 2012 05:45 AM
Over the past few days various newspapers have reported the imminent introduction in Parliament, during the upcoming Monsoon session, of a Right to Privacy Bill. Since the text of this bill has not yet been made accessible to the public, this post attempts to grope its way – through guesswork – towards a picture of what the Bill might look like from a combined reading of all the newspaper accounts, writes Prashant Iyengar in this blog post which was posted on the Privacy India website on June 8, 2011.
UID: Nothing to Hide, Nothing to Fear? by Shilpa Narani — last modified Sep 28, 2011 11:44 AM
Isn’t it interesting that authorities ask you about your identity and you end up showing your proof of existence! Isn’t this breaching into one’s personal life? Why so much transparency only from the public side? Why can’t the government be equally transparent to the public?, asks Shilpa Narani.
An Interview with Activist Shubha Chacko: Privacy and Sex Workers by Elonnai Hickok — last modified Mar 28, 2012 06:26 AM
On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation.
Limits to Privacy by Prashant Iyengar — last modified Dec 14, 2012 10:28 AM
In his research article, Prashant Iyengar examines the limits to privacy for individuals in light of the provisions of the Constitution of India, public interest, security of state and maintenance of law and order. The article attempts to build a catalogue of all these justifications and arrive at a classification of all such frequently used terms invoked in statutes and upheld by courts to deprive persons of their privacy.
Video Surveillance and Its Impact on the Right to Privacy by Vaishnavi Chillakuru — last modified Sep 29, 2011 05:35 AM
The need for video surveillance has grown in this technologically driven era as a mode of law enforcement. Video Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. In this regard it is pertinent to highlight that not only are governments using this system, but residential communities in certain areas are also using this system to create a safer environment.
When Data Means Privacy, What Traces Are You Leaving Behind? by Noopur Raval — last modified Nov 24, 2011 09:24 AM
How do you know yourself to be different from others? What defines the daily life that you live and the knowledge you produce in the span of this life? Is all that information yours or are you a mere stakeholder on behalf of the State whose subject you are? What does privacy really mean? In a society that is increasingly relying on information to identify people, collecting and archiving ‘personal’ details of your lives, your name, age, passport details, ration card number, call records etc, how private is your tweet, status update, text message or simply, your restaurant bill?
Privacy & Media Law by Sonal Makhija — last modified Dec 14, 2012 10:26 AM
In her research, Sonal Makhija, a Bangalore-based lawyer, tries to delineate the emerging privacy concerns in India and the existing media norms and guidelines on the right to privacy. The research examines the existing media norms (governed by Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority), the constitutional protection guaranteed to an individual’s right to privacy upheld by the courts, and the reasons the State employs to justify the invasion of privacy. The paper further records, both domestic and international, inclusions and exceptions with respect to the infringement of privacy.
Right to Privacy Bill 2010 — A Few Comments by Elonnai Hickok — last modified Mar 22, 2012 06:26 AM
Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.
Conference Report: 'Privacy Matters' Bangalore by Prasad Krishna — last modified Feb 08, 2011 05:13 AM
On February 5th the 'Privacy Matters' conference was held at the TERI Regional Center in Bangalore. The event ran for a full day and centered on issues of privacy, including privacy rights of minorities, privacy and open government data, and privacy and identity.
Open Letter to the Finance Committee: Operational Design by Prasad Krishna — last modified Feb 17, 2011 10:02 AM
The objective of the UID project is to provide identity infrastructure that is not susceptible to fraud or error. This note highlights parts of the operational design of the project, which are flawed. We plead that each point be taken into consideration and that the design be suitably revised.
Open Letter to the Finance Committee: UID Budget by Prasad Krishna — last modified Feb 17, 2011 11:18 AM
This note presents the aspects of the UID project, which have not been considered or incorporated into the UID’s budget. The costs include re-enrollment, loss in human time, and the cost of the audit function.
Open Letter to the Finance Committee: Biometrics by Prasad Krishna — last modified Feb 17, 2011 01:12 PM
This note points out the weaknesses inherent in biometrics and the pitfalls in using them. It recommends procedural safeguards that should be adopted by the UID in order to make the use of biometrics more secure and inclusive.
Open Letter to the Finance Committee: Finance and Security by Prasad Krishna — last modified Feb 17, 2011 11:57 AM
This note explores the three connections between finance and security and demonstrates the cost implications of operating a centrally designed identity management system as proposed by the UID. In doing so, it shows how the monitoring, storing, and securing of transactional data in a centralized database fall short of meeting the project's objectives of authentication, and thus is an additional cost. Further, it is argued that the blanket monitoring of the transaction database is not an effective method of detecting fraud, and is an expensive component of the project.
Open Letter to the Finance Committee: UID and Transactions by Prasad Krishna — last modified Feb 24, 2011 01:35 PM
Since official documentation from the UIDAI is very limited, we assume that data pertaining to transactions would comprise the Aadhaar number, the identifier of the authenticating device, a date-time stamp, and an approval/rejection/error code. Recording and maintaining data pertaining to transactions is very important because it increases transparency and accountability through an audit trail. However, storage of such sensitive data creates many privacy risks, because more often than not metadata gives you as much intelligence as raw data.
Privacy and Governmental Databases by Elonnai Hickok — last modified Mar 22, 2012 05:41 AM
In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy in government databases.
A Stolen Perspective by Elonnai Hickok — last modified Mar 21, 2012 09:43 AM
The note below is a perspective piece on biometrics. On March 11th I traveled down to the Philippines, and had a chance to experience the possible convenience of biometric based identification.
News Broadcasting Standards Authority censures TV9 over privacy violations! by Prashant Iyengar — last modified Mar 22, 2012 05:14 AM
We at PrivacyIndia/CIS are delighted by the recent order issued by the News Broadcasting Standards Authority (NBSA), which slapped a 1 lakh rupee fine on the news channel TV9 for airing an extremely incendiary and invasive programme titled "Gay Culture rampant in Hyderabad".
'Privacy Matters', Ahmedabad: Conference Report by Prasad Krishna — last modified Apr 04, 2011 04:45 AM
On 26 March 2011, civil society, lawyers, judges, students and NGOs gathered together at the Ahmedabad Management Association to take part in 'Privacy Matters', a public conference organised by Privacy India in partnership with IDRC and the Research Foundation for Governance in India (RFGI), to discuss the challenges of privacy in India, with an emphasis on national security and privacy. The conference was opened by Prashant Iyengar, head researcher at Privacy India, and Kanan Dhru, director of RFGI. Mr. Iyengar explained Privacy India’s mandate to raise awareness of privacy, spark civil action, and promote democratic dialogue around privacy challenges and violations in India. RFGI is a think tank established in 2009 which aims to research, promote, and implement various reforms to improve the legal and political process in Gujarat and across India. ‘Privacy Matters – Ahmedabad’ is the third conference out of the eight that Privacy India will be hosting across India. The next conference will take place in Hyderabad on 9 April 2011. It will focus on human rights and privacy.
Encryption Standards and Practices by Elonnai Hickok — last modified Mar 22, 2012 05:39 AM
The below note looks at different types of encryption, varying practices of encryption in India, and the relationship between encryption, data security, and national security.
Surveillance Technologies by Elonnai Hickok — last modified Mar 22, 2012 05:40 AM
The following post briefly looks at different surveillance technologies, and the growing use of them in India.
Is Data Protection Enough? by Elonnai Hickok — last modified Mar 22, 2012 05:28 AM
The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.
Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy? by Prashant Iyengar — last modified Dec 14, 2012 10:29 AM
How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples.
Consumer Privacy in e-Commerce by Sahana Sarkar — last modified Mar 28, 2012 04:53 AM
Looking at the larger picture of national security versus consumer privacy, Sahana Sarkar says that though consumer privacy is important in the world of digital technology, individuals must put aside some of their civil liberties when it comes to the question of national security, as it is necessary to prevent societal damage.
Copyright Enforcement and Privacy in India by Prashant Iyengar — last modified Dec 14, 2012 10:27 AM
Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse, writes Prashant Iyengar. The research examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India and concludes by examining the notion of the private that emerges from a tapestry view of the relevant sections of Copyright Act.
Privacy Blog by kaeru — last modified Aug 08, 2011 07:41 AM
An analysis of privacy in the context of India
Re-thinking Key Escrow by Natasha Vaz — last modified Aug 22, 2011 11:44 AM
Would you make duplicates of your house keys and hand them over to the local police authority? And if so, would you feel safe? Naturally, one would protest this invasion of privacy. Similarly, would it be justified for the government to have a copy of the private key to intercept and decrypt communications? This is the idea behind key escrow; it enables government ‘wiretapping’.
CCTV in Universities by Merlin Oommen — last modified Sep 01, 2011 09:50 AM
Basic Closed Circuit Television (CCTV) Infrastructure is used to observe movements from a central room, and consists of one or more video cameras that transmit video and audio images to a set of monitors or video recorders.

Whole Body Imaging and Privacy Concerns that Follow

by Srishti Goyal — last modified Sep 29, 2011 05:38 AM
Law student at the National University of Juridical Sciences, and intern for Privacy India, Srishti Goyal compares, contrasts, and critiques the Whole Body Imaging practices found in the US, the UK, and Australia, and makes recommendations for an Indian regime.

Introduction

Whole Body Imaging has been introduced in many countries in light of growing security concerns, two examples in particular being the attack on the twin towers in the USA, and what is commonly known as the Christmas Bomb (a man by the name of Umar Farouk Abdulmutallab tried to detonate a bomb on a flight from Amsterdam as it was about to land in Detroit). Despite the security concerns that have motivated the implementation of Whole Body Imaging, there are also many concerns that have prevented the full-fledged application of this technology. Opponents of the technology have stated that the full body scanner would expose travelers to harmful radiation and is thus a health hazard. Others have stated that these digital strip searches (as they are popularly known) will violate child pornography laws. Some, who are trying to encourage the use of full body scanners, are of the opinion that it is better to opt for a whole body scan as the “pat down” searches are more invasive in nature. There are also concerns that persons may be singled out on the basis of their color and ethnicity. The scope of research for this particular paper is limited to the privacy concerns that have arisen in light of the use of the technology in order to achieve better security. The question that forms the crux of the debate is: should one's personal privacy be compromised in order to ensure security for one and all? The primary reason why whole body scanners are said to breach privacy is the invasive nature of the images produced, which can be detailed enough to show the genitalia of the person being scanned.
Learning from the experience of other nations that have already implemented the use of Whole Body Imaging, we can decide what policies India should have in place and, most importantly, whether or not India realistically has a use for this technology.
Adequate privacy, it is said, is obtained when the restriction on access to persons and personal information allows a person not to be subjected to intrusion and public exposure [1]. Full body scanners can be called intrusive because in effect they allow the government to carry out strip searches by using technology to remove clothes instead of physically doing the same. Apart from this there are other concerns. For instance, there have been instances when these images have been saved and uploaded on the internet [2]. In Lagos these images have been used as pornographic material. There is also cause for concern amongst transgender people who do not feel comfortable revealing their gender, which is different from the gender that they portray [3], and they are of the opinion that this information could lead to harassment. Since the scanners can detect medical equipment, people who use colostomy bags and catheters, which are otherwise hidden, may find these scans embarrassing [4].

USA

In the US, Whole Body Imaging was introduced in light of the growing concerns with regard to security at airports and terrorist attacks. The Transportation Security Administration (TSA) is responsible for monitoring security at the airport. The TSA has thus introduced Full Body Scanners at airports. In order to address the privacy concerns that have been raised, the TSA has taken the following steps:

  • Ensuring that the Security Officer who is privy to the scan is not the same as the officer interacting with the person who is being scanned.
  • The TSA has also stated that personally identifiable information will not be stored and distributed.[5]
  • Another step towards safeguarding the privacy of the passengers has been to blur the faces of the persons being scanned.[6]

Though the TSA has taken various steps to ensure the privacy of individuals, one can argue that these measures are not without loopholes. The fact that the Security Officer looking at the scan and the Security Officer handling the passenger are different does not do away with this invasion of privacy. There is also the added concern that these images may be uploaded on the internet, which in fact has already been done. The release and collection of these images is in contravention of the Privacy Act of 1974, which governs the collection, maintenance, use and dissemination of personally identifiable information about individuals that is in the possession of federal agencies. The TSA assures that the images will not be retained, but the fact is that the machines have been programmed so as to enable retention of images; if this capability has been disabled, it can be tampered with. Lastly, on the point of blurring of faces, it is a software fix and can be undone as easily as the software was applied. The TSA in its Privacy Impact Assessment report had stated that full body scanning would initially be a secondary screening measure. What this means is that everyone goes through one level of security screening, and if one is randomly selected or security has reason to suspect a passenger, the passenger can be called for a second level of screening, at which point the passenger will undergo full body scanning.
A federal judge in California said in 1976 that the laws of privacy “encompass the individual's regard for his own dignity; his resistance to humiliation and embarrassment; his privilege against unwanted exposure of his nude body and bodily functions." As already stated, these body scanners lead to situations that can be embarrassing, do lead to unwanted exposure of the body, and can lead to situations where the person scanned could be humiliated (as in the case of transgender persons and persons with catheters and colostomy bags). The Electronic Privacy Information Center (EPIC) is a non-profit group that was established to focus attention on civil liberties issues. EPIC challenged the constitutional validity of full body scanning, claiming that it violated the Fourth Amendment [9]. The amendment guards against unlawful searches and seizures. In the case of whole body imaging, travelers are subjected to “invasive searches” without any suspicion that they did anything wrong, and without being informed of the reason they are being subjected to a search of such a nature. [10] The latest is the use of this technology in courthouses in Florida and at train stations.

UK

In the UK, if a passenger is selected for full body scanning, the passenger must comply [11]. The passenger is forbidden from flying if he or she refuses the scanning process and cannot ask for an alternate screening process [12]. Unlike in the US, in the UK the option of a pat-down search is not available. The steps taken to protect the privacy of the passengers are the same as practiced in the US.

  • The images of the passengers are not retained.
  • The images are produced in such a manner that the Security Officer cannot recognize the person.

A major concern in the UK is the violation of child pornography laws that do not allow the creation of indecent images of a child. However, a rule that would have exempted persons under the age of 18 from full body scans was overturned by the government in the UK [13]. In 2010, Gordon Brown, the Prime Minister of the UK, gave permission for the use of full body scanners at airports. BAA Ltd, which operates six airports in the UK (including Heathrow Airport), has undertaken the installation of these scanners at its airports. In general, security at the airports comes under the ambit of the Homeland Security and the department will be supervising the installation of the machines. Lord Adonis, the Transport Secretary, confirmed the new policy in a written parliamentary statement, saying that the scanners would help security staff to detect explosives or other dangerous items [14].

One of the major opponents of Whole Body Imaging has been the Equality and Human Rights Commission (EHRC), which is of the opinion that the use of this technology would breach the privacy rules under the Human Rights Act [15]. The move to use this technology has raised concerns about the excessive collection of personal data. Big Brother Watch, a campaign that fights intrusion on privacy and protects the liberties of people, started an online movement that opposes and raises concerns about full body scanning. It has also listed all the airports around the world that are using (or are going to be using) this technology [16]. The only group that has openly welcomed this move by the government has been the Liberal Democrats [17]. The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators.

The privacy policy should include as a minimum:

  • Rules regarding the location of the equipment;
  • A process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
  • A process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as gender, age, race or ethnic origin);
  • Prohibition on copying or transferring the images in any way;
  • Instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
  • A process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The BodyScanner Task Force was established by the European Commission to publish an impact assessment report and to advise the commission, but the task force has yet to publish its report with specific legislative proposals [18].   

Concerns in the UK also arose in light of a response of a judge to a complaint by the Electronic Privacy Information Centre (based in Washington). The judge stated that the Department of Homeland Security (USA) would be allowed to keep images of individuals screened at the airport [19]. This raises concerns amongst activists as to which images can and which images cannot be saved by the airport authorities.

Australia

After the attempted attack on Christmas Day, pressure on countries such as Australia to make use of whole body imaging technology increased. However, the Association of Asia Pacific Airliners, an association of the international carriers servicing Australia, criticised the use of full body scanners [20]. Apart from the privacy concerns that people all over the world share, another aspect that is cause for concern in Australia is the increase in the cost of travel. The machines used for whole body imaging are extremely expensive, and thus the question posed time and again in Australia is whether it will be economically viable to make use of this technology [21]. The Queensland Council for Civil Liberties has opposed the use of this Advanced Imaging Technology (AIT) and has stated that passengers should be allowed to refuse being scanned and should be allowed to opt for a pat down. Kevin Rudd (the Prime Minister of Australia at the time of implementation of this technology) had taken note of the privacy concerns and assured that measures would be undertaken to mitigate these concerns. Currently, body scanners are installed at the international airports in Australia. The transport minister has said that the images produced would be stick figures and not naked images [22]. This move has been taken in light of the backlash that body scanners faced in the USA. Changes regarding whole body imaging have been referred to the Privacy Commissioner in order to ensure that privacy is not intruded upon. Namely, full body screening will not be applied to all passengers; instead, passengers will either be randomly selected or will be selected on the basis of their profiles [23].

India

Currently in India whole body scanners can be found at the Delhi International Airport [24]. Thus, debate and discussion about the use of these scanners has not gained much momentum in India. It would be advisable that when framing legislation or guidelines to govern full body scanners, India incorporates the experiences of other nations who have already started the use of this technology.

Generally speaking, it seems as though the use of a full body scanner would not be recommendable for the Indian scenario. It has already been seen that these scans are not very effective in detecting plastic and fluids [25]. Additionally, the scanner only shows objects that are on the body and not in the body. Thus, the effectiveness of these scanners is questionable (especially considering they cannot detect plastics and light fluids) [26]. Additionally, in India the demographic using these scanners would be very different from the people using these scanners in other countries. For instance, it has been pointed out that the interests of Muslim women have not been taken into account when introducing this method of screening. Apart from personal privacy issues there are religious issues that arise, and though the instances of the same may be far apart in other nations, in India they will act as a hindrance on a daily basis. If not dealt with delicately, this can be a major cause of concern that will have far-reaching ramifications. Furthermore, one cannot stress enough the cost that will be involved in the implementation of these scanners. These scanners are extremely expensive and require trained Security Officers to operate them. Additionally, what the scanners seek to accomplish can be achieved by ensuring that the pat-downs are carried out properly. But there is a caveat that must be mentioned here. In the US, one is allowed to choose between a pat-down and a body scanner. There have been instances when these pat-downs have been more intrusive than the body scanners. Thus, there should be guidelines in place as to how these pat-downs should be carried out. The guidelines should specify actions that the Security Officials would not be allowed to carry out.

Lastly, even if India decided to adopt full body scanners, considering that a scan helps save time and takes only 15 seconds to complete, it should not be used as a primary screening method. Hypothetically, if body scanners are used as a secondary screening process, alternate screening processes should be available if the passenger does not wish to subject himself/herself to the scan. But then the question is why should the government invest so much in an expensive technology which the passengers can easily avoid?

 

Bibliography:

 
[1] A Companion to Philosophy of Law and Legal Theory, Constitutional Law and Privacy, Anita. L. Allen Pg 147.

[2] http://gizmodo.com/5690749/these-are-the-first-100-leaked-body-scans.

[3] Available at http://www.airlinereporter.com/2010/08/we-do-not-have-all-the-same-body-parts-and-body-scanners-violates-your-privacy/.

[4] http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searchers.

[5] Privacy impact assessment report. Available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_wbi.pdf.

[6] http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searches.

[7] http://travel.usatoday.com/flights/2010-07-13-1Abodyscans13_ST_N.htm.

[8] http://www.stopdigitalstripsearches.org/.

[9] http://epic.org/privac/airtravel/backscatter/.

[10] http://www.dailymail.co.uk/news/article-2012249/TSA-scanners-catch-implant-bomber-admit-officials.html?ito=feeds-newsxml.

[11] http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.

[12] http://www.bigbrotherwatch.org.uk/home/2010/03/body-scanner-refuseniks.html.

[13] http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.

[14] http://www.timesonline.co.uk/tol/news/uk/article7011224.ece.

[15] http://www.timesonline.co.uk/tol/news/politics/article6990990.ece.

[16] http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.

[17] http://news.bbc.co.uk/2/hi/8438355.stm.

[18] http://www.huntonprivacyblog.com/2010/02/articles/european-union-1/uk-airports-implement-compulsory-use-of-full-body-scanners/.

[19] http://www.bigbrotherwatch.org.uk/home/2011/01/judge-blocks-investigations-into-body-scanners.html.

[20] http://www.theaustralian.com.au/travel/backlash-to-airport-body-scans/story-e6frg8rf-1225817485755.

[21] http://www.sbs.com.au/news/article/1190826/full-body-scanners-to-be-introduced-at-airports.

[22] http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.

[23] http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.

[24] List of Airports with full body scanners. Available at http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.

[25] http://www.independent.co.uk/news/uk/home-news/are-planned-airport-scanners-just-a-scam-1856175.html.

[26] http://www.bigbrotherwatch.org.uk/home/2010/01/invasion-of-the-body-scanners.html.

UID: Questions without Answers – A Talk by Usha Ramanathan

by Natasha Vaz — last modified Nov 24, 2011 04:41 AM
UID enrolment is in full swing, providing an official identification to millions of Indians, yet there are numerous unanswered questions. A public talk on UID was held at the Institute of Science, Bangalore on September 6, 2011. Usha Ramanathan, an independent law researcher on jurisprudence, poverty and rights, discussed the questions that plague the UID project and the veil of silence enveloping the answers.

Ms. Ramanathan began her presentation by describing the progress and evolution of the UID project. She stated three adjectives that reflect the target goal of the Unique Identification Authority of India (UIDAI): unique, ubiquitous and universal. She demonstrated how their initial objectives and claims have been drastically altered in three major ways.

First and foremost, the UIDAI claimed that enrolment is voluntary, not mandatory, and hence, inclusive. Yet, Nandan Nilekani has consistently maintained that other agencies may make it compulsory. UID is becoming ubiquitous and is a prerequisite for access to a wide variety of welfare schemes and services such as PDS, MGNREGS, banks, public health, etc. It is thus clear that this could actually exclude those who do not have a number or whose biometrics don't work. Therefore, this undermines the inclusive nature of the project.

Second, the UIDAI claimed that the UID would enable inclusive growth. Ms. Ramanathan expressed a serious concern surrounding the risk of exclusion. Instead of facilitating inclusion, around two to five per cent of the Indian population would be excluded from the current process of authentication and potentially from having a UID number, as they do not have viable biometric data.[1] Physical or visual impairments such as corneal blindness, corneal scars, and malnourishment-induced cataracts, or ‘low-quality’ fingerprints from a lifetime of hard labour, prevent those affected from providing valid fingerprints or iris scans.[2]

Third, Ms. Ramanathan reiterated that the National Identification Authority of India Bill prohibited sharing data, except by the consent of the resident, by a court order or for national security. However, UID information is being directly fed into the National Intelligence Grid (NATGRID), which will then provide information about people that is in 21 databases to eleven security agencies, including the RAW and IB, over which there is no superintendence or oversight.[3] She discussed the high likelihood of a breach of privacy as there are insufficient standards protecting an individual from unlawful invasion. Additionally, the UIDAI does not have mechanisms in place for an individual to be notified if there is a data breach.

Who owns this project?

A very important question asked is, “Who owns this project?” Ms. Ramanathan stated that the convergence of information, especially during the ‘de-duplication’ process, clearly reflects the corporatization of the project. She also questioned the background of some of the technology companies involved. For instance, L-1 Identity Solutions is well known for its links with the CIA. Additionally, Accenture is on a Smart Borders project with US Homeland Security. She explained that ownership also plays into the feasibility and financial cost of the project. Furthermore, the UIDAI has not conducted a feasibility study on the technology or the financial cost of the project.

International Experience

Lastly, Ms. Ramanathan discussed the international experience of a universal identity system. In the United Kingdom, their universal system of identification was labelled as ‘intrusive bullying’ as well as ‘an assault on personal liberties’.  The United States and the United Kingdom both abandoned a universal identity system, as it was impractical, unjustified and dangerous.

Ms. Ramanathan raised many questions that evoked thought and discussion from the audience. She provided numerous examples of ambiguity, misconceptions and confusion surrounding the UID project.  She urged the audience to exercise their civil liberties or risk losing them. Lastly, she believed that an informed debate involving the UIDAI and the public is long overdue.

“The UIDAI must clarify misconceptions and provide detailed answers to crucial questions, as there is a lack of understanding within the general population about the UID. Therefore, the UIDAI and the Government of India must increase and ensure transparency of the UID project”, she added.

Ms. Usha Ramanathan was speaking at an event organised by Concern, an IISc student group. She was speaking in her personal capacity and the opinions reflected above are not necessarily those of CIS.

 



[1] Biometrics Design Standards for UID Applications (December 2009).

[2] Biometrics Design Standards for UID Applications (December 2009).

[3] Usha Ramanathan, The Myth of the Technology Fix, http://www.india-seminar.com/2011/617/617_usha_ramanathan.htm.

Design!Public II in Bangalore ― Event Report

by Yelena Gyulkhandanyan last modified Oct 20, 2011 08:48 AM
Design Public, a high-level conclave on innovation, took place in Bangalore at the National Gallery for Modern Art on October 14, 2011. The event was organized by the Centre for Knowledge Societies in collaboration with the Centre for Internet and Society, the Centre for Law and Policy Research, Mint, and others. The conclave brought together industry experts, scholars, and activists to create a dialogue about design and innovation in the public interest. This blog post captures the developments as they happened on this day.

The day consisted of discussions on several related topics, as well as engaging the participants in interactive challenge sessions.

Aditya Dev Sood, from the Centre for Knowledge Societies, kick-started the event with some words about the value of innovative thinking. Reflecting upon lessons learned from the previous Design Public conclave, Dr. Sood explained that while the previous event focused on governance innovation, the second Design Public conclave will reflect on the importance of citizen participation in innovation. After brief introductions of the conclave participants and speakers, the first session on Innovation and the Indian Corporation began.

Mr. Krishnan demonstrated the ingenuity of innovation through the history of the Indian mousetrap, describing three generations of mousetraps, each more functional and effective than the one before. One of the recurring views that emerged during the conversation was that while Indian society is highly innovative, large Indian corporations do not generally take part in innovation. Harish Bijoor explained why there is a lack of motivation on the part of Indian corporations to innovate by stating, "what happens to large companies is that they get too preoccupied with success." The comfort that comes with the achievement of success makes Indian corporations unmotivated to pursue innovative ideas. Mr. Krishnan also added that "the Indian corporate is too regimented, which kills innovation. Most innovators are outside of corporations."

A distinction was drawn between innovation in India and in the West: in most Western societies, innovation occurs at the topmost, resource-rich layer of society, while in India it is the opposite, and entrepreneurship happens at the grassroots, local level. Arun Pande offered a thought on improving the current trends, stating that large companies can play a role in innovation by collaborating with small entrepreneurs working on social issues. It was agreed among the speakers that Indian corporations need to focus on innovative ideas for tackling some of India’s grand challenges and improving the quality of life for citizens.

On that thought, the second panel began on the question: Is Innovation in the Public and Social Sectors Possible? Sunil Abraham, the panel moderator, introduced the session by giving an example of modern innovation, speaking about the Spice M9000 and the extremely efficient and economical way in which it is manufactured. The device comes with features such as a dual SIM card, radio receiver, a receiver for terrestrial television, two large boom-box speakers, and a projector. Five thousand of these devices can be manufactured in Shenzhen, China for Rs 2 crores within approximately 45 days.

The panel was asked whether academic knowledge and innovation can be incorporated into practical government policies. Ashwin Mahesh answered this question by stating, "the structure of absorbing information from academia is not present in the public sector." The speakers agreed that the government needs to encourage innovation and support its citizens to pursue innovative solution-based initiatives. Rohini Nilekani was of the opinion that "you need solution-based thinking on two levels, the state and local." Mr. Mahesh added that "the government needs to empower small communities to solve their problems and drive things locally, from the bottom-up." The necessity for private-public partnerships was a clear theme throughout the conversation, with Pratham Books given as a successful example of such an endeavour. Mrs. Nilekani explained that "we need to break down the distinction between what is public and what is private. We need to work towards a common goal. We need to innovate and design checks and balances to wheel public interest."

The third panel was on The Challenge of Start Up Innovation. Aditya Mishra from the Headstart Foundation defined a startup as something that makes a meaningful impact on society. According to Mr. Mishra, the startup ecosystem is problematic in India because large corporations generally do not engage in partnerships with startups. Naresh Narasimhan pointed out that "there is a notion that startup entrepreneurs do not have enough knowledge, so they get dismissed." It was further explained that aspiring entrepreneurs in India do not have enough spaces where networking and business negotiations could take place. Zackery Denfeld was of the opinion that there is a lot of innovation happening at the middle level, but more innovation needs to be done at the lower level. There is a need to focus on smaller start-ups. Design should be done at a higher pace. People should be able to fail fast, learn from mistakes, and start up again.

The Theory and Practice of Innovation was the next panel. Upon being asked to give a single sentence definition of design, the speakers provided several enlightening answers. M. P. Ranjan stated that it is human intentions and actions that generate value. Reto Wettach added that design encompasses "methods which help define solutions, and goals which help solve these problems." One of the emerging thoughts from the discussion was that design has a value that is measurable beyond monetary gain. Furthermore, when you take public issues into consideration, the non-designers are just as important as designers. "Everybody has privileged information which they can bring into the synthesis of a solution," stated Eswaran Subrahmanian.

Having learned from each other and the inspiring ideas that were circulating in the panel discussions, the participants were given three scenarios for which they were asked to brainstorm innovative approaches and solutions. The scenarios were Online Higher Education, Quality Maternal and Child Healthcare, and Toilet-training for All. During these sessions, the participants were confronted with problems faced by communities in India, which included the lack of higher education opportunities in rural areas, the need for proper and timely administered antenatal care, as well as the need to ensure village sanitation infrastructure. The solutions given to these problems highlighted the importance of a participatory approach to problem solving. Empowering community members and encouraging local leadership in innovative projects ensures their sustainability.

Concluding remarks on lessons learned and a way forward brought the afternoon to an end. Some of the final thoughts were that consensus is integral in the public space. End users and community members need to be involved in the process of design and innovation. While one must look beyond the government for instituting solutions to public problems and concerns, the role of the government, especially the local government, is also important. All sectors of society need to be engaged in design and innovation. "Persistence and methodology can make us an irresistible force," pointed out Ashwin Mahesh. 

On that note, the conclave came to an end, but without a doubt, the lessons and inspiration gained by the participants will continue on.

Seventh Open Letter to the Finance Committee: A Note on the Deduplication of Unique Identifiers

by Prasad Krishna last modified Nov 22, 2011 07:28 AM
Sahana Sarkar on behalf of the Centre for Internet and Society (CIS) had sent in a Right to Information application on 30 June 2011 to Ashish Kumar, Central Public Information Officer, UIDAI. The UIDAI sent in its reply. Through the seventh open letter, Hans attempts to characterize in an abstract way the replies that CIS managed to elicit and makes some elementary observations.
The UIDAI records one or more biometric signatures of those individuals to whom it assigns its unique identity or identifier; and for convenience let us call this the process of registering an applicant. In the normal course of registration the signatures of an applicant will be compared to those already recorded; and the outcomes of this exercise of comparing suites of biometric signatures — fingerprints and iris-scans, say — may be regarded as the values of a binary variable:

h1

With more than one signature, we have Y = 1 only when those of the applicant match the signatures in some other suite of such item by item; and Y = 0 then if at least one of his or her signatures fails to match any already recorded one.

Though the circumstance should be unlikely, a person who has already been registered may apply again to be registered: with fraudulent intent maybe: or simply because he or she has lost the document – some identity card, perhaps – which bears the identifier assigned to him or her by the UIDAI. And the possibilities here may be regarded as the values of a binary variable:

h2

Though we are regarding X and Y as variables equally, and taking them for jointly distributed ones, there is an evident asymmetry between them. The exercise of trying to match a given suite of signatures to some set of other suites can be performed so long as the signatures remain available; but for a given applicant the values of X refer to events already past. Faced with an applicant of whom they may suppose no more than what he or she may disclose, the personnel of the UIDAI cannot directly estimate either of the two quantities:

h3

We have p[X = 0] + p[X = 1] = 1 here, needless to say, so there is only one quantity that needs estimating. But it is worth emphasizing that even when an applicant declares himself to have been registered already— and has come, say, to have a lost card newly issued — the personnel of the UIDAI are obliged to remain agnostic about p[X = 1] : no matter how ready they are to believe him.[1]

That no individual should be assigned more than one identifier is an entirely evident desideratum: so the process of comparing the signatures of a fresh applicant to those already recorded must be a strict one. But the process of comparison should also make it very likely that, when a match of signatures does occur, the applicant is someone who has in fact been registered already. The chance that a genuinely new applicant’s signatures will match some already recorded suite should be very small: the proportion of such mistaken matches, among all matches, should be as low as possible. This proportion is usually denoted by p[X = 0 | Y = 1] : the conditional probability that X = 0 given that Y = 1 : the chance that, despite a match of signatures, the applicant has not in fact been registered already. The defining formula:

h4

relates this conditional probability to the ‘absolute’ or ‘raw’ probabilities of the events [Y = 1] and [X = 0 and Y = 1] ; the second of which is sometimes said to be contained in the first.

Suppose that there have been N applicants thus far. It is usual to say N trials of X and Y have occurred; but only the outcomes for Y are known. Suppose that matches have been found some m times out of these N ; then N − m applicants will have been registered. With regard to these trials, set

h5

Note that these numbers are not individually known; but as the specified events exhaust the possibilities, we have c_00 + c_01 + c_10 + c_11 = N; and we do know that

h6

The ratio m/N would be a reasonable estimate of p[Y = 1]; and (N − m)/N a reasonable estimate of p[Y = 0] = 1 − p[Y = 1] likewise. The quantity we are seeking is p[X = 0 | Y = 1] however: of which the ratio c_01/m would be a natural estimate. But unless we have some sense of the relative magnitudes of c_01 and c_11 the quantity

h7

could be anything between 0 and 1 now. To estimate the relative magnitudes of c_01 and c_11 in any direct way would be difficult, because one has no purchase on how likely the events [X = 0 & Y = 1] or [X = 1 & Y = 1] are. So p[X = 0 | Y = 1] must be estimated directly, it would seem; and we shall come back to the question.

The reply we have received from the UIDAI indicates that 2.59 × 10^7 registrations — or successful ‘enrolments’, as they have put it — had been effected by 17.08.2011; while the ‘enrolments rejected’ came to 2.005 × 10^3 they say. Enrolments were rejected when ‘residents were duplicates’: if we take this to mean that an applicant was refused registry on account of his signatures matching some suite of signatures already recorded, then we may suppose that

h8

The False Positive Identification Rate, or FPIR, is defined in that reply as the ratio of the number of false positive identification decisions to the total number of enrolment transactions by unenrolled individuals: if by “unenrolled individual” we understand an applicant of whom [X = 0] actually obtains, then in our notation we have

h9

rather: which would be a natural estimate of p[X = 0 & Y = 1] now, and since

h10

the ‘false positive identification rate’ thus construed could be bound, at least, if p[X = 0 | Y = 1] itself could be. At any rate, this latter proportion seems to be the most pertinent one here: p[X = 0 | Y = 1] is the conditional probability, of mistaken matches, that the UIDAI must strive to keep as low as possible.

The reply from the UIDAI defines a false negative identification as an incorrect decision of a biometric system that an applicant for a UID, making no attempt to avoid recognition, has not been previously enrolled in the system, when in fact they have. One is at a loss to understand how the personnel of the UIDAI are to determine when an applicant is making no attempt to avoid recognition. Putting that aside, the False Negative Identification Rate or FNIR would now appear to be p[X = 1 | Y = 0] : the probability that, despite his or her signatures not matching any already recorded suite, an applicant has in fact already been registered: and with our notation

h11

now. But c_10 cannot be reliably estimated, again, because one has no purchase on how likely [X = 1 & Y = 0] is; and the conditional probability p[X = 1 | Y = 0] will have to be estimated or bound in some direct way as well.

The preceding paragraphs have asserted that, in order to estimate or effectively bound the identification rates being sought by the UIDAI, the conditional probabilities p[X = 0 | Y = 1] and p[X = 1 | Y = 0] will have to be addressed in some direct way: without any attempt to estimate the likelihoods of [X = 0 & Y = 1] and [X = 1 & Y = 0] by themselves, that is to say. There might be ways of reliably estimating these conditional probabilities; and the manufacturers of the devices that produce the signatures may have provided tight bounds on what they would be — when the devices are working properly, at least. But let us now consider how the UIDAI has elaborated on these rates.

Their reply to our second question states that the biometric service providers have to meet the following accuracy SLA’s for FPIR and FNIR:

h 12

The condition of ‘non-duplication’ in the requirement (P) implies that the FPIR is being understood now as the formula in (†) above computes it: as an estimate of the conditional probability p[Y = 1 |X = 0]: since one already knows that [X = 0] for each enrolment here. Such an estimate could be made if one had obtained a sample of suites of signatures from distinct individuals — where no two suites in the sample could have come from the same individual — and compared each suite to every other: the proportion of matches found would be an estimate of p[Y = 1 |X = 0] now.[2]

The ‘biometric service providers’ the UIDAI has contracted with are presumably able to perform such experiments accurately. But an estimate of p[Y = 1 |X = 0] will not, as we shall momentarily see, by itself readily yield a usable bound on p[X = 0 | Y = 1] : on the crucial likelihood that, despite his or her suite of signatures matching a suite already recorded, an applicant has not in fact been registered.

The condition “ONLY duplicate enrolments” in the requirement (N) implies that the FNIR is being understood as an estimate of the conditional probability p[Y = 0 |X = 1] now: as one already knows that [X = 1] for each enrolment here. The biometric service providers should be able to estimate this probability as well. The FNIR as (‡) construes it is an estimate of p[X = 1 | Y = 0] rather; but a usable bound for this likelihood is readily got from p[Y = 0 |X = 1] now, for we may surely expect p[X = 1] < p[Y = 0].

Let us see if the requirement (P) will yield any usable upper bound on the crucial likelihood p[X = 0 | Y = 1]: which, to note it again, is what the UIDAI must seek to minimise. Consider the consequences when the FPIR is understood as (P) envisages. Taken together with formula (1) above we have

h13

If we are not willing to wager on any upper limit appreciably less than 1 for p[X = 0] , we obtain

h 12

now.[3] Unless one can reasonably suppose that the event [Y = 1] never occurs, one must grant that p[Y = 1] > 0 . We have

h15

But this inequality yields a usable upper bound only when K < 3: only when K is 1 or 2 that is. In either case, only by supposing that p[Y = 1] > 10^−2 will the accuracy mandated for the FPIR by the UIDAI yield a usable upper bound on p[X = 0 | Y = 1]. Since the UIDAI expects that p[Y = 1] < 10^−2 surely, we must conclude now that the requirements it has imposed on its ‘biometric service providers’ will not help its personnel estimate an upper limit for the crucial likelihood that, despite his or her suite of signatures matching some already recorded suite, an applicant for a UID has not in fact been registered already: which likelihood, to insist again, is what the UIDAI must seek to minimise.

The argument just made will seem perverse: but the calculation is perfectly general. Suppose an FPIR limit of 10^−J is mandated; then, unless one is willing to wager an upper limit on p[X = 0], one cannot get a usable upper bound on p[X = 0 | Y = 1] from this limit on the FPIR, used all by itself, unless one supposes that p[Y = 1] > 10^(−J+1).

To save writing, denote by L01 the crucial likelihood p[X = 0 | Y = 1] ; and suppose that   is some desired upper bound on L01 now. Assume that the FPIR achieved by a service provider is an accurate estimate of p[Y = 1 |X = 0] ; then from (1) we get

h16

Now [X = 0] should not be a rare event at all, and, conversely, [Y = 1] should be a rare event.[4] So one should be able to set some reasonable upper limit to the ratio p[Y = 1]/p[X = 0]: but without attempting any precise estimate, at all, of either individual probability. One may reasonably expect, for instance, that no more than one in a thousand applicants for a UID will already have been registered; and when p[X = 1] < 10^−3 we will have

h17

h18

h19

from (3) above. This calculation can be repeated with any number m in place of 3 here, of course, provided p[X = 1] < 10^−m and p[Y = 1] < 10^−m are both likely; and it seems entirely reasonable, now, for the UIDAI to insist that its biometric service providers meet the requirement

h20

for some appropriate upper bound X on L01. The considerations leading to (4) make it reasonable to insist on m ≥ 3 now; and recalling what L01 is — the crucial likelihood that, despite his or her signatures matching some already recorded suite of signatures, an applicant has not in fact been registered — the UIDAI will have to insist on some quite small bound X: for it would not want, too often, to refuse anyone a UID on account of a mistaken match of biometric signatures.[6]

It would be foolish to speculate on what the authorities regard as acceptable error here; but if the UIDAI is of a mind that such mistakes should happen less than one in a thousand times say, then, taking the minimal value of 3 for m in the suggested requirement (R), it should demand an FPIR less than 10^−6: a ‘false positive identification rate’ a thousand-fold less than the limit currently imposed.
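The base-rate arithmetic behind this conclusion can be checked numerically. The Python below is an added example, not part of the open letter or of the UIDAI's reply: it uses the enrolment and rejection counts quoted above, the letter's one-in-a-thousand duplicate rate, and an FPIR limit of 10^−3 inferred from the closing sentence; the FNIR of 10^−2 is a constructed value.

```python
"""Base-rate arithmetic for biometric de-duplication, in the letter's notation.

X = 1: the applicant is already registered.  Y = 1: the matcher reports a match.
"""
from dataclasses import dataclass

# Counts quoted from the UIDAI's reply (as of 17.08.2011).
ENROLLED = 25_900_000   # successful enrolments, N - m
REJECTED = 2_005        # enrolments rejected as duplicates, m


@dataclass(frozen=True)
class DedupModel:
    p_dup: float  # p[X = 1]: share of applicants who are already registered
    fpir: float   # p[Y = 1 | X = 0]: the FPIR as requirement (P) construes it
    fnir: float   # p[Y = 0 | X = 1]: the FNIR as requirement (N) construes it

    def joint(self):
        """Joint probabilities p[X = x & Y = y], keyed by (x, y)."""
        p_new = 1.0 - self.p_dup
        return {
            (0, 0): p_new * (1.0 - self.fpir),
            (0, 1): p_new * self.fpir,
            (1, 0): self.p_dup * self.fnir,
            (1, 1): self.p_dup * (1.0 - self.fnir),
        }

    def mistaken_match_share(self):
        """p[X = 0 | Y = 1]: share of matches that hit a genuinely new applicant."""
        j = self.joint()
        p_match = j[(0, 1)] + j[(1, 1)]
        if p_match == 0.0:
            raise ValueError("the model never produces a match")
        return j[(0, 1)] / p_match

    def missed_duplicate_share(self):
        """p[X = 1 | Y = 0]: share of non-matches that were in fact duplicates."""
        j = self.joint()
        return j[(1, 0)] / (j[(0, 0)] + j[(1, 0)])

    def expected_counts(self, n):
        """Expected c_xy after n applications (the letter's unobserved counts)."""
        return {cell: p * n for cell, p in self.joint().items()}


def observed_match_rate(enrolled=ENROLLED, rejected=REJECTED):
    """m / N, the letter's estimate of p[Y = 1]."""
    return rejected / (enrolled + rejected)


def bound_from_fpir(fpir, p_match, p_new_max=1.0):
    """Bayes' rule bound: p[X=0|Y=1] = FPIR * p[X=0] / p[Y=1] <= FPIR * p_new_max / p[Y=1].

    A result of 1 or more carries no information about the probability.
    """
    if not 0.0 < p_match <= 1.0:
        raise ValueError("p_match must lie in (0, 1]")
    return fpir * p_new_max / p_match


def required_fpir(target, p_match, p_new=1.0):
    """Largest FPIR for which the bound above stays at or below `target`."""
    return target * p_match / p_new


def scenario_table(p_dup=1e-3, fnir=1e-2, exponents=(3, 4, 5, 6)):
    """(FPIR, p[X=0|Y=1]) pairs; p_dup is the letter's figure, fnir is constructed."""
    rows = []
    for j in exponents:
        model = DedupModel(p_dup=p_dup, fpir=10.0 ** -j, fnir=fnir)
        rows.append((model.fpir, model.mistaken_match_share()))
    return rows


if __name__ == "__main__":
    rate = observed_match_rate()
    print(f"m/N = {rate:.3e}")
    print(f"bound on p[X=0|Y=1] at FPIR 1e-3: {bound_from_fpir(1e-3, rate):.2f}")
    for fpir, share in scenario_table():
        print(f"FPIR {fpir:.0e}: p[X=0|Y=1] = {share:.4f}")
```

With a duplicate rate and an FPIR both at 10^−3, about half of all reported matches fall on applicants who were never registered; only near an FPIR of 10^−6 does the share of mistaken matches drop to roughly one in a thousand.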

[1]Should it seem entirely odd to talk of probability when one of the events in question — either [X = 0] or [X = 1] — will already have occurred, we may regard the probabilities we assign them as measures of our uncertainty only: but no practical question hinges on probabilities being understood ‘subjectively’ rather than ‘objectively’.

[2]It might be well to note, however, that the size of the sample must be manageable: for a sample of size K a total of K • (K − 1)/2 comparisons will have to be performed.

[3]Wagering an upper limit on p[X = 0] would require one to reasonably estimate the probability of finding already-registered individuals among applicants.

[4]The event [Y = 1] must be just as rare, one supposes, as [X = 0] is frequent.

[5]We are supposing, that is to say, that matches of biometric signatures are very rarely mistaken matches.

[6]A small _ is consistent with supposing that p[X = 1] and p[Y = 1] are commensurate probabilities. If p[X = 0 | Y = 1] < 10^−3 for instance, then p[X = 1 | Y = 1] > (10^3 − 1)/10^3; one may suppose, that is, that [X = 1] will be the case 999 out of a 1000 times that [Y = 1] obtains; and, of course, to suppose that [X = 1] will be appreciably more frequent than [Y = 1] is to grant that biometric signatures will fail appreciably often to distinguish individuals.

See the RTI application of 30/06/2011 [PDF, 15 kb].

Download the Seventh Open Letter here

SCOSTA and UID Comparison not Valid, says Finance Committee

by Elonnai Hickok last modified Nov 22, 2011 04:37 PM
The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.

On January 6, 2011, CIS had sent an open letter to the Parliamentary Finance Committee demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.

Sir,

This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.

CIS View /Suggestion:

 

"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."

In this regard, do you agree with the following view? If not, please justify.

"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.

The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.

UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."

You are requested to email your view by 14 October, 2011 positively.

Standing Committee on Finance Branch
Lok Sabha Secretariat

 
 

Sixth Annual Meeting of the Internet Governance Forum, Nairobi: A Summary

by Prasad Krishna last modified Oct 24, 2011 09:09 AM
The sixth annual meeting of the Internet Governance Forum was held from 27 to 30 September 2011 at the United Nations Office in Nairobi, Kenya. Sunil Abraham participated in six workshops: Privacy, Security, and Access to Rights: A Technical and Policy Analyses; Use of Digital Technologies for Civic Engagement and Political Change: Lessons Learned and Way Forward; The Impact of Regulation: FOSS and Enterprise; Proprietary Influences in Free and Open Source Software: Lessons to Open and Universal Internet Standards; Access and Diversity of Broadband Internet Access; and Putting Users First: How Can Privacy be Protected in Today’s Complex Mobile Ecosystem?

Privacy, Security, and Access to Rights: A Technical and Policy Analyses

Workshop No. 219
The workshop was moderated by Kim Pham, Expression Technologies, Civil Society (United States). The panel members included Carlos Affonso Pereira de Souza, Centro de Tecnologia e Sociedade (Brazil), Christopher Soghoian, Indiana University (United States), Karen Reilly, Tor Project, Technical/Civil Society (United States) and Sunil Abraham, Centre for Internet and Society (India).
See the workshop details here

Use of Digital Technologies for Civic Engagement and Political Change: Lessons Learned and Way Forward

Workshop No. 184
The workshop was moderated by Katim S Touray, Council Vice Chair, Free Software and Open Source Foundation for Africa and Member, ICANN Board of Directors. Fouad Bajwa of Gerry Morgan Foundation (Pakistan) was the remote moderator. Nnenna Nwakanma of Nnenna.org, Simeon Oriko of @TheKuyuProject & @StorySpaces, Wael Khalil, Activist and Sunil Abraham of the Centre for Internet & Society were the panel members. Nishant Shah from the Centre for Internet & Society participated remotely from Bangalore.
See the workshop details here
See the entire transcription here

The Impact of Regulation: FOSS and Enterprise

Workshop No. 211
The workshop was moderated by Dorothy Gordon, Director General, AITI-KACE; Judy Okite was the remote moderator. The panel members were Satish Babu, ICFOSS, India, Yves Miezan Ezo, Smile Training, Manager, (France), Sunil Abraham, Executive Director, Centre for Internet & Society, Bangalore, Evans Ikua, FOSS Certification Manager, [email protected] program.
See the workshop details here
See the entire transcription here

Proprietary Influences in Free and Open Source Software: Lessons to Open and Universal Internet Standards

Workshop No. 201
The workshop was moderated by Alejandro Pisanty, Director General for Academic Computing Services of the National University of Mexico (UNAM), Mexico. Tracy Hackshaw, Computer Society of Trinidad and Tobago, Trinidad and Tobago, Venkatesh Hariharan, Head of Public Policy and Government Affairs at Google, India and Scott O Bradner, University Technology Security Officer, Harvard University, USA were the panel members.
See the workshop details here
See the entire transcription here

Access and Diversity of Broadband Internet Access

Workshop No. 113
The workshop was moderated by N Ravi Shanker, Addl Secy, Department of Information Technology, Ministry of Information Technology, Government of India (Chair). Abhishek Singh, Director, Department of Information Technology, Ministry of Information Technology, Government of India, Venkatesh Hariharan, Head of Public Policy and Government Relations, Google India and Sunil Abraham, Executive Director, The Centre for Internet and Society, India were the panel members.
See the workshop details here
See the entire transcription here

Putting users First: How can Privacy be Protected in Today’s Complex Mobile Ecosystem?

Workshop No. 75
This workshop was moderated by Ambassador David Gross, Partner, Wiley Rein LLP; Yiannis Theodorou, Regulatory Policy Manager, GSMA was the remote moderator. The panel members included Pat Walshe (Director of Privacy-GSMA), Jeff Brueggeman (Vice President-Public Policy AT&T), Patrick Ryan, Policy Counsel, Open Internet for Google Inc, Ms Juliana Rotich, Executive Director of Ushahidi Inc, Sunil Abraham, Executive Director, The Centre for Internet and Society (India) and Ian Brown, co-director of Oxford University's Information Security and Privacy Programme.
See the workshop details here
See the entire transcription here

Analysis of DIT's Response to Second RTI on Website Blocking

by Pranesh Prakash last modified Dec 02, 2011 09:26 AM
In this blog post, Pranesh Prakash briefly analyses the DIT's response to an RTI request on website blocking alongside the most recent edition of Google's Transparency Report, and what it tells us about the online censorship regime in India.


What the DIT's Response Tells Us, and What It Doesn't

We at the Centre for Internet and Society had sent in a right to information request to the Department of Information Technology (DIT) asking for more information about website blocking in India. The response we got from the DIT was illuminating in many ways. The following are the noteworthy points, in brief:

  • Six government officials and one politician have so far made requests for 'disabling access' to certain online content under s.69A of the Information Technology (IT) Act.
  • 68 individual items have been requested to be blocked, those being 64 websites (domain-level blocking), 1 sub-domain, and 3 specific web pages. Seemingly, none of these requests have been accepted.
  • The data provided by the government seemingly conflicts with the data released by the likes of Google (via its Transparency Report).
  • India's law enforcement agencies are circumventing the IT Act, the Indian Penal Code (IPC), and ultimately the Constitution, by not following proper procedure for removal of online content.
  • Either the DIT is not providing us all the relevant information on blocking, or is not following the law.

 

Conflicting Data on Censorship Requests

The latest Google Transparency Report, released on October 25, 2011, shows that there were 68 written requests (imaginably taking the form of forceful requests/orders) from Indian law enforcement agencies for removal of 358 items from Google's various services. If you take the figures since January 2010, it adds up to over 765.

However, the official government statistics show only eight separate requests having been made to the DIT (which, under the IT Act, is the only authority that can order the blocking of online content), adding up to a total of 64 websites (domain-level), 1 sub-domain, and 3 specific web pages. Of these only 3 are for Google's services (2 for Blogger, and 1 for YouTube).

If classified according to the presumable reason for seeking the block, that would be 61 domains hosting adult content; 1 domain (tamil.net.in), 1 sub-domain (ulaginazhagiyamuthalpenn.blogspot.com), and 2 specific pages (video of a speech by Bal Thackeray on YouTube and Wikipedia page for Sukhbir Singh Badal) for political content; 1 for religious content (a blog post titled "Insults against Islam" in Malay); and 1 domain hosting online gambling (betfair.com). It is unclear why one of the requests was made (topix.net).1

Content Removal vs. Content Blocking

Section 69A of the IT Act provides the Central Government the power to "direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource". The only person through whom this power can be exercised is the 'Designated Officer' (currently Dr. Gulshan Rai of the DIT), who in turn has to follow the procedure laid down in the rules drafted under s.69A ("Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009", the 'Blocking Rules').

Because of this, we see everyone from the Secretary of the Public Law and Order Department of Tamil Nadu to the Joint Commissioner of Police of Mumbai and the State President of the Bharatiya Janata Minority Morcha approaching the Designated Officer for blocking of websites.

However, as the data from Google shows, there are many times more requests being sent to remove content. The only explanation for this is that an order to 'block for access... or cause to be blocked for access by the public' is taken to be different from an order for removal of content. Nothing in the IT Act or in the Blocking Rules actually addresses this issue.2

Thus, there is a possibility that the forcible removal of content is treated separately from blocking of content. That would mean that while blocking is regulated by the IT Act, forcible removal of content is not. Thus, it would seem that forcible removal of online content is happening without clear regulation or limits.3

Role of the Indian Penal Code and Code of Criminal Procedure

There are existing provisions in the Indian Penal Code that provide the government the power to censor books, pamphlets, and other material on varied grounds, including obscenity, causing of enmity between communities, etc. The police is provided powers to enforce such governmental orders. Section 95 of the Code of Criminal Procedure allows the State Government to declare (through an official notification) certain publications which seem to violate the Indian Penal Code as 'forfeited to the Government' and to issue search warrants for the same. After this the police can enforce that notification.

It is clear that this is not the case for any of the content removal requests that were sent to Google.

Police Are Defeating the Constitution and the IT Act

Therefore, it would seem that law enforcement agencies are operating outside the bounds set up under the Indian Penal Code, the Code of Criminal Procedure, as also the Information Technology Act, when they send requests for removal of content to companies like Google. While a company might comply with it because it appears to them to violate their own terms of service (which generally include a wide clause about content being in accordance with all local laws), community guidelines, etc., it would appear that it is not required under the law to do so if the order itself is not legal.

However, anecdotal evidence has it that most companies comply with such 'requests' even when they are not under any legal obligation to do so.

This way the intention of Parliament in enacting s.69A of the IT Act—to regulate government censorship of the Internet and bring it within the bounds laid down in the Constitution—is defeated.

DIT Either Evasive or Not Following Rules

The DIT did not provide answers on:

  • Whether any block ordered by the DIT has ever been revoked
  • On what basis DIT decides which intermediary (web host, ISP, etc.) to send the order of blocking to

It also provided the minutes for only one meeting[4] of the committee that decides whether to carry out a block, when we had requested the minutes of all the meetings it has ever held. That committee (the Committee for Examination of Requests, constituted under Rule 8(4) of the Blocking Rules) has to consider every single item in every single request forwarded to the Designated Officer, and 68 items were sent to the Designated Officer in 6 requests. Quite clearly something doesn't add up. Either the Committee is not following the Blocking Rules or the DIT is not providing a full reply under the RTI Act.

 


  1. A request was made to block http://www.topix.net, by the 'Commissioner, Maharashtra State, Colaba, Mumbai—400001', presumably the Commissioner of State Intelligence Department of Maharashtra, whose office is located in Colaba.

  2. However, the Blocking Rules require that the person or the hosting intermediary be contacted for a response. This provides the person/intermediary the opportunity to remove the content voluntarily or to oppose the request for blocking.

    "Rule 8. Examination of request: (1) On receipt of request under rule 6, the Designated Officer shall make all reasonable efforts to identify the person or intermediary who has hosted the information or part thereof as well as the computer resource on which such information or part thereof is being hosted and where he is able to identify such person or intermediary and the computer resource hosting the information or part thereof which have been requested to be blocked for public access, he shall issue a notice by way of letters or fax or e-mail signed with electronic signatures to such person or intermediary in control of such computer resource to appear and submit their reply and clarifications if any, before the committee referred to in rule 7, at a specified date and time, which shall not be less than forty-eight hours from the time of receipt of such notice by such person or intermediary."

  3. While it is possible to imagine that the Indian Penal Code and the Code of Criminal Procedure lay down limits, it is clear from the Google Transparency Report that the requests for removal are not coming based only on court orders, but from the executive and the police. The police have no powers under the IPC or the CrPC to request removal of content without either a public notification issued by the State Government or a court order.

  4. The minutes of the meeting held on August 24, 2010, on the request for blocking of www.betfair.com were sent as 'Annexure III' of the DIT response.  This request was not granted. 

India's Statement Proposing UN Committee for Internet-Related Policy

by Pranesh Prakash last modified Oct 31, 2011 03:28 PM
This is the statement made by India at the 66th session of the United Nations General Assembly, in which its proposal for the UN Committee for Internet-Related Policy was presented.


66th Session of the UN General Assembly

New York. October 26, 2011.


Agenda Item 16: Information and Communications Technologies for Development (ICT): Global Internet Governance


Statement by India


Mr. Chairman,

We thank the Secretary-General for his report on enhanced cooperation on public policy issues pertaining to the Internet, contained in document A/66/77, which provides a useful introduction to the discussions under this agenda item.

As a multi-ethnic, multi-cultural and democratic society with an open economy and an abiding culture of pluralism, India emphasizes the importance that we attach to the strengthening of the Internet as a vehicle for openness, democracy, freedom of expression, human rights, diversity, inclusiveness, creativity, free and unhindered access to information and knowledge, global connectivity, innovation and socio-economic growth.

We believe that the governance of such an unprecedented global medium that embodies the values of democracy, pluralism, inclusion, openness and transparency should also be similarly inclusive, democratic, participatory, multilateral and transparent in nature.

Indeed, this was already recognized and mandated by the Tunis Agenda in 2005, as reflected in paragraphs 34, 35, 56, 58, 59, 60, 61 and 69 of the Agenda. Regrettably, in the six long years that have gone by, no substantial initiative has been taken by the global community to give effect to this mandate.

Meanwhile, the internet has grown exponentially in its reach and scope, throwing up several new and rapidly emerging challenges in the area of global internet governance that continue to remain inadequately addressed. It is becoming increasingly evident that the Internet as a rapidly-evolving and inherently global medium, needs quick-footed and timely global solutions and policies, not divergent and fragmented national policies.

The range and criticality of these pressing global digital issues that continue to remain unaddressed, are growing rapidly with each passing day. It is, therefore, urgent and imperative that a multilateral, democratic participative and transparent global policy-making mechanism be urgently instituted, as mandated by the Tunis Agenda under the process of ‘Enhanced Co-operation’, to enable coherent and integrated global policy-making on all aspects of global Internet governance.

Operationalizing the Tunis mandate in this regard should not be viewed as an attempt by governments to “take over” or “regulate and circumscribe” the internet. Indeed, any such misguided attempt would be antithetical not only to the internet, but also to human welfare. As a democratic and open society that has historically welcomed outside influences and believes in openness to all views and ideas and is wedded to free dialogue, pluralism and diversity, India attaches great importance to the preservation of the Internet as an unrestricted, open and free global medium that flourishes through private innovation and individual creativity and serves as a vehicle for open communication, access to culture, knowledge, democratization and development.

India recognizes the role played by various actors and stakeholders in the development and continued enrichment of the internet, and is firmly committed to multi-stakeholderism in internet governance, both at the national and global level. India believes that global internet governance can only be functional, effective and credible if all relevant stake-holders contribute to, and are consulted in, the process.

Bearing in mind the need for a transparent, democratic, and multilateral mechanism that enables all stakeholders to participate in their respective roles, to address the many cross-cutting international public policy issues that require attention and are not adequately addressed by current mechanisms and the need for enhanced cooperation to enable governments, on an equal footing, to carry out their roles and responsibilities in international public policy issues pertaining to the Internet, India proposes the establishment of a new institutional mechanism in the United Nations for global internet-related policies, to be called the United Nations Committee for Internet-Related Policies (CIRP). The intent behind proposing a multilateral and multi-stakeholder mechanism is not to “control the internet” or allow Governments to have the last word in regulating the internet, but to make sure that the Internet is governed not unilaterally, but in an open, democratic, inclusive and participatory manner, with the participation of all stakeholders, so as to evolve universally acceptable, and globally harmonized policies in important areas and pave the way for a credible, constantly evolving, stable and well-functioning Internet that plays its due role in improving the quality of peoples’ lives everywhere.

The CIRP shall be mandated to undertake the following tasks:

  1. Develop and establish international public policies with a view to ensuring coordination and coherence in cross-cutting Internet-related global issues;
  2. Coordinate and oversee the bodies responsible for technical and operational functioning of the Internet, including global standards setting;
  3. Facilitate negotiation of treaties, conventions and agreements on Internet-related public policies;
  4. Address developmental issues related to the internet;
  5. Promote the promotion and protection of all human rights, namely, civil, political, social, economic and cultural rights, including the Right to Development;
  6. Undertake arbitration and dispute resolution, where necessary; and,
  7. Crisis management in relation to the Internet.


The main features of CIRP are provided in the annex to this statement. In brief, the CIRP will comprise 50 Member States chosen on the basis of equitable geographical representation, and will meet annually for two working weeks in Geneva. It will ensure the participation of all relevant stakeholders by establishing four Advisory Groups, one each for civil society, the private sector, inter-governmental and international organizations, and the technical and academic community. The Advisory Groups will provide their inputs and recommendations to the CIRP. The meetings of CIRP and the advisory groups will be serviced by the UNCTAD Secretariat that also services the meetings of the Commission on Science and Technology for Development. The Internet Governance Forum will provide inputs to CIRP in the spirit of complementarity between the two. CIRP will report directly to the General Assembly and present recommendations for consideration, adoption and dissemination among all relevant inter-governmental bodies and international organizations. CIRP will be supported by the regular budget of the United Nations; a separate Fund would be set up by drawing from the domain registration fees collected by various bodies, in order to mainly finance the Research Wing to be established by CIRP to support its activities.

Those familiar with the discourse on global internet governance since the beginning of the WSIS process at the turn of the millennium, will recognize that neither the mandated tasks of the CIRP, nor its proposed modalities, are new. The Working Group on Internet Governance (WGIG) set up by the UN Secretary-General had explicitly recognized the institutional gaps in global internet governance and had proposed four institutional models in its report to the UN General Assembly in 2005. The contours of the CIRP, as proposed above, reflect the common elements in the four WGIG institutional models. While the excellent report of the WGIG was much discussed and deliberated in 2005, unfortunately, no concrete follow-up action was taken to give effect to its recommendations on the institutional front. We hope that this anomaly will be redressed at least six years later, with the timely establishment of the CIRP.

In order to operationalize this proposal, India calls for the establishment of an open-ended working group under the Commission on Science and Technology for Development for drawing up the detailed terms of reference for CIRP, with a view to actualizing it within the next 18 months. We are open to the views and suggestions of all Member States, and stand ready to work with other delegations to carry forward this proposal, and thus seek to fill the serious gap in the implementation of the Tunis Agenda, by providing substance and content to the concept of Enhanced Co-operation enshrined in the Tunis Agenda.

Thank you, Mr. Chairman.

 ***

Annex

The United Nations Committee for Internet-Related Policies (CIRP)


The United Nations Committee for Internet-Related Policies (CIRP) will have the following features:

Membership: The CIRP will consist of 50 Member States of the United Nations, chosen/elected on the basis of equitable geographical representation. It will provide for equitable representation of all UN Member States, in accordance with established UN principles and practices. It will have a Bureau consisting of one Chair, three Vice-Chairs and a Rapporteur.

Meetings: The CIRP will meet annually for two working weeks in Geneva, preferably in May/June, and convene additional meetings, as and when required. The UNCTAD Secretariat will provide substantive and logistical support to the CIRP by servicing these meetings.

Multi-stakeholder participation: Recognizing the need to involve all stakeholders in Global Internet Governance in their respective roles, the CIRP shall ensure the participation of all stakeholders recognized in the Tunis Agenda. Four Advisory Groups – one each for Civil Society, the Private Sector, Inter-Governmental and International Organisations, and the Technical and Academic Community - will be established, to assist and advise the CIRP. These Groups would be self-organized, as per agreed principles, to ensure transparency, representativity and inclusiveness. The Advisory Groups will meet annually in Geneva and in conjunction with any additional meetings of the CIRP. Their meetings will be held back-to-back with the meetings of the CIRP, so that they are able to provide their inputs and recommendations in a timely manner, to the CIRP.

Reporting: The CIRP will report directly to the UN General Assembly annually, on its meetings and present recommendations in the areas of policy and implementation for consideration, adoption and dissemination to all relevant inter-governmental bodies and international organizations.

Research Wing: The Internet is a rapidly-evolving and dynamic medium that throws up urgent and rapidly-evolving challenges that need timely solutions. In order to deal effectively and prudently with these emerging issues in a timely manner, it would be vital to have a well-resourced Research Wing attached to the CIRP to provide ready and comprehensive background material, analysis and inputs to the CIRP, as required.

Links with the IGF: Recognizing the value of the Internet Governance Forum as an open, unique forum for multi-stakeholder policy dialogue on Internet issues, the deliberations in the IGF along with any inputs, background information and analysis it may provide, will be taken as inputs for consideration of the CIRP. An improved and strengthened IGF that can serve as a purposeful body for policy consultations and provide meaningful policy inputs to the CIRP, will ensure a stronger and more effective complementarity between the CIRP and the IGF.

Budget: Like other UN bodies, the CIRP should be supported by the regular budget of the United Nations. In addition, keeping in view its unique multi-stakeholder format for inclusive participation, and the need for a well-resourced Research Wing and regular meetings, a separate Fund should also be set up drawing from the domain registration fees collected by various bodies involved in the technical functioning of the Internet, especially in terms of names and addresses.

***

Excerpts from the Tunis Agenda


Paragraph 34 of the Tunis Agenda defines Internet Governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet”.

Paragraph 35 reaffirms the respective roles of stakeholders as follows: “(a) Policy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues. (b) The private sector has had, and should continue to have, an important role in the development of the Internet, both in the technical and economic fields. (c) Civil society has also played an important role on Internet matters, especially at community level, and should continue to play such a role. (d) Intergovernmental organizations have had, and should continue to have, a facilitating role in the coordination of Internet-related public policy issues. (e) International organizations have also had and should continue to have an important role in the development of Internet-related technical standards and relevant policies.”

While delineating the respective roles of stakeholders, Paragraph 56 recognizes the need for an inclusive, multi-stakeholder approach by affirming that “The Internet remains a highly dynamic medium and therefore any framework and mechanisms designed to deal with Internet governance should be inclusive and responsive to the exponential growth and fast evolution of the Internet as a common platform for the development of multiple applications”.

Paragraph 58 recognizes “that Internet governance includes more than Internet naming and addressing. It also includes other significant public policy issues such as, inter alia, critical Internet resources, the security and safety of the Internet, and developmental aspects and issues pertaining to the use of the Internet”.

Paragraph 59 further recognizes that “Internet governance includes social, economic and technical issues including affordability, reliability and quality of service”. Paragraph 60 further recognizes that “there are many cross-cutting international public policy issues that require attention and are not adequately addressed by the current mechanisms”.

Paragraph 61 of the Tunis Agenda therefore concludes that “We are convinced that there is a need to initiate, and reinforce, as appropriate, a transparent, democratic, and multilateral process, with the participation of governments, private sector, civil society and international organisations, in their respective roles. This process could envisage creation of a suitable framework or mechanisms, where justified, thus spurring the ongoing and active evolution of the current arrangements in order to synergize the efforts in this regard”.

Paragraph 69 further recognizes “the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues”.

***

Press Coverage of Online Censorship Row

by Pranesh Prakash last modified Dec 08, 2011 11:31 AM
We are maintaining a rolling blog with press references to the row created by the proposal by the Union Minister for Communications and Information Technology to pre-screen user-generated Internet content.

Monday, December 5, 2011

India Asks Google, Facebook to Screen Content | Heather Timmons (New York Times, India Ink)

Tuesday, December 6, 2011

Sibal warns social websites over objectionable content | Sandeep Joshi (The Hindu)

Hate speech must be blocked, says Sibal | Praveen Swami & Sujay Mehdudia (The Hindu)

Won't remove material just because it's controversial: Google | (Press Trust of India)

Any Normal Human Being Would Be Offended | Heather Timmons (New York Times, India Ink)

After Sibal, Omar too feels some online content inflammatory | (Press Trust of India)

Online uproar as India seeks social media screening | Devidutta Tripathy and Anurag Kotoky (Reuters)

Kapil Sibal for content screening: Facebook, Twitter full of posts against censorship | (IANS)

India May Overstep Its Own Laws in Demanding Content Filtering | John Ribeiro (IDG)

Kapil Sibal warns websites: Mixed response from MPs | (Press Trust of India)

Websites must clean up content, says Sibal | (NewsX)

Kapil Sibal warns websites; Google says won't remove material just because it's controversial | (Press Trust of India)

Censorship By Any Other Name... | Yamini Lohia (Mint)

Kapil Sibal: We have to take care of sensibility of our people | (Associated Press)

Kapil Sibal gets backing of Digvijaya Singh over social media screening | (Press Trust of India)

Sibal Gets What He Set Out To Censor | (Hindustan Times, Agencies)

Objectionable Matter Will Be Removed, Censorship Not in Picture Yet: Kapil Sibal | Amar Kapadia (News Tonight)

Wednesday, December 7, 2011

Kapil Sibal Doesn't Understand the Internet | Shivam Vij (India Today)

'Chilling' Impact of India's April Internet Rules | Heather Timmons (New York Times, India Ink)

Screening, not censorship, says Sibal | (Business Standard)

Chandni Chowk to China | Salil Tripathi (Mint)

Kapil Sibal vs the internet | Sandipan Deb (Mint)

No Need for Censorship of the Internet: Cyber Law Experts | (Times News Network)

Protest with flowers for Sibal | (The Hindu)

Kapil Sibal cannot screen this report | Team DNA, Blessy Chettiar & Renuka Rao (Daily News and Analysis)

Kapil Sibal warns websites, but experts say prescreening of user content not practical | (Reuters)

Sibal's Remarks Brought Disgust | Hitesh Mehta (News Tonight)

BJP backs mechanism to curb objectionable content on websites | (The Hindu)

Move to regulate networking sites should be discussed in Parliament: BJP | (Press Trust of India)

Sibal under attack in cyberspace | (Press Trust of India)

Kapil Sibal's web censorship: Indian govt wanted 358 items removed, says Google | (Press Trust of India)

Kapil Sibal gets BJP support but with rider | (Indo-Asian News Service)

Sibal's way of regulating web not okay, says BJP | (Indo-Asian News Service)

Censorship in Blasphemy's Clothings | Gautam Chikermane (Hindustan Times, Just Faith)

India wants Google, Facebook to screen content | Sharon Gaudin (Computer World)

Should we be taming social media? | Swati Prasad (ZDNet, Inside India)

Kapil Sibal gets lampooned for views on Web control | (Daily News and Analysis)

'We don't need no limitation' | Asha Prakash (Times of India)

Five reasons why India can't censor the internet | Prasanto K. Roy (Indo-Asian News Service)

We Are the Web | (Indian Express)

Thursday, December 8, 2011

Kapil Sibal under attack in cyberspace | (Press Trust of India)

Speak Up for Freedom | Pranesh Prakash (Indian Express)

Newswallah: Censorship | Neha Thirani (New York Times, India Ink)

No Question of Censoring the Internet, Says Sachin Pilot | (NDTV)

Mind Your Netiquette, or We'll Mind it for You | A.A.K. (The Economist)

Take Parliament's view to regulate social networking sites, BJP tells govt | (Times News Network)

India wanted 358 items removed | Priscilla Jebaraj (The Hindu)

Indian Government v Social Networking sites: Expert Views | (Bar & Bench News Network)

Can Government Muzzle Websites? | Priyanka Joshi & Piyali Mandal (Business Standard)

US concerned over internet curbs, sidesteps India move | (Indo-Asian News Service)

Why Internet Companies Are Upset with Kapil Sibal | (Rediff)

Why Censor Facebook When You Don't Censor Sunny Leone? | (Indo-Asian News Service)

Online content issue: Talks with India on, says U.S. | (Press Trust of India)

US calls for Internet freedom amid India plan | (Agence France-Presse)

How India Makes E-books Easier to Ban than Books (And How We Can Change That)

by Pranesh Prakash last modified Feb 21, 2012 11:50 AM
Without getting into questions of what should and should not be unlawful speech, Pranesh Prakash chooses to take a look at how Indian law promotes arbitrary removal and blocking of websites, website content, and online services, and how it makes this much easier than getting offline printed speech removed.

Banning E-Books is Trivially Easy

E-Books Are Easier To Ban Than Books, And Safer

Contrary to what Mr. Sibal's recent hand-wringing at objectionable online material might suggest, under Indian laws currently in force it is far easier to remove material from the Web, by many degrees of magnitude, than it is to ever get it removed from a bookstore or an art gallery. To get something removed from a bookstore or an art gallery, one needs to collect a mob, organize collective outrage and threats of violence, and finally convince either the government or a magistrate that the material is illegal, thereby allowing the police to seize the books or stop the painting from being displayed. The fact of removal of the material will be noted in various records, whether in government records, court records, police records or in newspapers of record. By contrast, to remove something from the Web, one needs to send an e-mail complaining about it to any of the string of 'intermediaries' that handle the content: the site itself, the web host for the site, the telecom companies that deliver the site to your computer/mobile, the web address (domain name) provider, the service used to share the link, etc. Under the 'Intermediary Guidelines Rules' that have been in operation since 11th April 2011, all such companies are required to 'disable access' to the complained-about content within thirty-six hours of the complaint. It is really that simple.

"That's ridiculous," you think, "surely he must be exaggerating." Think again. A researcher working with us at the Centre for Internet and Society tried it out, several times, with many different intermediaries and always with frivolous and flawed complaints, and was successful six out of seven times. Thus it is easier to prevent Flipkart or Amazon from selling Rushdie's Midnight's Children than it is to prevent a physical bookstore from doing so: today Indira Gandhi wouldn't need to win a lawsuit in London against the publishers to remove a single line as she did then; she would merely have to send a complaint to online booksellers and get the book removed. It is easier to block Vinay Rai's Akbari.in (just as CartoonsAgainstCorruption.com was recently blocked) than it is to prevent its print publication. Best of all for complainants: there is no penalty for frivolous complaints such as those sent by us, nor are any records kept of who's removed what. Such great powers of censorship without any penalties for their abuse are a sure-fire way of ensuring a race towards greater intolerance, with the Internet — that republic of opinions and expressions — being a casualty.

E-Book Bans Cannot Be Challenged

In response to some of the objections raised, the Cyberlaw Division of the Department of Information Technology, ever the dutiful guardian of free speech, noted that if you have a problem with access to your content being 'disabled', you could always approach a court and get that ban reversed. Unfortunately, the Cyberlaw Division of the Department of Information Technology forgot to take into account that you can't contest a ban/block/removal if you don't know about it. While they require all intermediaries to disable access to the content within thirty-six hours, they forgot to mandate the intermediary to tell you that the content is being removed. Whoops. They forgot to require the intermediary to give public notice that content has been removed following a complaint from person ABC or corporation XYZ on such-and-such grounds. Whoops, again.

So while records are kept, along with reasons, of book bans, there are no such records required to be kept of e-book bans.

E-Book Censors Are Faceless

Vinay Rai is a brave man. He is being attacked by fellow journalists who believe he's disgracing the professional upholders of free-speech, and being courted by television channels who believe that he should be encouraged to discuss matters that are sub judice. He is viewed by some as a man who's playing politics in courts on behalf of unnamed politicians and bureaucrats, while others view him as being bereft of common-sense for believing that companies should be legally liable for not having been clairvoyant and removing material he found objectionable, though he has never complained to them about it, and has only provided that material to the court in a sealed envelope. I choose, instead, to view him as a scrupulous and brave man. He has a face, and a name, and is willing to openly fight for what he believes in. However, there are possibly thousands of unscrupulous Vinay Rais out there, who know the law better than he does, and who make use not of the court system but of the Intermediary Guidelines Rules, firmly assured by those Rules that their censorship activities will never be known, will never be challenged by Facebook and Google lawyers, and will never be traced back to them.

Challenging Invisible Censorship

Dear reader, you may have noticed that this is a bit like a trial involving Free Speech in which Free Speech is presumed guilty upon complaint, is not even told what the charges against it are, has not been given a chance to prove its innocence, and has no right to meet its accusers nor to question them. Yet, the Cyberlaw Division of the Department of Information Technology continues to issue press releases defending these Rules as fair and just, instead of being simultaneously Orwellian and Kafkaesque. These Rules are delegated legislation passed by the Department of Information Technology under s.79 of the Information Technology Act. The Rules were laid before Parliament during the 2011 Monsoon session. We at CIS believe that these Rules are *ultra vires* the IT Act as well as the Constitution of India, not only with respect to what is now (newly) proscribed online (which in itself is enough to make it unconstitutional), but how that which is purportedly unlawful is to be removed. We have prepared an alternative that we believe is far more just and in accordance with our constitutional principles, taking on best practices from Canada, the EU, Chile, and Brazil, while still allowing for expeditious removal of unlawful material. We hope that the DIT will consider adopting some of the ideas embodied in our draft proposal.

As Parliament passed the IT Act in the midst of din, without any debate, it is easy to be skeptical and wonder whether Rules made under the IT Act will be debated. However, I remain hopeful that Parliament will not only exercise its power wisely, but will perform its solemn duty — borne out of each MP's oath to uphold our Constitution — by rejecting these Rules.

Photo credit: Lynn Gardner, under CC-BY-NC-SA 2.0 licence

This was reproduced in Outlook Magazine on 27 January 2012

Statutory Motion Against Intermediary Guidelines Rules

by Pranesh Prakash last modified Apr 03, 2012 09:35 AM
Rajya Sabha MP Shri P. Rajeeve has moved a motion that the much-criticised Intermediary Guidelines Rules be annulled.

Motion to Annul Intermediary Guidelines Rules

A motion to annul the Intermediary Guidelines Rules was moved on March 23, 2012, by Shri P. Rajeeve, CPI(M) MP in the Rajya Sabha from Thrissur, Kerala.

The motion reads:

"That this House resolves that the Information Technology (Intermediaries Guidelines) Rules, 2011 issued under clause (zg) of sub-section (2) of Section 87 read with sub-section (2) of Section 79 of the Information Technology Act, 2000 published in the Gazette of India dated the 13th April, 2011 vide Notification No. G.S.R 314(E) and laid on the Table of the House on the 12th August, 2011, be annulled; and

That this House recommends to Lok Sabha that Lok Sabha do concur on this Motion."

This isn't the first time that Mr. Rajeeve is raising his voice against the Intermediary Guidelines Rules. Indeed, even when the Rules were just in draft stage, he along with the MPs Kumar Deepak Das, Rajeev Chandrashekar, and Mahendra Mohan drew Parliamentarians' attention to the rules. Yet, the government did not heed the MPs' concern, nor the concern of all the civil society organizations that wrote in to them concerned about human rights implications of the new laws. On September 6, 2011, Lok Sabha MP Jayant Choudhary gave notice (under Rule 377 of the Lok Sabha Rules) that the Intermediary Guidelines Rules as well as the Reasonable Security Practices Rules need to be reviewed. Yet, the government has not even addressed those concerns, and indeed has cracked down even harder on online freedom of speech since then.

Fundamental Problems with Intermediary Guidelines Rules

The fundamental problems with the Rules, which deal with objectionable material online:

Shifting blame.

The Rules make the 'intermediary', including ISPs like BSNL and Airtel, responsible for objectionable content that their users have put up.

No chance to defend.

There is no need to inform users before this content is removed. So, even material put up by a political party can be removed based on anyone's complaint, without telling that party. This was done against a site called "CartoonsAgainstCorruption.com". This goes against Article 19(1)(a).

Lack of transparency.

No information is required to be provided that content has been removed. It's a black-box system, with no one, not even the government, knowing that content has been removed following a request. So even the government does not know how many sites have been removed after these Rules have come into effect.

No differentiation between intermediaries.

A one-size-fits-all system is followed where an e-mail provider is equated with an online newspaper, which is equated with a video upload site, which is equated with a search engine. This is like equating the post-office and a book publisher as being equivalent for, say, defamatory speech. This is violative of Article 14 of the Constitution, which requires that unequals be treated unequally by the law.

No proportionality.

A DNS provider (i.e., the person who gives you your web address) is an intermediary who can be asked to 'disable access' to a website on the basis of a single page, even though the rest of the site has nothing objectionable.

Vague and unconstitutional requirements.

Disparaging speech, as long as it isn't defamatory, is not criminalised in India, and can't be because the Constitution does not allow for it. Content about gambling in print is not unlawful, but now all Internet intermediaries are required to remove any content that promotes gambling.

Allows private censorship.

The Rules do not draw a distinction between arbitrary actions of an intermediary and take-downs subsequent to a request.

Presumption of illegality.

The Rules are based on the presumption that all complaints (and resultant mandatory taking down of the content) are correct, and that the incorrectness of the take-downs can be disputed in court (if they ever discover that it has been removed). This is contrary to the presumption of validity of speech used by Indian courts, and is akin to prior restraint on speech. Courts have held that for content such as defamation, prior restraints cannot be put on speech, and that civil and criminal action can only be taken post-speech.

Government censorship, not 'self-regulation'.

The government says these are industry best-practices in existing terms of service agreements. But the Rules require all intermediaries to include the government-prescribed terms in an agreement, no matter what services they provide. It is one thing for a company to choose the terms of its terms of service agreement, and completely another for the government to dictate those terms of service.

Problems Noted Early

We have noted in the past the problems with the Rules, including when the Rules were still in draft form:

Other organizations like the Software Freedom Law Centre also sent in scathing comments on the law, noting that they are unconstitutional.

We are very glad that Shri Rajeeve has moved this motion, and we hope that it gets adopted in the Lok Sabha as well, and that the Rules get defeated.

India's Broken Internet Laws Need a Shot of Multi-stakeholderism

by Pranesh Prakash last modified Apr 26, 2012 01:45 PM
Cyber-laws in India are severely flawed, with neither lawyers nor technologists being able to understand them, and the Cyber-Law Group in DEIT being incapable of framing fair, just, and informed laws and policies. Pranesh Prakash suggests they learn from the DEIT's Internet Governance Division, and Brazil, and adopt multi-stakeholderism as a core principle of Internet policy-making.

(An edited version of this article was published in the Indian Express as "Practise what you preach" on Thursday, April 26, 2012.)

The laws in India relating to the Internet are greatly flawed, and the only way to fix them would be to fix the way they are made. The Cyber-Laws & E-Security Group in the Department of Electronics and Information Technology (DEIT, who refer to themselves as 'DeitY' on their website!) has proven itself incapable of making fair, balanced, just, and informed laws and policies. The Information Technology (IT) Act is filled with provisions that neither lawyers nor technologists understand (not to mention judges). (The definition of "computer source code" in s.65 of the IT Act is a great example of that.)

The Rules drafted under s.43A of the IT Act (on 'reasonable security practices' to be followed by corporations) were so badly formulated that the government was forced to issue a clarification through a press release, even though the clarification was in reality an amendment and amendments cannot be carried out through press releases. Despite the clarification, it is unclear to IT lawyers whether the Rules are mandatory or not, since s.43A (i.e., the parent provision) seems to suggest that it is sufficient if the parties enter into an agreement specifying reasonable security practices and procedures. Similarly, the "Intermediary Guidelines" Rules (better referred to as the Internet Censorship Rules) drafted under s.79 of the Act have been called "arbitrary and unconstitutional" by many, including MP P. Rajeev, who has introduced a motion in the Rajya Sabha to repeal the Rules ("Caught in a net", Indian Express, April 24, 2012). These Rules give the power of censorship to every citizen and allow them to remove any kind of material off the Internet within 36 hours without anybody finding out. Last year, we at the Centre for Internet and Society used this law to get thousands of innocuous links removed from four major search engines without any public notice. In none of the cases (including one where an online news website removed more material than the perfectly legal material we had complained about) were the content-owners notified about our complaint, much less given a chance to defend themselves.

Laws framed by the Cyber-Law Group are so poorly drafted that they are misused more often than used. There are too many criminal provisions in the IT Act, and their penalties are far greater than those for comparable crimes in the IPC. Section 66A of the IT Act, which criminalizes "causing annoyance or inconvenience" electronically, has a penalty of 3 years (greater than that for causing death by negligence), and does not require a warrant for arrest. This section has been used in the Mamata Banerjee cartoon case, for arresting M. Karthik, a Hyderabad-based student who made atheistic statements on Facebook, and against former Karnataka Lokayukta Santosh Hegde. Section 66A, I believe, imperils freedom of speech more than is allowable under Art. 19(2) of the Constitution, and is hence unconstitutional.

While s.5 of the Telegraph Act only allows interception of telephone conversations on the occurrence of a public emergency, or in the interest of the public safety, the IT Act does not have any such threshold conditions, and greatly broadens the State's interception abilities. Section 69 allows the government to force a person to decrypt information, and might clash with Art.20(3) of the Constitution, which provides a right against self-incrimination. One can't find any publicly-available governmental which suggests that the constitutionality of provisions such as s.66A or s.69 was examined.

Omissions by the Cyber-Law Group are also numerous. The Indian Computer Emergency Response Team (CERT-In) has been granted very broad functions under the IT Act, but without any clarity on the extent of its powers. Some have been concerned, for instance, that the broad power granted to CERT-In to "give directions" relating to "emergency measures for handling cyber security incidents" includes the powers of an "Internet kill switch" of the kind that Egypt exercised in January 2011. Yet, they have failed to frame Rules for the functioning of CERT-In. The licences that the Department of Telecom enters into with Internet Service Providers require them to restrict usage of encryption by individuals, groups or organisations to a key length of only 40 bits in symmetric key algorithms (i.e., weak encryption). The RBI mandates a minimum of 128-bit SSL encryption for all bank transactions. Rules framed by the DEIT under s.84A of the IT Act were to resolve this conflict, but those Rules haven't yet been framed.

All of this paints a very sorry picture. Section 88 of the IT Act requires the government, "soon after the commencement of the Act", to form a "Cyber Regulations Advisory Committee" consisting of "the interests principally affected or having special knowledge of the subject-matter" to advise the government on the framing of Rules, or for any other purpose connected with the IT Act. This body still has not been formed, despite the lag of more than two and a half years since the IT Act came into force. Justice Markandey Katju’s recent letter to Ambika Soni about social media and defamation should ideally have been addressed to this body.

The only way out of this quagmire is to practise at home that which we preach abroad on matters of Internet governance: multi-stakeholderism. Multi-stakeholderism refers to the need to recognize that when it comes to Internet governance there are multiple stakeholders: government, industry, academia, and civil society, and not just the governments of the world. This idea has gained prominence since it was placed at the core of the "Declaration of Principles" from the first World Summit on Information Society in Geneva in 2003, and has also been at the heart of India's pronouncements at forums like the Internet Governance Forum. Brazil has an "Internet Steering Committee" which is an excellent model that practices multi-stakeholderism as a means of framing and working national Internet-related policies. DEIT's Internet Governance Division, which formulates India's international stance on Internet governance, has long recognized that governance of the Internet must be done in an open and collaborative manner. It is time the DEIT's Cyber-Law and E-Security Group, which formulates our national stance on Internet governance, realizes the same.

Privacy Matters — Medical Privacy

by Natasha Vaz last modified Jul 10, 2012 01:41 PM
On June 30, 2012, Privacy India in partnership with the Indian Network for People living with HIV/AIDS, Centre for Internet & Society, IDRC, Society in Action Group, with support from London-based Privacy International, held a public discussion on "Medical Privacy" at the Yashwantrao Chavan Academy of Development Administration.

The conversation brought together a cross section of citizens, lawyers, activists, researchers, academia and students.


Medical Privacy in India

He went on to explain that limited financial resources in public hospitals often preclude the separate examination of one patient at a time. “In Government hospitals, large numbers of patients congregate in the doctor's office,” he says. Privacy is also related to a patient's financial status and decreases as one goes down the socio-economic ladder.

Additionally, he described the privacy concerns that arise due to infrastructural constraints. India's healthcare infrastructure has not kept up with the development of government health initiatives. For example, the Janani Suraksha Yojana (JSY) initiative was launched in 2005, under the National Rural Health Mission (NRHM). JSY was implemented with the objective of reducing maternal and neo-natal mortality by promoting institutional delivery among poor pregnant women. Financial incentives were provided to mothers. There was a phenomenal increase in institutional deliveries. However, there was no proportional increase in infrastructure.

He called for a change in medical education, administration and management, stating, “Privacy protection has to be established as a core value that connects organizational culture. Alarmingly, medical curriculum in India does not have a formal component on medical privacy; significant curriculum reforms in undergraduate medical teaching are necessary.”

Medical Privacy- Legal Aspects

Referring to the Dr. Tokugha Yepthomi vs Apollo Hospital Enterprises Ltd & Anr. III case, he described the Supreme Court’s verdict on the ‘Right to Life’.

The “Right to life” would positively include the right to be told that a person, with whom she was proposed to be married, was a victim of deadly disease, which was sexually communicable, since right of life includes right to lead a healthy life. Moreover where there is a clash of two fundamental rights, The RIGHT which would advance the public morality or public interest, would alone be enforced through the process of Court.

He concluded by asserting that there is considerable force in the argument that there is a need for a comprehensive legislation to protect the interest of poor patients and ordinary citizens who cannot afford to initiate a protracted legal battle to protect their medical privacy.

Supreme Court views on Medical Negligence

Confidentiality and Privacy in Medical Settings vis-a-vis PLHIV

Ms. Nitu Sanadhya, Senior Legal Officer, Lawyers Collective, HIV/ AIDS Unit, stressed the importance of a rights-based approach and integrationist legal response to the HIV epidemic. When legislations or policies discriminate or isolate persons living with HIV, for example, through mandatory testing and breach of confidentiality, it drives the epidemic underground.

Under the RTI Act, a person’s HIV status is confidential and is protected in law and can only be disclosed to a third person in limited circumstances. The RTI Act specifically exempts the disclosure of personal information which is not of public interest; information which would cause an unwarranted invasion of privacy; and information which has been received in a fiduciary capacity. Therefore, the RTI Act 2005 cannot be used to obtain a person’s HIV report.

Privacy in Practice

be upheld. Yet, one sees a constant breach of people’s dignity in the medical system. Some people rationalize this violation of dignity by explaining that in India, doctors are used to people who have nothing and thus, dignity is not important. Yet, he argued, dignity is something that is inherent. The lack of dignity practiced in India's medical system shows a problem with how we are trained. Giving an example of how dignity is breached in India, Dr. Philip referred to two people being treated on the same table. He pointed out that the physical aspects of privacy are non-existent. For example, the WHO recommends five feet between beds, but typically two or three feet exist between hospital beds. Furthermore, there are often no curtains in hospitals.

He then moved from physical privacy to informational privacy. In a hospital, information flows in all directions; it is not a controlled environment, and the patient does not choose who sees his/her information: the hospital decides. Dr. Philip then talked about training. The health care system encompasses a larger team of people, from doctors to sweepers. Training is only given to clinical staff. Thus other aspects such as Indian culture, infrastructure, and training all impact how privacy is carried out in the medical field.

In conclusion, Dr. Philip re-stated that privacy is a byproduct of autonomy and dignity. He noted that offering a patient dignity was a critical step that must be taken by service providers. Closing his presentation, he challenged the audience with the following questions:

  1. Considering how autonomy is not important, how do we reach people with the idea?
  2. Since physical privacy is key to other forms of privacy, how do we take it more seriously?
  3. What can we do about the medical team's approach to privacy?

Best Practices of Medical Privacy in Various Health Settings

how they can be adopted for the Indian scenario. A few of the principles included the collection limitation principle, the data quality principle, the purpose specification principle, and the use limitation principle. For example, if health information for treating malaria is collected, then that information should only be used for that purpose. Closing his presentation, he noted that most of the technologies that we use today for health run on IT, and thus can be used to compromise individual or hospital-wide information.

Epidemics and Privacy

The exercise of actions within the Act is not necessarily bereft of infringement of privacy and overt discrimination. Certain diseases, as indeed limitations imposed by the state, have elements of stigma that further confound the fuzziness of this debate.

When an epidemic occurs, the need for privacy in the mind of the individual goes down, as they are concerned solely with receiving treatment. He also pointed out that there are contradictory elements during epidemics. For instance, an area might not want to be named as having an outbreak of a disease, but at the same time individuals will line up outside hospitals for treatment, exposing the fact that they have the disease. He also spoke about how steps taken to address epidemics can invade privacy. For example, during the SARS outbreak, it was the practice to put the patient in an infectious disease hospital. This was invasive to personal privacy as it created stigma and discrimination. Closing his presentation, he explained how the conventional notions of privacy do not necessarily hold in the case of epidemics because it is an emergency outbreak. Thus, protocol is established on a case-to-case basis. Despite this, he believes that it is possible and valuable to protect privacy in cases of epidemics.

HIV/ AIDS and Privacy

HIPAA with reference to Applicability to Patient Privacy and Clinical Data Confidentiality in India


Analysing Latest List of Blocked Sites (Communalism & Rioting Edition)

by Pranesh Prakash last modified Sep 06, 2012 11:52 AM
Pranesh Prakash does preliminary analysis on a leaked list of the websites blocked from August 18, 2012 till August 21, 2012 by the Indian government.

Note: This post will be updated as more analysis is done. Last update: 23:59 on August 22, 2012. This is being shared under a Creative Commons Attribution-NonCommercial licence.



How many items have been blocked?

There are a total of 309 specific items (those being URLs, Twitter accounts, img tags, blog posts, blogs, and a handful of websites) that have been blocked. This number is meaningless at one level, given that it doesn't differentiate between the blocking of an entire website (with dozens or hundreds of web pages) from the blocking of a single webpage. However, given that very few websites have been blocked at the domain-level, that number is still reasonably useful.

Please also note, we currently only have information related to what telecom companies and Internet Service Providers (ISPs) were asked to block till August 21, 2012. We do not have information on what individual web services have been asked to remove. That might take the total count much higher.

Why have these been blocked?

As far as I could determine, all of the blocked items have content (mostly videos and images have been targeted, but also some writings) that are related to communal issues and rioting. (Please note: I am not calling the content itself "communal" or "incitement to rioting", just that the content relates to communal issues and rioting.) This has been done in the context of the recent riots in Assam, Mumbai, UP, and the mass movement of people from Bangalore.

There were reports of parody Twitter accounts having been blocked. Preliminary analysis on the basis of available data shows that parody Twitter accounts and satire sites have not been targeted solely for being satirical. For instance, very popular parody Twitter accounts, such as @DrYumYumSingh, are not on any of the four orders circulated by the Department of Telecom. (I have no information on whether such parody accounts are being taken up directly with Twitter or not: just that they aren't being blocked at the ISP-level. Media reports indicate six accounts have been taken up with Twitter for being similar to the Prime Minister's Office's account.)

Are the blocks legitimate?

The goodness of the government's intentions seems, quite clearly in my estimation, to be unquestionable. Yet, even with the best intentions, there might be procedural illegalities and over-censorship.

There are circumstances in which freedom of speech and expression may legitimately be limited. The circumstances that existed in Bangalore could justifiably result in legitimate limitations on freedom of speech. For instance, I believe that temporary curbs — such as temporarily limiting SMSes & MMSes to a maximum of five each fifteen minutes for a period of two days — would have been helpful.

However, it is unclear whether the government has exercised its powers responsibly in this circumstance. The blocking of many of the items on that list is legally questionable and morally indefensible, even while some of the items ought, in my estimation, to be removed.

If the government has blocked these sites under s.69A of the Information Technology Act ("Power to Issue Directions for Blocking for Public Access of Any Information through any Computer Resource"), the persons and intermediaries hosting the content should have been notified and provided 48 hours to respond (under Rule 8 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009). Even if the emergency provision (Rule 9) was used, the block issued on August 18, 2012, should have been introduced before the "Committee for Examination of Request" by August 20, 2012 (i.e., within 48 hours), and that committee should have notified the persons and intermediaries hosting the content.

Importantly, even though many of the items on that list are repugnant and do deserve (in my opinion) to be removed, ordering ISPs to block them is largely ineffectual. The people and companies hosting the material should have been asked to remove it, instead of ordering Internet service providers (ISPs) to block them. All larger sites have clear content removal policies, and encouraging communal tensions and hate speech generally wouldn't be tolerated. That this can be done without resort to the dreadful Intermediary Guidelines Rules (which were passed last year) shows that those Rules are unnecessary. It is our belief that those Rules are also unconstitutional.

Are there any egregious mistakes?

Yes, there are numerous such examples of egregious mistakes.

  1. Most importantly, even some people and posts debunking rumours have been blocked.
  2. Some of the Twitter accounts are of prominent people who write for the mainstream media, and who have written similar content offline. If their online content is being complained about, their offline content should be complained about too.
  3. Quite a number of the links include articles published and reports broadcast in the mainstream media (including a Times Now report, a Telegraph picture gallery, etc.), and in print, making the blocks suspect. Only the online content seems to have been targeted for censorship.

There are numerous mistakes and inconsistencies that make blocking pointless and ineffectual.

  1. Some of the items are not even web addresses (e.g., a few HTML img tags were included).
  2. Some of the items they have tried to block do not even exist (e.g., one of the Wikipedia URLs).
  3. An entire domain was blocked on Sunday, and a single post on that domain was blocked on Monday.
  4. For some Facebook pages, the secure version (https://facebook.com/...) is listed, for others the non-secure version (http://facebook.com/...) is listed.
  5. For some YouTube videos, the 'base' URL of the video is blocked, but for others the URL with various parameters (like the "&related=" parameter) is blocked. That means that even nominally 'blocked' videos will be freely accessible.

All in all, it is clear that the list was not compiled with sufficient care.
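The inconsistencies listed above can be checked mechanically before an order is circulated. The following Python script is an added example, not code from the original post or from CIS; the sample entries, dates and placeholder IDs are constructed, and the issue labels are this example's own naming.

```python
"""Audit a URL block list for the kinds of inconsistency described in the post."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample order (date, entry). Nothing here is taken from the leaked
# lists: example.org / example.net are reserved domains and the IDs are placeholders.
SAMPLE_ORDER = [
    ("2012-08-19", "http://blog.example.org/"),
    ("2012-08-20", "http://blog.example.org/2012/08/some-post.html"),
    ("2012-08-20", '<img src="http://img.example.net/a.jpg">'),
    ("2012-08-20", "http://www.facebook.com/photo.php?fbid=1000001"),
    ("2012-08-20", "https://www.facebook.com/photo.php?fbid=1000002"),
    ("2012-08-21", "http://www.youtube.com/watch?v=VIDEO000001"),
    ("2012-08-21", "http://www.youtube.com/watch?v=VIDEO000002&related=1"),
]

# An entry counts as a URL only if the whole string is an http(s) address.
URL_RE = re.compile(r'^https?://[^\s<>"]+$', re.IGNORECASE)


def parse_entry(entry):
    """Return the split URL for a well-formed http(s) entry, else None."""
    entry = entry.strip()
    if not URL_RE.match(entry):
        return None
    parts = urlsplit(entry)
    return parts if parts.hostname else None


def host_key(parts):
    """Lower-cased host without a leading 'www.' so variants compare equal."""
    host = parts.hostname.lower()
    return host[4:] if host.startswith("www.") else host


def is_domain_level(parts):
    """True when the entry names a whole site rather than a single page."""
    return parts.path in ("", "/") and not parts.query


def audit(order):
    """Return (issue, date, entry) findings for a list of (date, entry) pairs.

    Entries are assumed to be in date order, as in the daily orders.
    """
    findings = []
    domain_blocks = {}           # host -> date it was blocked at domain level
    schemes = defaultdict(set)   # host -> schemes used by page-level entries
    for date, entry in order:
        parts = parse_entry(entry)
        if parts is None:
            # e.g. an HTML <img> tag pasted into the list instead of an address
            findings.append(("not_a_url", date, entry))
            continue
        host = host_key(parts)
        if is_domain_level(parts):
            domain_blocks.setdefault(host, date)
            continue
        if host in domain_blocks:
            # a single page listed after its whole domain was already listed
            findings.append(("page_already_covered_by_domain_block", date, entry))
        schemes[host].add(parts.scheme.lower())
        if host == "youtube.com" and parts.path == "/watch":
            # anything besides v= means the listed string is not the base URL
            extra = sorted(set(parse_qs(parts.query, keep_blank_values=True)) - {"v"})
            if extra:
                findings.append(("extra_query_parameters:" + ",".join(extra), date, entry))
    for host, seen in sorted(schemes.items()):
        if seen == {"http", "https"}:
            # some pages listed only as http, others only as https
            findings.append(("mixed_http_https", None, host))
    return findings


if __name__ == "__main__":
    for issue, date, entry in audit(SAMPLE_ORDER):
        print(f"{issue:45} {date or '-':10} {entry}")
```

Checking whether a listed address actually exists (item 2 above) needs a network request and is left out so the script runs offline.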

Despite a clear warning by the DIT that "above URLs only" should be blocked, and not "the main websites like www.facebook.com, www.youtube.com, www.twitter.com, etc.", it has been seen that some ISPs (like Airtel) have gone overboard in their blocking.

Why haven't you put up the whole list?

Given the sensitivity of the issue, we felt it would be premature to share the whole list. However, we strongly believe that transparency should be an integral part of all censorship. Hence, this analysis is an attempt to provide some much-needed transparency. We intend to make the entire list public soon, though. (Given how porous such information is, it is likely that someone else will procure the list, and release it sooner than us.)

Why can I still access many items that are supposed to be blocked?

One must keep in mind that fresh orders have been issued on a day-by-day basis, that there are numerous mistakes in the list making it difficult to apply (some of these mistakes have been mentioned above), and that this order has to be implemented by hundreds of ISPs.

Your ISP probably has not got around to enforcing the blocks yet. At the time of this writing, most ISPs don't seem to be blocking yet. This analysis is based on the orders sent around to ISPs, and not on the basis of actual testing of how many of these have actually been blocked by Airtel, BSNL, Tata, etc.

Additionally, if you are using Twitter through a client (on your desktop, mobile, etc.) instead of the web interface, you will not notice any of the Twitter-related blocks.

So you are fine with censorship?

No. I believe that in some cases, the government has the legal authority to censor. Yet, exercising that legal authority is usually not productive, and in fact there are other, better ways of limiting the harms caused by speech and information than censorship. Limiting speech might even prove harmful in situations like these, if it ends up restricting people's ability to debunk false rumours. In a separate blog post (to be put up soon), I am examining how all of the government's responses have been flawed both legally and from the perspective of achieving the desired end.

So what should the government have done?

Given that the majority of the information it is targeting is on Facebook, Youtube, and Twitter, the government could have chosen to fight alongside those services to get content removed expeditiously, rather than fight against them. (There are some indications that the government might be working with these services, but it certainly isn't doing enough.)

For instance, it could have asked all of them to expedite their complaints mechanism for a few days, by ensuring that the complaints mechanism is run 24x7 and that they respond quickly to any complaint submitted about communal incitement, spreading of panic, etc. This does not need the passing of an order under any law, but requires good public relations skills and a desire not to treat internet services as enemies. The government could have encouraged regular users to flag false rumours and hate speech on these sites. On such occasions, social networking sites should step up and provide all lawful assistance that the government may require. They should also be more communicative in terms of the help they are providing to the government to curtail panic-inducing rumours and hate speech. (Such measures should largely be reactive, not proactive, to ensure legitimate speech doesn't get curtailed.)

The best antidote for the rumours that spread far and wide and caused a mass movement of people from Bangalore to the North-Eastern states would have been clear debunking of those rumours. Mass outreach to people in the North-East (very often the worried parents) and in Bangalore using SMSes and social media, debunking the very specific allegations and rumours that were floating around, would have been welcome. However, almost no government officials actually used social media platforms to reach out to people to debunk false information and reassure them. Even a Canadian interning in our organization got a reassuring SMS from the Canadian government.

It is indeed a pity that the government notified a social media engagement policy today, when the need for it was so very apparent all of the past week.

And what of all this talk of cybersecurity failure and cyber-wars?

Cybersecurity is indeed a cause of concern for India, but only charlatans and the ignorant would make any connection between India's cybersecurity and recent events. The role of Pakistan deserves a few words. Not many Pakistani websites / webpages have been blocked by the Indian government. Two of the Pakistani webpages that have been blocked are actually pages that debunk the fake images that have been doing the rounds in Pakistan for at least the past month. Even Indian websites like Kafila noted these fake images long ago, and Ayesha Siddiqa wrote about this on August 5, 2012, and Yousuf Saeed wrote about it on August 13, 2012. Even if material may have been uploaded from Pakistan, it seems highly unlikely that it was targeted at an Indian audience, rather than a Pakistani or global one.

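| Domain | Total Number of Entries | Tuesday, August 21, 2012 | Monday, August 20, 2012 | Sunday, August 19, 2012 | Saturday, August 18, 2012 |
|---|---|---|---|---|---|
| ABC.net.au | 1 | | | | 1 |
| AlJazeera.com | 4 | | 4 | | |
| AllVoices.com | 1 | | | | 1 |
| WN.com | 1 | | | | 1 |
| AtjehCyber.net | 1 | | | | 1 |
| BDCBurma.org | 1 | 1 | | | |
| Bhaskar.com | 1 | | | 1 | |
| Blogspot.com | 4 | | | 3 | 1 |
| Blogspot.in | 7 | 1 | 3 | | 3 |
| Catholic.org | 1 | | | 1 | |
| CentreRight.in | 2 | 2 | | | |
| ColumnPK.com | 1 | | | 1 | |
| Defence.pk | 4 | | 2 | 1 | 1 |
| EthioMuslimsMedia.com | 1 | | | | 1 |
| Facebook.com (HTTP) | 75 | 36 | 7 | 18 | 14 |
| Facebook.com (HTTPS) | 27 | | 3 | 23 | 1 |
| Farazahmed.com | 5 | 1 | | | 4 |
| Firstpost.com | 2 | | 1 | 1 | |
| HaindavaKerelam.com | 1 | | | 1 | |
| HiddenHarmonies.org | 1 | | 1 | | |
| HinduJagruti.org | 2 | | 1 | 1 | |
| Hotklix.com | 1 | | | 1 | |
| HumanRights-Iran.ir | 2 | | | | 2 |
| Intichat.com | 1 | 1 | | | |
| Irrawady.org | 1 | | | 1 | |
| IslamabadTimesOnline.com | 1 | | | | 1 |
| Issuu.com | 1 | | | | 1 |
| JafriaNews.com | 1 | | | | 1 |
| JihadWatch.org | 2 | | 2 | | |
| KavkazCenter | 1 | | | 1 | |
| MwmJawan.com | 1 | | | | 1 |
| My.Opera.com | 1 | 1 | | | |
| Njuice.com | 1 | | 1 | | |
| OnIslam.net | 1 | | | | 1 |
| PakAlertPress.com | 1 | 1 | | | |
| Plus.Google.com | 4 | | | | 4 |
| Reddit.com | 1 | | 1 | | |
| Rina.in | 1 | | | | 1 |
| SandeepWeb.com | 1 | | 1 | | |
| SEAYouthSaySo.com | 1 | | | | 1 |
| Sheikyermami.com | 1 | | | | 1 |
| StormFront.org | 1 | | | | 1 |
| Telegraph.co.uk | 1 | | | | 1 |
| TheDailyNewsEgypt.com | 1 | | | | 1 |
| TheFaultLines.com | 1 | | | | 1 |
| ThePetitionSite.com | 1 | 1 | | | |
| TheUnity.org | 1 | | | | 1 |
| TimesofIndia.Indiatimes.com | 1 | | 1 | | |
| TimesOfUmmah.com | 1 | | | | 1 |
| Tribune.com.pk | 1 | 1 | | | |
| Twitter.com (HTTP) | 1 | | | 1 | |
| Twitter.com (HTTPS) | 11 | | | 1 | 10 |
| Twitter account | 18 | | 16 | 2 | |
| TwoCircles.net | 2 | | | 2 | |
| Typepad.com | 1 | | 1 | | |
| Vidiov.info | 1 | | 1 | | |
| Wikipedia.org | 3 | | | 3 | |
| Wordpress.com | 8 | 1 | 3 | 2 | 2 |
| YouTube.com | 85 | 18 | 39 | 14 | 14 |
| YouTu.be | 1 | | | 1 | |
| Totals | 309 | 65 | 88 | 80 | 75 |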

The analysis has been cross-posted/quoted in the following places:

  1. LiveMint (September 4, 2012)
  2. The Hindu (August 26, 2012)
  3. Wall Street Journal (August 25, 2012)
  4. tech 2 (August 25, 2012)
  5. China Post (August 25, 2012)
  6. The Hindu (August 24, 2012)
  7. LiveMint (August 24, 2012)
  8. Global Voices (August 24, 2012)
  9. Reuters (August 24, 2012)
  10. Outlook (August 23, 2012)
  11. FirstPost.India (August 23, 2012)
  12. IBN Live (August 23, 2012)
  13. News Click (August 23, 2012)
  14. Medianama (August 23, 2012)
  15. KAFILA (August 23, 2012)
  16. CIOL (August 23, 2012)

A Public Meeting on DNA Profiling Bill in Delhi

by Elonnai Hickok last modified Oct 10, 2012 10:58 AM
On September 27, 2012, the Centre for Internet and Society hosted a public talk at the Indian International Centre focused on the draft DNA Profiling Bill. Presenting at the meeting were international experts Dr. Helen Wallace, director of GeneWatch UK, and Jeremy Gruber, president and executive director of the Council for Responsible Genetics US, and Dr. Anupama Raina, senior scientist at AIIMS.

The use of DNA samples for forensic purposes has been increasing as law enforcement agencies in India rely on DNA samples as a source of evidence to solve crimes. India currently does not have legislation specifically regulating the collection, use, and storage of DNA samples for forensic purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.


Opening the meeting was a presentation by Dr. Anupama that focused on how DNA analysis has been used in various cases in India. Dr. Anupama emphasized the important role that DNA plays and the usefulness of the technology, but also cautioned that the police are still perfecting the use of DNA samples for forensic purposes. She promoted the passing of the DNA profiling bill with the correct safeguards. Dr. Anupama also provided insight into the current procedure for DNA analysis in India, noting that consent is taken from individuals before taking DNA samples, and that ethical clearance is taken before DNA samples are taken and used for research purposes. She also noted that labs are working on improving quality assurance and emphasized the importance of chain of custody in ensuring that DNA samples are not contaminated.

Following Dr. Anupama, Jeremy Gruber spoke about the US experience with DNA databases and explained how DNA testing was initially introduced as a tool for establishing additional evidence for convicting violent felony offenders or freeing innocent individuals on a case-by-case basis. He explained how the technology of DNA sampling and its use in forensic cases can be a useful tool when used justly and democratically, or can be harmful when used unjustly and undemocratically. He noted that there has been an increase in the routine use and retention of DNA by law enforcement today for purposes such as using DNA databases for familial searching, and using DNA analysis to create profiles of individuals. Concerns that Jeremy Gruber raised with respect to the draft DNA Profiling Bill included the assumption in the preamble of the bill that DNA is an infallible piece of evidence; he pointed out that when DNA is used for forensic purposes it is vulnerable to inaccuracies such as false matches, sample contamination, and analysis error. He also made the point that the definitions found in the bill are overly broad and work to expand the scope by defining a wide range of crimes for which individuals will be added to the DNA database. These broad definitions essentially turn the database into an all crimes database. Other concerns with the bill included that DNA laboratories are not clearly independent of the police, and that the bill allows for the additional collection of DNA from missing persons and victims.

In her presentation, Dr. Helen Wallace described the UK experience, where the first DNA database was established in 1995. In 2000 a major expansion of the UK DNA database took place, but was controversial for a number of reasons. In 2008 the European Court of Justice ruled that the regime of retaining DNA samples in the UK was unlawful and a breach of privacy. Now the UK law requires that only a barcode with identifying information be stored. Dr. Wallace also emphasized the fact that the number of convictions resulting from DNA detections has not increased as the UK DNA database has expanded, because the number of solved crimes is driven by the number of crime scene samples. Thus, samples on a database are only useful if they relate directly to the crime scene and a possible criminal. Therefore the more profiles that are added to the database that are related to petty crimes, civil cases, victims, volunteers etc. the less efficient and accurate the database becomes. Dr. Wallace recommended that a DNA database contain only careful crime scene evidence in order to ensure samples are matched accurately. Concerns with the DNA profiling Bill emphasized by Dr. Wallace included that consent is not provided for in the bill, and court orders are not required. Furthermore, the bill does contain a removal process, and it is unclear what DNA profiling system will be used.

Responding to the presentations made by the speakers, members of the audience raised concerns over the use of DNA sampling in India for reasons beyond forensic purposes, such as requiring surrogate mothers and the children to undergo DNA tests. Other members of the audience pointed out that the bill does not address the rights of suspects and prisoners. Additionally the question of the evidentiary weight of DNA samples in court was raised, along with the concern that the broad collection of DNA samples from individuals is just another example of the growing trend by the Indian government to collect and store information about its citizens.

Transparency and Privacy

by Prasad Krishna last modified Feb 28, 2014 04:54 AM
The two concepts, transparency and privacy, can be both opposing and interrelated. On one level, the protection of individual privacy is achieved through institutional and governmental transparency, as transparency of actions taken by the government or private sector concerning individuals works to inspire trust. On another level, situations of privacy and transparency bring out the question of how the public good should be balanced against public and private interests.

Transparency and Privacy.pdf — PDF document, 541 kB (554,467 bytes)

The UK DNA Database and the European Court of Human Rights

by Prasad Krishna last modified Oct 10, 2012 10:19 AM
A presentation by Dr. Helen Wallace, Director, GeneWatch, UK

UK-DNA-database-lessons.ppt — Microsoft PowerPoint presentation, 1,706 kB (1,746,944 bytes)

Forensic DNA Databases

by Prasad Krishna last modified Oct 10, 2012 10:57 AM
A presentation by Jeremy Gruber

FGPI 2012 India.pptx — ZIP archive, 886 kB (907,551 bytes)

Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy

by Elonnai Hickok last modified Oct 25, 2012 10:23 AM
CCTVs are increasingly being employed by private organizations and the government in India as a way to increase security and prevent or deter crime. When the government mandates the use of CCTVs for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained.

The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space (it does not distinguish between private and public, and primarily captures information from wherever it is directed) give rise to privacy concerns and raise fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.

An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.[1] This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.

To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.

Current Status of the Shack Policy

This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1st through May 31st, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.[2] Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.

Inside the policy:

Application Requirements

To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by a residence certificate in original issued by Village Panchayat Municipality, an attested copy of the ration card, four copies of a recent colored passport photo with name written on the back, an attested copy of birth certificate/passport copy/PAN Card, any other information that the applicant desires to furnish, and an affidavit. In addition, individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wish to provide.[3] These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish could be used to convey either meaningful or extraneous information to the government.

Operational Requirements

The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack[4] and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.[5]

The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim.[6] Shacks must also be made out of eco-friendly material as much as possible and the use of cement is banned,[7] and the proper disposal of trash and waste water will be the responsibility of the shack owner.[8] Furthermore, foreigners working in the shacks must have a work visa,[9] and loud music is not allowed to be played after 10:30 p.m.[10]

As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form.[11] But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.

Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPC. This requirement only came into effect on October 1st 2012.[12] Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.

Enforcement

The policy uses a number of measures to ensure enforcement. For example, successful applicants must place a security deposit of 10,000 with the Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.[13] The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a term of imprisonment of minimum three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000, or both. All offenses under the Act are cognizable and non-refundable.[14] If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.[15] Shack owners will also be penalized if they are caught discriminating against who can and cannot enter into the shack.[16]

Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.

Other practices around security and identification in Goa

In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.[17]

The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period.  In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.

Will the 2012 – 2013 Beach Shack Policy have new implications?

In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seem to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.

The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners' discomfort in using the technology, and perhaps the government’s recognition that a certain level of groundwork needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the groundwork will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.

At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to be part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.

For example, Goa is not the only city to consider mandatory installation of CCTV’s.  In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.[18] Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.[19]

The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTVs, was recently highlighted in the Report of the Group of Experts on Privacy headed by Justice A.P. Shah.[20] The report noted that the use of CCTV cameras, and more broadly the use of electronic recording devices in India, is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.[21]

Conclusion

In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand, when CCTVs are employed without safeguards and regulations, they could result in infractions of privacy and rights, or could simply move the crime away from the surveilled area to an unsurveilled area.

Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sector's ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance, but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly, any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.


Notes
[1]. Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: http://bit.ly/Xk18NH. Last accessed: October 24th 2012.
[2]. Id. Section 2.
[3]. Id. Application Requirements 1-8. Pg 1&2.
[4]. Section 33.
[5]. A part of the affidavit.
[6]. Id. Section 4.
[7]. Id. Section 17.
[8]. Id. Section 28.
[9]. Id. Section 35.
[10]. Id. Section 37.
[11]. Id. Section 38.
[12]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: http://www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf
[13]. Beach Shack Policy 2012 - 2013, Section 16.
[14]. Id. Section 18.
[15]. Id. Section 22.
[16]. Id. Section 32.
[17]. Arrival Report of Foreigner in Hotel. “Form C”. Available at: http://bit.ly/TbUO4S
[18]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28th 2012. Available at: http://bit.ly/RXtgBg. Last accessed: October 24th 2012.
[19]. Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20th 2011. Available at: http://bit.ly/VHwCzd. Last accessed: October 24th 2012.
[20]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: http://bit.ly/VqzKtr. Last accessed: October 24th 2012.
[21]. Id. pg. 61-62.

Rethinking DNA Profiling in India

by Elonnai Hickok last modified Oct 29, 2012 08:00 AM
DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs to be included in the draft Human DNA Profiling Bill.

Elonnai Hickok's article was published in Economic & Political Weekly, Vol - XLVII No. 43, October 27, 2012


DNA evidence was first accepted by the courts in India in 1985,[1] and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include

"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."[2]

Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.

The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.[3] The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).[4]

The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,[5] along with a number of private labs[6] which analyse DNA samples for crime-related purposes.

In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of

"enhancing protection of people in the society and the administration of justice."[7]

The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.[8] The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.

Concerns that have been raised with regards to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles[9] from DNA samples[10] only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases, as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).[11] This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.[12]

The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board.[13] How independent each of these indices is remains unclear. For example, the Bill does not specify whether, when a profile is searched for in the database, all indices are searched or only the relevant indices, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.[14] The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected and used for the identification of the perpetrator, including unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.[15] Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offenses will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.

Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.[16] Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,[17] but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,[18] it allows for DNA profiles/DNA samples and related information to be shared for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.[19]

An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."[20] CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.[21] Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?

Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:

"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."[22]

This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals and in identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Windward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.[23]

Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.[24] In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,

"In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals."[25]

Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.[26] And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.[27] These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.

The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, "DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."[28]

This statement ignores the possibility of false matches, cross-contamination, and laboratory error,[29] as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime;[30] in the French diplomat rape case, the DNA report came out with both negative and positive results;[31] and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.[32] Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.[33]

The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:

"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."[34]

The claim that the DNA fingerprinting service has shown a dramatic increase in the conviction rate is not supported by evidence in this article. In addition, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.[35] This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.[36] From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.

Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hands of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.[37]

Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.[38] The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.

The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.[39] These are significant gaps in the proposed legislation as they restrict the rights of the individual.

In conclusion, India could benefit from having legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement on the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.


[1]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at: http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf. Last accessed: October 9th 2012.
[2]. Section 53. The Criminal Code of Procedure, 1973. Available at: http://www.vakilno1.com/bareacts/crpc/s53.htm. Last accessed October 9th 2012.
[3]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf. Last Accessed October 9th 2012.
[4]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0. Last accessed: October 9th 2012.
[5]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012.
[6]. For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.
[7]. Draft Human DNA Profiling Bill 2012. Introduction.
[8]. Id. section 12(a-z)
[9]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.
[10]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct DNA analysis, collected in such manner as specified in Part II of the Schedule.
[11]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.
[12]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html. Last accessed: October 9th 2012
[13]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))
[14]. Id. Section 35
[15]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.
[16]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.
[17]. Draft Human DNA Profiling Bill 2012. Section 32(5)-(6)(a)-(b). Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.
[18]. Id. Section 39
[19]. Id. Section 40(c)
[20]. CDFD. Annual Report 2010-2011. Pg. 19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 9th 2012.
[21]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: http://www.cdfd.org.in/servicespages/dnafingerprinting.html
[22]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf. Last accessed: October 9th 2012
[23]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html. Last accessed: October 10th 2012.
[24]. Narayan, P. A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms. Last accessed: October 9th 2012.
[25]. BioAxis DNA Research Centre (P) Limited. Website Available at: http://www.dnares.in/dna-databank-database-of-india.php. Last accessed: October 10th 2012.
[26]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at: http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank. Last accessed: October 10th 2012.
[27]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at: http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.
[28]. Draft DNA Human Profiling Bill 2012. Introduction
[29]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.
[30]. DNA. Aarushi case: Expert forgets samples collected from murder spot. August 28th 2012. Available at: http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957. Last accessed: October 10th 2012.
[31]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html. Last accessed: October 10th 2012.
[32]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests. Last accessed: October 10th 2012.
[33]. Draft Human DNA Profiling Bill 2012. Section 18-27.
[34]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: http://dbtindia.nic.in/uniquepage.asp?id_pk=124. Last accessed: October 10 2012.
[35]. CDFD Annual Report 2010 – 2011. Pg. 19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 10th 2012.
[36]. CDFD Annual Report 2006-2007. Pg. 13. Available at: http://www.cdfd.org.in/images/AR_2006_07.pdf. Last accessed: October 10th 2012.
[37]. Draft Human DNA Profiling Bill 2012. Section 35
[38]. Id. Section 41.
[39]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9. Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.

Q&A to the Report of the Group of Experts on Privacy

by Elonnai Hickok last modified Nov 09, 2012 10:20 AM
In January 2012 Justice A.P. Shah formed a committee consisting of a group of experts to contribute to and create a report of recommendations for a privacy legislation in India. The committee met a total of seven times from January to September 2012. The Centre for Internet and Society (CIS) was a member of the committee creating the report. This blog post is CIS’s attempt to answer questions that have arisen from media coverage on the report, based on our understanding.

Executive Summary

The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.

Q: What are the salient features of the committee’s recommendations?

A: In its report the committee recommended that any privacy legislation passed should:

  • Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted.
  • Recognize the multiple dimensions of privacy including physical and informational privacy.
  • Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy.
  • Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors.
  • Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners.

Chapter 1: Constitutional Basis for Privacy

This chapter summarizes a number of decisions from the Indian Judiciary that demonstrate how the right to privacy in India has been defined on a case-by-case basis, as either a fundamental right or a common law right.

Q: What are the contexts of the cases covered?

A: This chapter covers cases that speak to the:

  • Right to privacy in the context of surveillance by the State
  • Balancing the ‘right to privacy’ against the ‘right to free speech’
  • The ‘right to privacy’ of HIV patients
  • Prior judicial sanctions for tapping telephones
  • The ‘search and seizure’ powers of revenue authorities

Chapter 2: International Privacy Principles

This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.

Q: Privacy principles from which countries were reviewed by the Committee?

A: The Committee reviewed privacy principles from the following countries and international organizations:

  • EU Regulations of January 2012
  • US Consumer Privacy Bill of Rights
  • OECD Privacy Principles
  • APEC Privacy Framework
  • Australia
  • Canada

Chapter 3: National Privacy Principles, Rationales, and Emerging Issues

This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.

Q: What could the principles apply to?

A: The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.

Q: Who could be brought under the scope of the principles?

A: The principles are applicable to every data controller in the private sector and the public sector. For example organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.

Q: How could the National Privacy Principles impact individuals?

A: The principles provide individuals with the right to:

  1. Receive notice before giving consent, stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, security safeguards established by the data controller, processes available to data subjects to access and correct personal information, and contact details of privacy officers.
  2. Opt in and out of providing personal information.
  3. Withdraw given consent at any point of time.
  4. Access and correct any personal information held by data controllers.
  5. Issue a complaint with the respective ombudsman, privacy commissioner, or court.

Q: Would the National Privacy Principles be binding for every data controller?

A: Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.

Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective

This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and analyzes current and upcoming legislation to demonstrate which existing provisions uphold the privacy principles, which existing provisions are in conflict with the principles, and which provisions are missing to ensure that the legislation is compliant, to the extent possible, with the principles.

Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?

A: When applied, the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.

Q: How does the report understand the relationship between the freedom of expression and privacy?

A: Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistle blowers, and national security. Most often, public interest is the test used to determine if the right to privacy should supersede the freedom of expression or vice versa.

Chapter 5: The Regulatory Framework

This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.

Q: Who are the main actors in the regulatory framework?

A: The report recommends that a regulatory framework be comprised of one privacy commissioner at the central level and four commissioners at the regional level, self regulating organizations (SROs) at the industry level, data controllers and privacy officers at the organization level, and courts.

Q: What are the salient features of the regulatory framework?

A: The salient features of the regulatory framework include:

  1. A framework of co-regulation
  2. Complaints
  3. Exceptions to the Privacy Act
  4. Offenses under the Act

Q: What are exceptions to the right to privacy? Are these blanket exceptions?

A: National security; public order; disclosure of information in public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that before an exception can be made in these circumstances, the principles of proportionality, legality, and necessity in a democratic state should be used to measure whether the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy.

Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subjected to the principles of proportionality, legality, and necessity in a democratic state.

Q: What are the powers and responsibilities of the privacy commissioners?

A: The powers and responsibilities of the Privacy Commissioners are the following:

Responsibilities:

  1. Enforcement of the Act
  2. Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.
  3. Evaluate and approve privacy principles developed by SROs
  4. Collaborate with stakeholders to ensure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations

Powers:

  1. Order privacy impact assessments on organisations
  2. Investigate complaints suo motu or based on complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary)
  3. Fine non-compliant data controllers

Q: How does Co-regulation work?

A: The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry level self regulating organization will submit to the privacy commissioner a subset of self regulatory norms. If these norms are approved by the privacy commissioner, the SRO will be responsible for enforcing those norms, but the privacy commissioner will have the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.

Q: What are data controllers? What are privacy officers? What are ombudsmen?

A: A data controller is any entity that handles or processes data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of an SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsmen and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.

Q: When can an individual issue a complaint? Which body should individuals issue complaints to?

A: An individual can issue a complaint at any point of time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. When applicable, complaints are encouraged to be issued first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial decision of non-compliance.

Q: Can an individual receive compensation for a violation of privacy?

A: Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.

Q: What offences does the report recommend?

A: The following constitute offences under the Act:

  • Non-compliance with the privacy principles
  • Unlawful collection, processing, sharing/disclosure, access, and use of personal data
  • Obstruction of commissioner
  • Failure to comply with notification issued by commissioner
    • Processing data after receiving a notification
    • Failure to appear before commissioner
    • Failure to produce documents requested by commissioner
    • Sending report to commissioner with false or misleading information

Chapter 6: The Multiple Dimensions of Privacy

This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.

Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?

A: No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.

Summary of Recommendations

This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.

Q: Are the recommendations in this chapter different from chapters above?

A: No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act, including:

  1. The Act should define and harmonize with existing laws in force.
  2. The Act should extend the right of privacy to all individuals in India and all data processed by any company or equipment located in India, and all data that originated in India.
  3. The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.
  4. The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be invoked.
  5. If any other legislation provides more extensive protections than those set out by the Privacy Act, then the more extensive protections should apply.

Report of the Group of Experts on Privacy [PDF, 1270 Kb]

Report of the Group of Experts on Privacy

by Prasad Krishna last modified Nov 06, 2012 09:39 AM
The report covers international privacy principles, national privacy principles, rationale and emerging issues along with an analysis of relevant legislations/bills from a privacy perspective.

Report of the Group of Experts on Privacy.pdf — PDF document, 1,269 kB (1,299,685 bytes)

Arbitrary Arrests for Comment on Bal Thackeray's Death

by Pranesh Prakash last modified Jan 02, 2013 03:42 AM
Two girls have been arbitrarily and unlawfully arrested for making comments about the late Shiv Sena supremo Bal Thackeray's death. Pranesh Prakash explores the legal angles to the arrests.

Facts of the case

This morning, there was a short report in the Mumbai Mirror about two girls having been arrested for comments one of them made, and the other 'liked', on Facebook about Bal Thackeray:

Police on Sunday arrested a 21-year-old girl for questioning the total shutdown in the city for Bal Thackeray’s funeral on her Facebook account. Another girl who ‘liked’ the comment was also arrested.

The duo were booked under Section 295 (a) of the IPC (for hurting religious sentiments) and Section 64 (a) of the Information Technology Act, 2000. Though the girl withdrew her comment and apologised, a mob of some 2,000 Shiv Sena workers attacked and ransacked her uncle’s orthopaedic clinic at Palghar.

“Her comment said people like Thackeray are born and die daily and one should not observe a bandh for that,” said PI Uttam Sonawane.

What provisions of law were used?

There's a small mistake in Mumbai Mirror's reportage as there is no section "64(a)"[1] in the Information Technology (IT) Act, nor a section "295(a)" in the Indian Penal Code (IPC). They must have meant section 295A of the IPC ("outraging religious feelings of any class") and section 66A of the IT Act ("sending offensive messages through communication service, etc."). (Update: The Wall Street Journal's Shreya Shah has confirmed that the second provision was section 66A of the IT Act.)

Section 295A of the IPC is cognizable and non-bailable, and hence the police have the powers to arrest a person accused of this without a warrant.[2] Section 66A of the IT Act is cognizable and bailable.

Update: Some news sources claim that section 505(2) of the IPC ("Statements creating or promoting enmity, hatred or ill-will between classes") has also been invoked.

Was the law misapplied?

This is clearly a case of misapplication of s.295A of the IPC.[3] This provision has been frivolously used numerous times in Maharashtra. Even the banning of James Laine's book Shivaji: Hindu King in Islamic India happened under s.295A, and the ban was subsequently held to have been unlawful by both the Bombay High Court as well as the Supreme Court. Indeed, s.295A has not been applied in cases where its applicability is more apparent, making this seem like a parody news report.

Interestingly, the question arises of the law under which the friend who 'liked' the Facebook status update was arrested. It would take a highly clever lawyer and a highly credulous judge to make 'liking' of a Facebook status update an act capable of being charged with electronically "sending ... any information that is grossly offensive or has menacing character" or "causing annoyance or inconvenience", or under any other provision of the IT Act (or, for that matter, the IPC).[4] That 'liking' is protected speech under Article 19(1)(a) is not under question in India (unlike in the USA where that issue had to be adjudicated by a court), since unlike the wording present in the American Constitution, the Indian Constitution clearly protects the 'freedom of speech and expression', so even non-verbal expression is protected.

Role of bad law and the police

In this case the blame has to be shared between bad law (s.66A of the IT Act) and an abuse of powers by police. The police were derelict in their duty, as they failed to provide protection to the Dhada Orthopaedic Hospital, run by the uncle of the girl who made the Facebook posting. Then they added insult to injury by arresting Shaheen Dhada and the friend who 'liked' her post. This should not be written off as a harmless case of the police goofing up. Justice Katju is absolutely correct in demanding that such police officers should be punished.

Rule of law

Rule of law demands that laws are not applied in an arbitrary manner. When tens of thousands were making similar comments in print (Justice Katju's article in the Hindu, for instance), over the Internet (countless comments on Facebook, Rediff, Orkut, Twitter, etc.), and in person, how did the police single out Shaheen Dhada and her friend for arrest?[5]

Social Media Regulation vs. Suppression of Freedom of Speech and Expression

This should not be seen merely as "social media regulation", but as a restriction on freedom of speech and expression by both the law and the police. Section 66A makes certain kinds of speech-activities ("causing annoyance") illegal if communicated online, but legal if that same speech-activity is published in a newspaper. Finally, this is similar to the Aseem Trivedi case where the police wrongly decided to press charges and to arrest.

This distinction is important as it being a Facebook status update should not grant Shaheen Dhada any special immunity; the fact of that particular update not being punishable under s.295 or s.66A (or any other law) should.


  1. Section 64 of the IT Act is about "recovery of penalty" and the ability to suspend one's digital signature if one doesn't pay up a penalty that's been imposed.

  2. The police generally cannot, without a warrant, arrest a person accused of a bailable offence unless it is a cognizable offence. A non-bailable offence is one for which a judicial magistrate needs to grant bail, and it isn't an automatic right to be enjoyed by paying a bond-surety amount set by the police.

  3. Section 295A of the IPC has been held not to be unconstitutional. The first case to challenge the constitutionality of section 66A of the IT Act was filed recently in front of the Madurai bench of the Madras High Court.

  4. One can imagine an exceptional case where such an act could potentially be defamatory, but that is clearly exceptional.

  5. This is entirely apart from the question of how the Shiv Sena singled out Shaheen Dhada's Facebook comment.



DoT Blocks Domain Sites — But Reasons and Authority Unclear

by Smitha Krishna Prasad last modified Nov 21, 2012 10:03 AM
Earlier this year, ISPs such as Airtel and MTNL blocked a number of domain sites including BuyDomains, Fabulous Domains and Sedo.co.uk. Whereas the Indian Government and courts have previously issued orders blocking websites, these actions have generally been attributed to issues such as posting of inflammatory content or piracy of copyrighted material. However, the reasoning behind blocking domain marketplaces such as the above mentioned sites is not clear.

These websites offer users various tools to buy and sell domain names and simplify the purchasing process. Users on India Broad Band forum and websites like Medianama reported that these domain sites were not accessible and the following message was displayed instead — "This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Telecommunications".

.IN Registry’s Anti-Abuse Policy

If the issue at hand is one of abusive registrations, it would fall under the .IN Domain Anti-abuse Policy adopted by the National Internet Exchange of India (NIXI) and the .in registry. This policy states that NIXI will have the right to "deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status" if necessary. This raises a question as to why the Department of Telecommunications (DoT) would issue directions to block these domain marketplaces instead of cancelling their registration or placing it on hold under the policies adopted by NIXI.

A second, more important question would be whether the DoT has the power to block websites or take action under NIXI’s anti-abuse policy. NIXI and the .in registry both work under the aegis of the Department of Electronics and Information Technology. In addition, the Information Technology Act, 2000 ("the IT Act") is the only legislation that provides the authority to block a website and this authority is bestowed upon the Secretary, Department of Information Technology.

Information Technology Act

Section 69-A of the IT Act authorizes the central government to issue directions/orders to block public access to any information generated, transmitted, received, stored or hosted in any computer resource, i.e., to block websites. Such orders can be issued if the authorized officer finds that it is necessary to do so in India’s sovereign and national interests or in the interest of public order. These interests include defence, security of the state, friendly relations with foreign neighbours and preventing incitement to the commission of an offence.

The procedures and safeguards that are to be followed before issuing an order to block a website are detailed in the Information Technology (Procedure and Safeguards for blocking for access of information by public) Rules, 2009 ("the rules"). The rules provide that upon receiving a complaint, the concerned organization for the blocking of access to information shall examine the complaint to ensure that there is a need to take action under the reasons mentioned above. If such action is found necessary, a request is forwarded, and a committee established as per the rules reviews any requests made to block access to any information. During this review, there is also provision for a notice and reply procedure. This allows the person controlling the online publication of such information to appear before the committee and respond to the request or make any clarifications regarding the information.

The recommendations of the committee are then sent to the Secretary of the Department of Information Technology who further directs an agency of the government or the intermediary to block the relevant content/website. The rules also provide procedures for blocking access in case of an emergency and in cases where court orders directing the blocking of information have been issued.

Whereas the ideas of sovereign interest and public order are admittedly very broad, there is no clear explanation as to what actions of domain sites/marketplaces such as BuyDomains and sedo.co.uk would be considered to impinge upon either. Neither is there any information available regarding why the DoT considers this to be the case.

Breaking Down Section 66A of the IT Act

by Pranesh Prakash last modified Dec 14, 2012 09:51 AM
Section 66A of the Information Technology Act, which prescribes 'punishment for sending offensive messages through communication service, etc.' is widely held by lawyers and legal academics to be unconstitutional. In this post Pranesh Prakash explores why that section is unconstitutional, how it came to be, the state of the law elsewhere, and how we can move forward.

Back in February 2009 (after the IT Amendment Act, 2008 was hurriedly passed on December 22, 2008 by the Lok Sabha, and a day after by the Rajya Sabha[1] but before it was notified on October 27, 2009) I had written that s.66A is "patently in violation of Art. 19(1)(a) of the Constitution of India":

Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reason for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different from the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

I stand by that analysis. But given that it is quite sparse, in this post I will examine s.66A in detail.

Here's what s. 66A of the IT (Amendment) Act, 2008 states:

66A. Punishment for sending offensive messages through communication service, etc.,
Any person who sends, by means of a computer resource or a communication device,—
(a) any information that is grossly offensive or has menacing character;
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "electronic mail" and "electronic mail message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, images, audio, video and any other electronic record, which may be transmitted with the message.[2]

A large part of s.66A can be traced back to s.10(2) of the UK's Post Office (Amendment) Act, 1935:

If any person —
(a) sends any message by telephone which is grossly offensive or of an indecent, obscene, or menacing character; or
(b) sends any message by telephone, or any telegram, which he knows to be false, for the purpose of causing annoyance, inconvenience, or needless anxiety to any other person; or
(c) persistently makes telephone calls without reasonable cause and for any such purposes as aforesaid;
he shall be liable upon summary conviction to a fine not exceeding ten pounds, or to imprisonment for a term not exceeding one month, or to both such fine and imprisonment.

Section 66A bears a striking resemblance to the three parts of this law from 1935, with clauses (b) and (c) being merged in the Indian law into a single clause (b) of s.66A, with a whole bunch of new "purposes" added. Interestingly, the Indian Post Office Act, 1898, was never amended to add this provision.

The differences between the two are worth exploring.

Term of Punishment

The first major difference is that the maximum term of imprisonment in the 1935 Act is only one month, compared to three years in s.66A of the IT Act. It seems the Indian government decided to subject the prison term to hyper-inflation to cover for the time. If this had happened for the punishment for, say, criminal defamation, then that would have a jail term of up to 72 years!  The current equivalent laws in the UK are the Communications Act, 2003 (s. 127) and the Malicious Communications Act 1988 (s.1) for both of which the penalty is up to 6 months' imprisonment or to a maximum fine of £5000 or both. What's surprising is that in the Information Technology (Amendment) Bill of 2006, the penalty for section 66A was up to 2 years, and it was changed on December 16, 2008 through an amendment moved by Mr. A. Raja (the erstwhile Minister of Communications and IT) to 3 years. Given that parts of s.66A(c) resemble nuisance, it is instructive to note the term of punishment in the Indian Penal Code (IPC) for criminal nuisance: a fine of Rs. 200 with no prison term.

"Sending" vs. "Publishing"

J. Sai Deepak, a lawyer, has made an interesting point that the IT Act uses "send" as part of its wording, and not "publish". Given that, only messages specifically directed at another would be included. While this is an interesting proposition, it cannot be accepted because: (1) even blog posts are "sent", albeit to the blog servers — s.66A doesn't say who it has to be sent to; (2) in the UK the Communications Act 2003 uses similar language and that, unlike the Malicious Communications Act 1988 which says "sends to another person", has been applied to public posts to Twitter, etc.; (3) the explanation to s.66A(c) explicitly uses the word "transmitted", which is far broader than "send", and it would be difficult to reconcile them unless "send" can encompass sending to the publishing intermediary like Twitter.

Part of the narrowing down of s.66A should definitely focus on making it applicable only to directed communication (as is the case with telephones, and with the UK's Malicious Communications Act), and not be applicable to publishing.

Section 66A(c)

Section 66A(c) was also inserted through an amendment moved by Mr. Raja on December 16, 2008, which was passed by the Lok Sabha on December 22, 2008, and a day after by the Rajya Sabha. (The version introduced in Parliament in 2006 had only 66A(a) and (b).) This was done in response to the observation by the Standing Committee on Information Technology that there was no provision for spam. Hence it is clear that this is meant as an anti-spam provision. However, the careless phrasing makes it anything but an anti-spam provision. If instead of "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages" it was "for the purpose of causing annoyance and inconvenience and to deceive and to mislead the addressee or recipient about the origin of such messages", it would have been slightly closer to an anti-spam provision, but even then doesn't have the two core characteristics of spam: that it be unsolicited and that it be sent in bulk. (Whether only commercial messages should be regarded as spam is an open question.) That it arise from a duplicitous origin is not a requirement of spam (and in the UK, for instance, that is only an aggravating factor for what is already a fine-able activity).

Curiously, the definitional problems do not stop there, but extend to the definitions of "electronic mail" and "electronic mail message" in the 'explanation' as well.  Those are so vast that more or less anything communicated electronically is counted as an e-mail, including forms of communication that aren't aimed at particular recipients the way e-mail is.

Hence, the anti-spam provision does not cover spam, but covers everything else. This provision is certainly unconstitutional.

Section 66A(b)

Section 66A(b) has three main elements: (1) that the communication be known to be false; (2) that it be for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will; (3) that it be communicated persistently. The main problem here is, of course, (2). "Annoyance" and "inconvenience", "insult", "ill will" and "hatred" are very different from "injury", "danger", and "criminal intimidation".  That a lawmaker could feel that punishment for purposes this disparate belonged together in a single clause is quite astounding and without parallel (except in the rest of the IT Act). That's akin to having a single provision providing equal punishment for calling someone a moron ("insult") and threatening to kill someone ("criminal intimidation"). While persistent false communications for the purpose of annoying, insulting, inconveniencing, or causing ill will should not be criminalised (if need be, having it as a civil offence would more than suffice), doing so for the purpose of causing danger or criminal intimidation should. However, the question arises whether you need a separate provision in the IT Act for that. Criminal intimidation is already covered by ss. 503 and 506 of the IPC. Similarly, different kinds of causing danger are taken care of in ss.188, 268, 283, 285, 289, and other provisions. Similarly with the other "purposes" listed there, if, for instance, a provision is needed to penalise hoax bomb threats, then the provision clearly should not be mentioning words like "annoyance", and should not be made "persistent". (At any rate, s. 505(1) of the IPC suffices for hoax bomb threats, so you don't need a separate provision in the IT Act).

I would argue that in its current form this provision is unconstitutional, since there is no countervailing interest in criminalising false and persistent "insults", etc., that will allow those parts of this provision to survive the test of 'reasonableness' under Art.19(2). Furthermore, even bits that survive are largely redundant. While this unconstitutionality could be cured by better, narrower wording, even then one would need to ensure that there is no redundancy due to other provisions in other laws.

Section 66A(a)

In s.66A(a), the question immediately arises whether the information that is "grossly offensive" or "menacing" needs to be addressed to someone specific and be seen as "grossly offensive" or "menacing" by that person, or be assessed under a 'reasonable man' test.

Additionally, the term "grossly offensive" will have to be read in such a heightened manner as to not include merely causing offence. The one other place where this phrase is used in Indian law is in s.20(b) of the Indian Post Office Act (prohibiting the sending by post of materials of an indecent, obscene, seditious, scurrilous, threatening, or grossly offensive character). The big difference between s.20(b) of the IPO Act and s.66A of the IT Act is that the former is clearly restricted to one-to-one communication (the way the UK's Malicious Communications Act 1988 is). Reducing the scope of s.66A to direct communications would make it less prone to challenge.

Additionally, in order to ensure constitutionality, courts will have to ensure that "grossly offensive" does not simply end up meaning "offensive", and that the maximum punishment is not disproportionately high as it currently is. Even laws specifically aimed at online bullying, such as the UK's Protection from Harassment Act 1997, can have unintended effects. As George Monbiot notes, the "first three people to be prosecuted under [the Protection from Harassment Act] were all peaceful protesters".

Constitutional Arguments in Importing Laws from the UK

The plain fact is that the Indian Constitution is stronger on free speech grounds than the (unwritten) UK Constitution, and the judiciary has wide powers of judicial review of statutes (i.e., the ability of a court to strike down a law passed by Parliament as 'unconstitutional'). Judicial review of statutes does not exist in the UK (with review under its EU obligations being the exception) as they believe that Parliament is supreme, unlike India. Putting those two aspects together, a law that is valid in the UK might well be unconstitutional in India for failing to fall within the eight octagonal walls of the reasonable restrictions allowed under Art.19(2). That raises the question of how they deal with such broad wording in the UK.

Genealogy of UK Law on Sending 'Indecent', 'Menacing', 'Grossly Offensive' Messages

Quoting from the case of DPP v. Collins [2006] UKHL 40 [6]:

The genealogy of [s. 127(1) of the Communication Act] may be traced back to s.10(2)(a) of the Post Office (Amendment) Act, 1935, which made it an offence to send any message by telephone which is grossly offensive or of an indecent, obscene or menacing character. That subsection was reproduced with no change save of punctuation in s.66(a) of the Post Office Act 1953. It was again reproduced in s.78 of the Post Office Act 1969, save that "by means of a public telecommunication service" was substituted for "by telephone" and "any message" was changed to "a message or other matter". Section 78 was elaborated but substantially repeated in s.49(1)(a) of the British Telecommunications Act 1981 and was re-enacted (save for the substitution of "system" for "service") in s.43(1)(a) of the Telecommunications Act 1984. Section 43(1)(a) was in the same terms as s.127(1)(a) of the 2003 Act, save that it referred to "a public telecommunication system" and not (as in s.127(1)(a)) to a "public electronic communications network". Sections 11(1)(b) o