We are anonymous, we are legion

'Delink ICANN from US jurisdiction'

praskrishna — 2016-11-15T14:16:36Z

Eight Indian civil society organisations involved with internet governance have called for complete delinking of ICANN from US jurisdiction, saying an important global public infrastructure being subject to a single country’s control is unacceptable.

The article was published by Deccan Herald on November 12.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable.

The demand from Bengaluru-based Centre for Internet and Society and IT for Change as well as Delhi-based Software Freedom Law Centre among others came against the backdrop of ICANN’s meeting in Hyderabad that ended on Wednesday.

The other organisations involved in the campaign are Free Software Movement of India (Hyderabad), Society for Knowledge Commons, Digital Empowerment Foundation, Delhi Science Forum and Third World Network (all in New Delhi).

“Urgent steps (should) be taken to transit ICANN from its current US jurisdiction. Only then can ICANN become a truly global organisation . We would like to make it clear that our objection is not directed particularly against the US, we are simply against an important global public infrastructure being subject to a single country’s jurisdiction,” a joint statement said.

Though the US has given up its role of signing entries to the Internet’s root zone file, which represents the addressing system for the global Internet, the groups said, the organisation that manages ICANN continues to be under US jurisdiction and hence subject to its courts, legislature and executive agencies.

“Keeping such an important global public infrastructure under US jurisdiction is expected to become a very problematic means of extending US laws and policies across the world,” the statement said.

Explaining the issue, it said country domain names like .br and .ph remain subject to US jurisdiction.

“Iran’s .ir was recently sought to be seized by some US private parties because of alleged Iranian support to terrorism. Although the plea was turned down, another court in another case may decide otherwise. Other countries cannot feel comfortable to have at the core of the Internet’s addressing system an organisation that can be dictated by one government,” the statement said.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-12-2016-delink-icann-from-us-jurisdiction

Google, Facebook will not place ads on sites distributing fake news

praskrishna — 2016-11-15T13:59:40Z

Google plans to update its AdSense program policies to prevent placement of its ads on sites distributing fake news.

The article by John Riberio originally published by IDG News Service was mirrored on CIO on November 14, 2016. Pranesh Prakash was quoted.

Facebook also said Monday it had updated the policy for its Audience Network, which places ads on websites and mobile apps, to explicitly clarify that it applies to fake news.

“In accordance with the Audience Network Policy, we do not integrate or display ads in apps or sites containing content that is illegal, misleading or deceptive, which includes fake news,” Facebook said in a statement. The company said its team will continue to closely vet all prospective publishers and monitor existing ones to ensure compliance.

False news stories have become a sore point after the U.S. presidential elections with critics blaming internet companies like Twitter and Facebook for having had an influence on the outcome of the elections as a result of the fake content.

The controversy also reflects concerns about the growing power of social networks to influence people and events, as well as help people to communicate and organize. Facebook promotes democracy by letting candidates communicate directly with people, Facebook CEO Mark Zuckerberg said recently in an interview.

Google had its own embarrassing moments on Sunday with a false story that claimed that President-elect Donald Trump had won the popular vote in the U.S. presidential elections figuring atop some Google search results. Trump’s Democratic rival Hillary Clinton is leading in the popular vote.

“We've been working on an update to our publisher policies and will start prohibiting Google ads from being placed on misrepresentative content, just as we disallow misrepresentation in our ads policies,” Google said Monday in a statement. “Moving forward, we will restrict ad serving on pages that misrepresent, misstate, or conceal information about the publisher, the publisher's content, or the primary purpose of the web property.”

Google evidently expects that the threat of a cut in revenue from ads will dissuade sites from publishing fake content.

Zuckerberg has described as “crazy” the criticism that fake news on Facebook's news feed had influenced the vote in favor of Trump. “Of all the content on Facebook, more than 99% of what people see is authentic. Only a very small amount is fake news and hoaxes,” Zuckerberg said in a post over the weekend. The hoaxes are not limited to one partisan view, or even to politics, he added.

Identifying the "truth" is complicated, as while some hoaxes can be clearly identified, a greater amount of content, including from mainstream sources, often gets the basic idea right but some details wrong or omitted, or expresses a view that some people will disagree with and flag as incorrect even when it is factual, Zuckerberg wrote.

There are concerns that the monitoring of sites for fake news and the penalties could give internet companies more power. "We have to be wary of Facebook and Google being allowed to decide what's 'fake' and what's 'true' news. That only increases their power," said Pranesh Prakash, policy director at the Centre for Internet & Society in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/cio-november-14-2016-john-riberio-google-facebook-will-not-place-ads-on-sites-distributing-fake-news

Big Data in India: Benefits, Harms, and Human Rights - Workshop Report

Vidushi Marda, Akash Deep Singh and Geethanjali Jujjavarapu — 2016-11-18T12:58:19Z

The Centre for Internet and Society held a one-day workshop on “Big Data in India: Benefits, Harms and Human Rights” at India Habitat Centre, New Delhi on the 1st of October, 2016. This report is a compilation of the the issues discussed, ideas exchanged and challenges recognized during the workshop. The objective of the workshop was to discuss aspects of big data technologies in terms of harms, opportunities and human rights. The discussion was designed around an extensive study of current and potential future uses of big data for governance in India, that CIS has undertaken over the last year with support from the MacArthur Foundation.

Contents

Big Data: Definitions and Global South Perspectives

Aadhaar as Big Data

Seeding

Aadhaar and Data Security

Aadhaar’s Relational Arrangement with Big Data Scheme

The Myths surrounding Aadhaar

IndiaStack and FinTech Apps

Problems with UID

Big Data: Definitions and Global South Perspectives

“Big Data” has been defined by multiple scholars till date. The first consideration at the workshop was to discuss various definitions of big data, and also to understand what could be considered Big Data in terms of governance, especially in the absence of academic consensus. One of the most basic ways to define it, as given by the National Institute of Standards and Technology, USA, is to take it to be the data that is beyond the computational capacity of current systems. This definition has been accepted by the UIDAI of India. Another participant pointed out that Big Data is not only indicative of size, but rather the nature of data which is unstructured, and continuously flowing. The Gartner definition of Big Data relies on the three Vs i.e. Volume (size), Velocity (infinite number of ways in which data is being continuously collected) and Variety (the number of ways in which data can be collected in rows and columns).

The presentation also looked at ways in which Big Data is different from traditional data. It was pointed out that it can accommodate diverse unstructured datasets, and it is ‘relational’ i.e. it needs the presence of common field(s) across datasets which allows these fields to be conjoined. For e.g., the UID in India is being linked to many different datasets, and they don’t constitute Big Data separately, but do so together. An increasingly popular definition is to define data as “Big Data” based on what can be achieved through it. It has been described by authors as the ability to harness new kinds of insight which can inform decision making. It was pointed out that CIS does not subscribe to any particular definition, and is still in the process of coming up with a comprehensive definition of Big Data.

Further, discussion touched upon the approach to Big Data in the Global South. It was pointed out that most discussions about Big Data in the Global South are about the kind of value that it can have, the ways in which it can change our society. The Global North, on the other hand, has moved on to discussing the ethics and privacy issues associated with Big Data.

After this, the presentation focussed on case studies surrounding key Central Government initiatives and projects like Aadhaar, Predictive Policing, and Financial Technology (FinTech).

Aadhaar as Big Data

In presenting CIS’ case study on Aadhaar, it was pointed out that initially, Aadhaar, with its enrollment dataset was by itself being seen as Big Data. However, upon careful consideration in light of definitions discussed above, it can be seen as something that enables Big Data. The different e-governance projects within Digital India, along with Aadhaar, constitute Big Data. The case study discussed the Big Data implications of Aadhaar, and in particular looked at a ‘cradle to grave’ identity mapping through various e-government projects and the datafication of various transaction generated data.

Seeding

Any digital identity like Aadhaar typically has three features: 1. Identification i.e. a number or card used to identify yourself; 2. Authentication, which is based on your number or card and any other digital attributes that you might have; 3. Authorisation: As bearers of the digital identity, we can authorise the service providers to take some steps on our behalf. The case study discussed ‘seeding’ which enables the Big Data aspects of Digital India. In the process of seeding, different government databases can be seeded with the UID number using a platform called Ginger. Due to this, other databases can be connected to UIDAI, and through it, data from other databases can be queried by using your Aadhaar identity itself. This is an example of relationality, where fractured data is being brought together. At the moment, it is not clear whether this access by UIDAI means that an actual physical copy of such data from various sources will be transferred to UIDAI’s servers or if they will just access it through internet, but the data remains on the host government agency’s server. An example of even private parties becoming a part of this infrastructure was raised by a participant when it was pointed out that Reliance Jio is now asking for fingerprints. This can then be connected to the relational infrastructure being created by UIDAI. The discussion then focused on how such a structure will function, where it was mentioned that as of now, it cannot be said with certainty that UIDAI will be the agency managing this relational infrastructure in the long run, even though it is the one building it.

Aadhaar and Data Security

This case study also dealt with the sheer lack of data protection legislation in India except for S.43A of the IT Act. The section does not provide adequate protection as the constitutionality of the rules and regulations under S.43A is ambivalent. More importantly, it only refers to private bodies. Hence, any seeding which is being done by the government is outside the scope of data protection legislation. Thus, at the moment, no legal framework covers the processes and the structures being used for datasets. Due to the inapplicability of S.43A to public bodies, questions were raised as to the existence of a comprehensive data protection policy for government institutions. Participants answered the question in the negative. They pointed out that if any government department starts collecting data, they develop their own privacy policy. There are no set guidelines for such policies and they do not address concerns related to consent, data minimisation and purpose limitation at all. Questions were also raised about the access and control over Big Data with government institutions. A tentative answer from a participant was that such data will remain under the control of the domain specific government ministry or department, for e.g. MNREGA data with the Ministry of Rural Development, because the focus is not on data centralisation but rather on data linking. As long as such fractured data is linked and there is an agency that is responsible to link them, this data can be brought together. Such data is primarily for government agencies. But the government is opening up certain aspects of the data present with it for public consumption for research and entrepreneurial purposes.The UIDAI provides you access to your own data after paying a minimal fee. The procedure for such access is still developing.

Aadhaar’s Relational Arrangement with Big Data Scheme

The various Digital India schemes brought in by the government were elucidated during the workshop. It was pointed out that these schemes extend to myriad aspects of a citizen’s daily life and cover all the essential public services like health, education etc. This makes Aadhaar imperative even though the Supreme Court has observed that it is not mandatory for every citizen to have a unique identity number. The benefits of such identity mapping and the ecosystem being generated by it was also enumerated during the discourse. But the complete absence of any data ethics or data confidentiality principles make us unaware of the costs at which these benefits are being conferred on us. Apart from surveillance concerns, the knowledge gap being created between the citizens and the government was also flagged. Three main benefits touted to be provided by Aadhaar were then analysed. The first is the efficient delivery of services. This appears to be an overblown claim as the Aadhaar specific digitisation and automation does not affect the way in which employment will be provided to citizens through MNREGA or how wage payment delays will be overcome. These are administrative problems that Aadhaar and associated technologies cannot solve. The second is convenience to the citizens. The fallacies in this assertion were also brought out and identified. Before the Aadhaar scheme was rolled in, ration cards were issued based on certain exclusion and inclusion criteria.. The exclusion and inclusion criteria remain the same while another hurdle in the form of Aadhaar has been created. As India is still lacking in supporting infrastructure such as electricity, server connectivity among other things, Aadhaar is acting as a barrier rather than making it convenient for citizens to enroll in such schemes.The third benefit is fraud management. Here, a participant pointed out that this benefit was due to digitisation in the form of GPS chips in food delivery trucks and electronic payment and not the relational nature of Aadhaar. Aadhaar is only concerned with the linking up or relational part. About deduplication, it was pointed out how various government agencies have tackled it quite successfully by using technology different from biometrics which is unreliable at the best of times.

The Myths surrounding Aadhaar

The discussion also reflected on the fact that Aadhaar is often considered to be a panacea that subsumes all kinds of technologies to tackle leakages. However, this does not take into account the fact that leakages happen in many ways. A system should have been built to tackle those specific kinds of leakages, but the focus is solely on Aadhaar as the cure for all. Notably, participants who have been a part of the government pointed out how this myth is misleading and should instead be seen as the first step towards a more digitally enhanced country which is combining different technologies through one medium.

IndiaStack and FinTech Apps

What is India Stack?

The focus then shifted to another extremely important Big Data project, India Stack, being conceptualised and developed by a team of private developers called iStack, for the NPCI. It builds on the UID project, Jan Dhan Yojana and mobile services trinity to propagate and develop a cashless, presence-less, paperless and granular consent layer based on UID infrastructure to digitise India.

A participant pointed out that the idea of India Stack is to use UID as a platform and keep stacking things on it, such that more and more applications are developed. This in turn will help us to move from being a ‘data poor’ country to a ‘data rich’ one. The economic benefits of this data though as evidenced from the TAGUP report - a report about the creation of National Information Utilities to manage the data that is present with the government - is for the corporations and not the common man. The TAGUP report openly talks about privatisation of data.

Problems with India Stack

The granular consent layer of India Stack hasn’t been developed yet but they have proposed to base it on MIT Media Lab’s OpenPDS system. The idea being that, on the basis of the choices made by the concerned person, access to a person’s personal information may be granted to an agency like a bank. What is more revolutionary is that India Stack might even revoke this access if the concerned person expresses a wish to do so or the surrounding circumstances signal to India Stack that it will be prudent to do so. It should be pointed out that the the technology required for OpenPDS is extremely complex and is not available in India. Moreover, it’s not clear how this system would work. Apart from this, even the paperless layer has its faults and has been criticised by many since its inception, because an actual government signed and stamped paper has been the basis of a claim.. In the paperless system, you are provided a Digilocker in which all your papers are stored electronically, on the basis of your UID number. However, it was brought to light that this doesn’t take into account those who either do not want a Digilocker or UID number or cases where they do not have access to their digital records. How in such cases will people make claims?

A Digital Post-Dated Cheque: It’s Ramifications

A key change that FinTech apps and the surrounding ecosystem want to make is to create a digital post-dated cheque so as to allow individuals to get loans from their mobiles especially in remote areas. This will potentially cut out the need to construct new banks, thus reducing the capital expenditure , while at the same time allowing the credit services to grow. The direct transfer of money between UID numbers without the involvement of banks is a step to further help this ecosystem grow. Once an individual consents to such a system, however, automatic transfer of money from one’s bank accounts will be affected, regardless of the reason for payment. This is different from auto debt deductions done by banks presently, as in the present system banks have other forms of collateral as well. The automatic deduction now is only affected if these other forms are defaulted upon. There is no knowledge as to whether this consent will be reversible or irreversible. As Jan Dhan Yojana accounts are zero balance accounts, the account holder will be bled dry. The implication of schemes such as “Loan in under 8 minutes” were also discussed. The advantage of such schemes is that transaction costs are reduced.The financial institution can thus grant loans for the minimum amount without any additional enquiries. It was pointed out that this new system is based on living on future income much like the US housing bubble crash. Interestingly, in Public Distribution Systems, biometrics are insisted upon even though it disrupts the system. This can be seen as a part of the larger infrastructure to ensure that digital post-dated cheques become a success.

The Role of FinTech Apps

FinTech ‘apps’ are being presented with the aim of propagating financial inclusion. The Technology Advisory Group for Unique Projects report stated that as managing such information sources is a big task, just like electricity utilities, a National Information Utilities (NIU) should be set up for data sources. These NIUs as per the report will follow a fee based model where they will be charging for their services for government schemes. The report identified two key NIUs namely the National Payments Corporation of India (NPCI) and the Goods and Services Tax Network (GSTN). The key usage that FinTech applications will serve is credit scoring. The traditional credit scoring data sources only comprised a thin file of records for an individual, but the data that FinTech apps collect - a person’s UID number, mobile number. and bank account number all linked up, allow for a far more comprehensive credit rating. Government departments are willing to share this data with FinTech apps as they are getting analysis in return. Thus, by using UID and the varied data sources that have been linked together by UID, a ‘thick file’ is now being created by FinTech apps. Banking apps have not yet gone down the route of FinTech apps to utilise Big Data for credit scoring purposes.

The two main problems with such apps is that there is no uniform way of credit scoring. This distorts the rate at which a person has to pay interest. The consent layer adds another layer of complication as refusal to share mobile data with a FinTech app may lead to the app declaring one to be a risky investment thus, subjecting that individual to a higher rate of interest .

Regulation of FinTech Apps and the UID Infrastructure

India Stack and the applications that are being built on it, generate a lot of transaction metadata that is very intimate in nature. The privacy aspects of the UID legislation doesn't cover such data. The granular consent layer which has been touted to cover this still has to come into existence. Also, Big Data is based on sharing and linking of data. Here, privacy concerns and Big Data objectives clash. Big Data by its very nature challenges privacy principles like data minimisation and purpose limitation.The need for regulation to cover the various new apps and infrastructure which are being developed was pointed out.

Problems with UID

It has been observed that any problem present with Aadhaar is usually labelled as a teething problem, it’s claimed that it will be solved in the next 10 years. But, this begs the question - why is the system online right now?

Aadhaar is essentially a new data condition and a new exclusion or inclusion criteria. Data exclusion modalities as observed in Rajasthan after the introduction of biometric Point of Service (POS) machines at ration shops was found to be 45% of the population availing PDS services. This number also includes those who were excluded from the database by being included in the wrong dataset. There is no information present to tell us how many actual duplicates and how many genuine ration card holders were weeded out/excluded by POS.

It was also mentioned that any attempt to question Aadhaar is considered to be an attempt to go back to the manual system and this binary thinking needs to change. Big Data has the potential to benefit people, as has been evidenced by the scholarship and pension portals. However, Big Data’s problems arise in systems like PDS, where there is centralised exclusion at the level of the cloud. Moreover, the quantity problem present in the PDS and MNREGA systems persists. There is still the possibility of getting lesser grains and salary even with analysis of biometrics, hence proving that there are better technologies to tackle these problems. Presently, the accountability mechanisms are being weakened as the poor don’t know where to go to for redressal. Moreover, the mechanisms to check whether the people excluded are duplicates or not is not there. At the time of UID enrollment, out of 90 crores, 9 crore were rejected. There was no feedback or follow-up mechanism to figure out why are people being rejected. It was just assumed that they might have been duplicates.

Another problem is the rolling out of software without checking for inefficiencies or problems at a beta testing phase. The control of developers over this software, is so massive that it can be changed so easily without any accountability.. The decision making components of the software are all proprietary like in the the de-duplication algorithm being used by the UIDAI. Thus, this leads to a loss of accountability because the system itself is in flux, none of it is present in public domain and there are no means to analyse it in a transparent fashion..

These schemes are also being pushed through due to database politics. On a field study of NPR of citizens, another Big Data scheme, it was found that you are assumed to be an alien if you did not have the documents to prove that you are a citizen. Hence, unless you fulfill certain conditions of a database, you are excluded and are not eligible for the benefits that being on the database afford you.

Why is the private sector pushing for UIDAI and the surrounding ecosystem?

Financial institutions stand to gain from encouraging the UID as it encourages the credit culture and reduces transaction costs.. Another advantage for the private sector is perhaps the more obvious one, that is allows for efficient marketing of products and services..

The above mentioned fears and challenges were actually observed on the ground and the same was shown through the medium of a case study in West Bengal on the smart meters being installed there by the state electricity utility. While the data coming in from these smart meters is being used to ensure that a more efficient system is developed,it is also being used as a surrogate for income mapping on the basis of electricity bills being paid. This helps companies profile neighbourhoods. The technical officer who first receives that data has complete control over it and he can easily misuse the data. This case study again shows that instruments like Aadhaar and India Stack are limited in their application and aren’t the panacea that they are portrayed to be.

A participant pointed out that in the light of the above discussions, the aim appears to be to get all kinds of data, through any source, and once you have gotten the UID, you link all of this data to the UID number, and then use it in all the corporate schemes that are being started. Most of the problems associated with Big Data are being described as teething problems. The India Stack and FinTech scheme is coming in when we already know about the problems being faced by UID. The same problems will be faced by India Stack as well.

Can you opt out of the Aadhaar system and the surrounding ecosystem?

The discussion then turned towards whether there can be voluntary opting out from Aadhaar. It was pointed out that the government has stated that you cannot opt out of Aadhaar. Further, the privacy principles in the UIDAI bill are ambiguously worded where individuals only have recourse for basic things like correction of your personal information. The enforcement mechanism present in the UIDAI Act is also severely deficient. There is no notification procedure if a data breach occurs. . The appellate body ‘Cyber Appellate Tribunal’ has not been set up in three years.

CCTNS: Big Data and its Predictive Uses

What is Predictive Policing?

The next big Big Data case study was on the Crime and Criminal Tracking Network & Systems (CCTNS). Originally it was supposed to be a digitisation and interconnection scheme where police records would be digitised and police stations across the length and breadth of the country would be interconnected. But, in the last few years some police departments of states like Chandigarh, Delhi and Jharkhand have mooted the idea of moving on to predictive policing techniques. It envisages the use of existing statistical and actuarial techniques along with many other tropes of data to do so. It works in four ways: 1. By predicting the place and time where crimes might occur; 2. To predict potential future offenders; 3. To create profiles of past crimes in order to predict future crimes; 4. Predicting groups of individuals who are likely to be victims of future crimes.

How is Predictive Policing done?

To achieve this, the following process is followed: 1. Data collection from various sources which includes structured data like FIRs and unstructured data like call detail records, neighbourhood data, crime seasonal patterns etc. 2. Analysis by using theories like the near repeat theory, regression models on the basis of risk factors etc. 3. Intervention

Flaws in Predictive Policing and questions of bias

An obvious weak point in the system is that if the initial data going into the system is wrong or biased, the analysis will also be wrong. Efforts are being made to detect such biases. An important way to do so will be by building data collection practices into the system that protect its accuracy. The historical data being entered into the system is carrying on the prejudices inherited from the British Raj and biases based on religion, caste, socio-economic background etc.

One participant brought about the issue of data digitization in police stations, and the impact of this haphazard, unreliable data on a Big Data system. This coupled with paucity of data is bound to lead to arbitrary results. An effective example was that of black neighbourhoods in the USA. These are considered problematic and thus they are policed more, leading to a higher crime rate as they are arrested for doing things that white people in an affluent neighbourhood get away with. This in turn further perpetuates the crime rate and it becomes a self-fulfilling prophecy. In India, such a phenomenon might easily develop in the case of migrants, de-notified tribes, Muslims etc. A counter-view on bias and discrimination was offered here. One participant pointed out that problems with haphazard or poor quality of data is not a colossal issue as private companies are willing to fill this void and are actually doing so in exchange for access to this raw data. It was also pointed out how bias by itself is being used as an all encompassing term. There are multiplicities of biases and while analysing the data, care should be taken to keep it in mind that one person’s bias and analysis might and usually does differ from another. Even after a computer has analysed the data, the data still falls into human hands for implementation.

The issue of such databases being used to target particular communities on the basis of religion, race, caste, ethnicity among other parameters was raised. Questions about control and analysis of data were also discussed, i.e. whether it will be top-down with data analysis being done in state capitals or will this analysis be done at village and thana levels as well too. It was discussed as topointed out how this could play a major role in the success and possible persecutory treatment of citizens, as the policemen at both these levels will have different perceptions of what the data is saying. . It was further pointed out, that at the moment, there’s no clarity on the mode of implementation of Big Data policing systems. Police in the USA have been seen to rely on Big Data so much that they have been seen to become ‘data myopic’. For those who are on the bad side of Big Data, in the Indian context, laws like preventive detention can be heavily misused.There’s a very high chance that predictive policing due to the inherent biases in the system and the prejudices and inefficiency of the legal system will further suppress the already targeted sections of the society. A counterpoint was raised and it was suggested that contrary to our fears, CCTNS might lead to changes in our understanding and help us to overcome longstanding biases.

Open Knowledge Architecture as a solution to Big Data biases?

The conference then mulled over the use of ‘Open Knowledge’ architecture to see whether it can provide the solution to rid Big Data of its biases and inaccuracies if enough eyes are there. It was pointed out that Open Knowledge itself can’t provide foolproof protection against these biases as the people who make up the eyes themselves are predominantly male belonging to the affluent sections of the society and they themselves suffer from these biases.

Who exactly is Big Data supposed to serve?

The discussion also looked at questions such as who is this data for? Janata Information System (JIS), is a concept developed by MKSS where the data collected and generated by the government is taken to be for the common citizens. For e.g. MNREGA data should be used to serve the purposes of the labourers. The raw data as is available at the moment, usually cannot be used by the common man as it is so vast and full of information that is not useful for them at all. It was pointed out that while using Big Data for policy planning purposes, the actual string of information that turned out to be needed was very little but the task of unravelling this data for civil society purposes is humongous. By presenting the data in the right manner, the individual can be empowered. The importance of data presentation was also flagged. It was agreed upon that the content of the data should be for the labourer and not a MNC, as the MNC has the capability to utilise the raw data on it’s own regardless.

Concerns about Big Data usage

Participants pointed out that privacy concerns are usually brushed under the table due to a belief that the law is sufficient or that the privacy battle has already been lost.
In the absence of knowledge of domain and context, Big Data analysis is quite limited. Big Data’s accuracy and potential to solve problems needs to be factually backed.
The narrative of Big Data often rests on the assumption that descriptive statistics take over inferential statistics, thus eliminating the need for domain specific knowledge. It is claimed that the data is so big that it will describe everything that we need to know.
Big Data is creating a shift from a deductive model of scientific rigour to an inductive one. In response to this, a participant offered the idea that troves of good data allow us to make informed questions on the basis of which the deductive model will be formed. A hybrid approach combining both deductive and inductive might serve us best.
The need to collect the right data in the correct format, in the right place was also expressed.

Potential Research Questions & Participants’ Areas of Research

Following this discussion, participants brainstormed to come up with potential areas of research and research questions. They have been captured below:

Big Data, Aadhaar and India Stack:

Has Aadhaar been able to tackle illegal ways of claiming services or are local negotiations and other methods still prevalent?
Is the consent layer of India Stack being developed in a way that provides an opportunity to the UID user to give informed consent? The OpenPDS and its counterpart in the EU i.e. the My Data Structure were designed for countries with strong privacy laws. Importantly, they were meant for information shared on social media and not for an individual’s health or credit history. India is using it in a completely different sphere without strong data protection laws. What were the granular consent layer structures present in the West designed for and what were they supposed to protect?
The question of ownership of data needs to be studied especially in context of a globalised world where MNCs are collecting copious amounts of data of Indian citizens. What is the interaction of private parties in this regard?

Big Data and Predictive Policing:

How are inequalities being created through the Big Data systems? Lessons should be taken from the Western experience with the advent of predictive policing and other big data techniques - they tend to lead to perpetuation of the current biases which are already ingrained in the system.
It was also pointed out how while studying these topics and anything related to technology generally, we become aware of a divide that is present between the computational sciences and social sciences. This divide needs to be erased if Big Data or any kind of data is to be used efficiently. There should be a cross-pollination between different groups of academics. An example of this can be seen to be the ‘computational social sciences departments’ that have been coming up in the last 3-4 years.
Why are so many interim promises made by Big Data failing? A study of this phenomenon needs to be done from a social science perspective. This will allow one to look at it from a different angle.

Studying Big Data:

What is the historical context of the terms of reference being used for Big Data? The current Big Data debate in India is based on parameters set by the West. For better understanding of Big Data, it was suggested that P.C. Mahalanobis’ experience while conducting the Indian census, (which was the Big Data of that time) can be looked at to get a historical perspective on Big Data. This comparison might allow us to discover questions that are important in the Indian context. It was also suggested that rather than using ‘Big Data’ as a catchphrase to describe these new technological innovations, we need to be more discerning.
What are the ideological aspects that must be considered while studying Big Data? What does the dialectical promise of technology mean? It was contended that every time there is a shift in technology, the zeitgeist of that period is extremely excited and there are claims that it will solve everything. There’s a need to study this dialectical promise and the social promise surrounding it.
Apart from the legitimate fears that Big Data might lead to exclusion, what are the possibilities in which it improve inclusion too?
The diminishing barrier between the public and private self, which is a tangent to the larger public-private debate was mentioned.
How does one distinguish between technology failure and process failure while studying Big Data?

Big Data: A Friend?

In the concluding session, the fact that the Big Data moment cannot be wished away was acknowledged. The use of analytics and predictive modelling by the private sector is now commonplace and India has made a move towards a database state through UID and Digital India. The need for a nuanced debate, that does away with the false equivalence of being either a Big Data enthusiast or a luddite is crucial.

A participant offered two approaches to solving a Big Data problem. The first was the Big Data due process framework which states that if a decision has been taken that impacts the rights of a citizen, it needs to be cross examined. The efficacy and practicality of such an approach is still not clear. The second, slightly paternalistic in nature, was the approach where Big Data problems would be solved at the data science level itself. This is much like the affirmative algorithmic approach which says that if in a particular dataset, the data for the minority community is not available then it should be artificially introduced in the dataset. It was also suggested that carefully calibrated free market competition can be used to regulate Big Data. For e.g. a private personal wallet company that charges higher, but does not share your data at all can be an example of such competition.

Another important observation was the need to understand Big Data in a Global South context and account for unique challenges that arise. While the convenience of Big Data is promising, its actual manifestation depends on externalities like connectivity, accurate and adequate data etc that must be studied in the Global South.

While the promises of Big Data are encouraging, it is also important to examine its impacts and its interaction with people's rights. Regulatory solutions to mitigate the harms of big data while also reaping its benefits need to evolve.

For more details visit https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

How Workstream 2 Plans to Improve ICANN's Transparency

Asvatha Babu — 2016-11-11T10:05:04Z

The Centre for Internet and Society has worked extensively on ICANN’s transparency policies. We are perhaps the single largest users of the Documentary Information Disclosure Policy. Our goal in doing so is not to be a thorn in ICANN’s side, but to try and ensure that ICANN, the organisation, as well as the ICANN community have access to the data required to carry out the task of regulating the global domain name system.

The transparency subgroup of ICANN’s Workstream 2 dialogue attempts to see how they could effectively improve the transparency and accountability of the organization. The main document under scrutiny at the moment is the draft Transparency Report published a few days before the 57th ICANN meeting in Hyderabad.

The report begins with an acknowledgement of the value of taking tips from the Right to Information policies of other institutions and governments. My colleague Padmini Baruah had earlier written a blog post comparing the exclusion policy of ICANN’s DIDP and the Indian Government’s RTI where she found that “the net cast by the DIDP exclusions policy is more vast than even than that of a democratic state’s transparency law.”[1] The WS2 report not only discusses the DIDP process, but also discusses ICANN’s proactive disclosures (with regard to lobbying etc) and whistleblower policies. This article focuses solely on the first.

As our earlier blog posts have mentioned, CIS sent in 28 DIDP requests over the last two years. Our experience with DIDP has been less than satisfactory and we are pleased that DIDP reform was an important part of the discussions of this subgroup. The report proposes some concrete structural changes to the DIDP process but skirts around some of the more controversial ones.

The recommendation to make the process of submitting requests clearer is a good one. There are currently no instructions on the follow-up process or what ICANN requires of the requestors. The report also recommends capping any extension to the original 30-day limit to an additional 30 days. While this is good, we further recommend that ICANN stay in touch with the requestor in order to help them to the best of its ability. The correspondence should ideally not be limited to a notification that they require an extension. Any clarifications on the part of the requestor must be resolved by ICANN. We commend the report for pointing out that the status quo – where there is no outside limit for extension of time beyond the mandated 30 days – is problematic as it allows the ICANN staff to give lesser priority to responding to DIDP requests. We strongly suggest that extensions of time on responding to DIDP requests be restricted to a maximum of 7 days after the passing of the 30-day period, after which liability should be strictly imposed on ICANN in the form of an individual fine, analogous to India’s RTI policy.[2]

One of the major areas of focus for this report and for our earlier analysis was the problematic nature of the exclusions to the DIDP. I had written that the conditions were "numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain.”[3] This is echoed by the report which calls for a deletion of two clauses that we found most used in denying our requests for information.

The report also calls into question the subjective nature of the last condition which states that ICANN can deny information if they find requests “not reasonable, excessive or overly burdensome, not feasible, abusive or vexatious or made by a vexatious or querulous individual.” As seen from our blog posts, we are of the firm belief that such a subjective condition has no place in a robust information disclosure policy. Requiring the Ombudsman’s consent to invoke it is a good first step. In addition to that, we strongly encourage that objective guidelines which specify when a requestor is considered “vexatious” be drawn up and made public.

The most disappointing aspect of this report is that it does not delve into details about having an independent party dedicated to reviewing the DIDP process to address grievances. We believe that this must not be left to the Ombudsman who cannot devote all their time to this process. We are of the opinion that an independent party would also be able to more effectively oversee the tracking and periodic review of the DIDP mechanism.

In conclusion, we believe that this report is a good start but does not comprehensively answer all of our issues with the DIDP process as it is. We look forward to more engagement with the Transparency subgroup to close all loopholes within the DIDP process.

[1] Padmini Baruah, Peering behind the veil of ICANN’s DIDP, (September 21, 2015), available at http://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icann2019s-didp (Last visited on November 9, 2016).

[2] Section 20(1), Right to Information Act, 2005.

[3] Asvatha Babu, If the DIDP Did Its Job, (November 3, 2016), available at http://cis-india.org/internet-governance/blog/if-the-didp-did-its-job (Last Visited on November 9, 2016).

For more details visit https://cis-india.org/internet-governance/blog/how-workstream-2-plans-to-improve-icanns-transparency

Internet's Core Resources are a Global Public Good - They Cannot Remain Subject to One Country's Jurisdiction

vidushi — 2016-11-14T06:39:52Z

This statement was issued by 8 India civil society organizations, supported by 2 key global networks, involved with internet governance issues, to the meeting of ICANN in Hyderabad, India from 3 to 9 November 2016. The Centre for Internet & Society was one of the 8 organizations that drafted this statement.

Recently, the US gave up its role of signing entries to the Internet's root zone file, which represents the addressing system for the global Internet. This is about the Internet addresses that end with .com, .net, and so on, and the numbers associated with each of them that help us navigate the Internet. We thank and congratulate the US government for taking this important step in the right direction. However, the organisation that manages this system, ICANN,[1] a US non-profit, continues to be under US jurisdiction, and hence subject to its courts, legislature and executive agencies. Keeping such an important global public infrastructure under US jurisdiction is expected to become a very problematic means of extending US laws and policies across the world.

We the undersigned therefore appeal that urgent steps be taken to transit ICANN from its current US jurisdiction. Only then can ICANN become a truly global organisation.[2] We would like to make it clear that our objection is not directed particularly against the US; we are simply against an important global public infrastructure being subject to a single country's jurisdiction.

Domain name system as a key lever of global control
A few new top level domains like .xxx and .africa are already under litigation in the US, whereby there is every chance that its law could interfere with ICANN's (global) policy decisions. Businesses in different parts of the world seeking top level domain names like .Amazon, and, hypothetically, .Ghaniancompany, will have to be mindful of de facto extension of US jurisdiction over them. US agencies can nullify the allocation of such top level domain names, causing damage to a business similar to that of losing a trade name, plus losing all the 'connections', including email based ones, linked to that domain name. For instance, consider the risks that an Indian generic drugs company, say with a top level domain, .genericdrugs, will remain exposed to.

Sector specific top level domain names like .insurance, health, .transport, and so on, are emerging, with clear rules for inclusion-exclusion. These can become de facto global regulatory rules for that sector. .Pharmacy has been allocated to a US pharmaceutical group which decides who gets domain names under it. Public advocacy groups have protested [3] that these rules will be employed to impose drugs-related US intellectual property standards globally. Similar problematic possibilities can be imagined in other sectors; ICANN could set “safety standards”, as per US law, for obtaining .car.

Country domain names like .br and .ph remain subject to US jurisdiction. Iran's .ir was recently sought to be seized by some US private parties because of alleged Iranian support to terrorism. Although the plea was turned down, another court in another case may decide otherwise. With the 'Internet of Things', almost everything, including critical infrastructure, in every country will be on the network. Other countries cannot feel comfortable to have at the core of the Internet’s addressing system an organisation that can be dictated by one government.

ICANN must become a truly global body
Eleven years ago, in 2005, the Civil Society Internet Governance Caucus at the World Summit on the Information Society demanded that ICANN should “negotiate an appropriate host country agreement to replace its California Incorporation”.

A process is currently under-way within ICANN to consider the jurisdiction issue. It is important that this process provides recommendations that will enable ICANN to become a truly global body, for appropriate governance of very important global public goods.

Below are some options, and there could be others, that are available for ICANN to transit from US jurisdiction.

ICANN can get incorporated under international law. Any such agreement should make ICANN an international (not intergovernmental) body, fully preserving current ICANN functions and processes. This does not mean instituting intergovernmental oversight over ICANN.
ICANN can move core internet operators among multiple jurisdictions, i.e. ICANN (policy body for Internet identifiers), PTI [4] (the operational body) and the Root Zone Maintainer must be spread across multiple jurisdictions. With three different jurisdictions over these complementary functions, the possibility of any single one being fruitfully able to interfere in ICANN's global governance role will be minimized.
ICANN can institute a fundamental bylaw that its global governance processes will brook no interference from US jurisdiction. If any such interference is encountered, parameters of which can be clearly pre-defined, a process of shifting of ICANN to another jurisdiction will automatically set in. A full set-up – with registered HQ, root file maintenance system, etc – will be kept ready as a redundancy in another jurisdiction for this purpose. [5] Chances are overwhelming that given the existence of this bylaw, and a fully workable exit option being kept ready at hand, no US state agency, including its courts, will consider it meaningful to try and enforce its writ. This arrangement could therefore act in perpetuity as a guarantee against jurisdictional interference without actually having ICANN to move out of the US.
The US government can give ICANN jurisdictional immunity under the United States International Organisations Immunities Act . There is precedent of US giving such immunity to non-profit organisations like ICANN. [6] Such immunity must be designed in such a way that still ensures ICANN's accountability to the global community, protecting the community's enforcement power and mechanisms. Such immunity extends only to application of public law of the US on ICANN decisions and not private law as chosen by any contracting parties. US registries/registrars, with the assent of ICANN, can choose the jurisdiction of any state of the US for adjudicating their contracts with ICANN. Similarly, registries/registrars from other countries should be able to choose their respective jurisdictions for such contracts.

We do acknowledge that, over the years, there has been an appreciable progress in internationalising participation in ICANN's processes, including participation from governments in the Governmental Advisory Committee. However, positive as this is, it does not address the problem of a single country having overall jurisdiction over its decisions.

Issued by the following India based organisation:

Centre for Internet and Society, Bangalore
IT for Change, Bangalore
Free Software Movement of India, Hyderabad
Society for Knowledge Commons, New Delhi
Digital Empowerment Foundation, New Delhi
Delhi Science Forum, New Delhi
Software Freedom Law Centre - India, New Delhi
Third World Network - India, New Delhi

Supported by the following global networks:

Association For Progressive Communications
Just Net Coalition

For any clarification or inquiries you may may write to or call:

Parminder Jeet Singh: parminder@itforchange.net +91 98459 49445, or
Vidushi Marda: vidushi@cis-india.org +91 99860 92252

[1] Internet Corporation for Assigned Names and Numbers

[2] The “NetMundial Multistakeholder Statement” , endorsed by a large number of governments and other stakeholders, including ICANN and US government, called for ICANN to become a “truly international and global organization”.

[3] See, https://www.techdirt.com/articles/20130515/00145123090/big-pharma-firms-seeking-pharmacy-domain-to-crowd-out-legitimate-foreign-pharmacies.shtml

[4] Public Technical Identifier, a newly incorporated body to carry out the operational aspects of managing Internet's identifiers.

[5] This can be at one of the existing non US global offices of ICANN, or the location of one of the 3 non-US root servers. Section 24.1 of ICANN Bylaws say, “The principal office for the transaction of the business of shall be in the County of Los Angeles, State of California, United States of America. may also have an additional office or offices within or outside the United States of America as it may from time to time establish”.

[6] E.g., International Fertilizer and Development Center was designated as a public, nonprofit, international organisation by US Presidential Decree, granting it immunities under United States International Organisations Immunities Act . See https://archive.icann.org/en/psc/corell-24aug06.html

For more details visit https://cis-india.org/internet-governance/blog/internets-core-resources-are-a-global-public-good

ICANN 57

praskrishna — 2016-11-08T01:14:37Z

ICANN 57 is being hosted by the Ministry of Electronics & Information Technology, Government of India from November 3 to 9, 2016 in Hyderabad at Hyderabad International Convention Centre. Vidushi Marda participated in the event as a speaker.

As part of her work for the Cross Community Working Party on ICANN's Corporate and Social Responsibility to Respect Human Rights, Vidushi presented her work on the Human Rights Impact of new gTLD Subsequent Procedures in Hyderabad.

India’s Minister of Law & Justice and Minister of Electronics and Information Technology Ravi Shankar Prasad reiterated India’s commitment to the multistakeholder model during the Opening Ceremony of the Internet Corporation of Assigned Names and Numbers’ (ICANN’s) 57th Public Meeting. The meeting, also known as ICANN57, is taking place in Hyderabad, India, from November 3 – 9, 2016 and has convened thousands of the global Internet community members (both on-site and remotely) to discuss and develop policies related to the Internet’s Domain Name System (DNS). It is hosted by the Ministry of Electronics and Information Technology (MeitY), with support from the Government of Telangana.

ICANN57 is the first post-IANA stewardship transition public meeting and also the first Annual General Meeting under the new Meetings Strategy. ICANN meetings are held three times a year in different regions to enable attendees from around the world to participate in person. These meetings offer a variety of sessions such as workshops, open forums and working meetings on the development and implementation of Internet policies. ICANN meetings offer the best opportunity for face-to-face discussions and exchange of opinions among attendees dedicated to the continued stable and secure operation of the Domain Name System.

For more info about the event, visit the ICANN website.

For more details visit https://cis-india.org/internet-governance/news/icann-57-hyderabad

If the DIDP Did Its Job

asvatha — 2016-11-07T12:57:18Z

Over the course of two years, the Centre for Internet and Society sent 28 requests to ICANN under its Documentary Information Disclosure Policy (DIDP). A part of ICANN’s accountability initiatives, DIDP is “intended to ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”

Through the DIDP, any member of the public can request information contained in documents from ICANN. We’ve written about the process here, here and here. As a civil society group that does research on internet governance related topics, CIS had a variety of questions for ICANN. The 28 DIDP requests we have sent cover a range of subjects: from revenue and financial information, to ICANN’s relationships with its contracted parties, its contractual compliance audits, harassment policies and the diversity of participants in its public forum. We have blogged about each DIDP request where we have summarized ICANN’s responses.

Here are the DIDP requests we sent in:

Dec 2014	Jan/Feb 2015	Aug/Sept 2015	Nov 2015	Apr/May 2016
ICANN meeting expenditure	Revenue from gTLD auction	Implementation of NETmundial principles	IANA transition postponement	Board Governance Committee Reports
Granular revenue statements	Globalisation Advisory Groups	Raw data - Granular income data	Presumptive renewal of registries	Diversity Analysis
ICANN cyber attacks	Organogram	Compliance audits - registries	ICANN-RIR relationship	Compliance audits
Implementation of NETmundial outcome document	Involvement in NETmundial Initiative	Compliance audits - registrars		Harassment policy
Complaints to ICANN ombudsman	RIR contract fees	Registrar abuse contact		DIDP statistics *
		Verisign Contractual violations		gTLD applicant support program
		Contractual auditors		Root Zone Maintenance agreements
		Internal website

ICANN’s responses were analyzed and rated between 0-4 based on the amount of information disclosed. The reasons given for the lack of full disclosure were also studied.

DIDP response rating
0	No relevant information disclosed
1	Very little information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
2	Partial information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
3	Adequate information disclosed; DIDP preconditions and/or other reasons for nondisclosure used.
4	All information disclosed

ICANN has defined a set of preconditions under which they are not obligated to answer a request. These preconditions are generously used by ICANN to justify their lack of a comprehensive answer. The wording of the policy also allows ICANN to dodge answering a request if it doesn’t have the relevant documents already in its possession. The responses were also classified by the number of times a particular DIDP condition for non-disclosure was invoked. We will see why these weaken ICANN’s accountability initiatives.

Of the 28 DIDP requests, only 14% were answered fully, without the use of the DIDP conditions of non-disclosure. Seven out of 28 or 40% of the DIDPs received a 0-rated answer which reflects extremely poorly on the DIDP mechanism itself. Of the 7 responses that received 0-rating, 4 were related to complaints and contractual compliance. We had asked for details on the complaints received by the ombudsman, details on contractual violations by Verisign and abuse contacts maintained by registrars for filing complaints. We received no relevant information.

We have earlier written about the extensive and broad nature of the 12 conditions of non-disclosure that ICANN uses. These conditions were used in 24 responses out of 28. ICANN was able to dodge from fully answering 85% of the DIDP requests that they got from CIS. This is alarming especially for an organization that claims to be fully transparent and accountable. The conditions for non-disclosure have been listed in this document and can be referred to while reading the following graph.

On reading the conditions for non-disclosure, it seems like ICANN can refuse to answer any DIDP request if it so wished. These exclusions are numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain: Correspondence, internal information, information related to ICANN’s relationship with governments, information derived from deliberations among ICANN constituents, information provided to ICANN by private parties and the kicker - information that would be too burdensome for ICANN to collect and disseminate.

As we can see from the graph, the most used condition under which ICANN can refuse to answer a DIDP request is F. Predictably, this is the most vaguely worded DIDP condition of the lot: “Confidential business information and/or internal policies and procedures.” It is up to ICANN to decide what information is confidential with no justification needed or provided for it. ICANN has used this condition 11 times in responding to our 28 requests.

It is also necessary to pay attention to condition L which allow ICANN to reject “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.” This is perhaps the weakest point in the entire list due its subjective nature. Firstly, on whose standards must this information request be reasonable? If the point of a transparency mechanism is to make sure that information sought by the public is disseminated, should they be allowed to obfuscate information because it is too burdensome to collect? Even if this is fair given the time constraints of the DIDP mechanism, it must not be used as liberally as has been happening. The last sub point is perhaps the most subjective. If a staff member dislikes a particular requestor, this point would justify their refusal to answer a request regardless of its validity. This hardly seems fair or transparent. This condition has been used 9 times in our 28 requests.

Besides the DIDP non-disclosure conditions, ICANN also has an excuse built into the definition of DIDP. Since it is not obliged to create or summarize documents under the DIDP process, it can simply claim to not have the specific document we request and thus negate its responsibility to our request. This is what ICANN did with one of our requests for raw financial data. For our research, we required raw data from ICANN specifically with regard to its expenditure on staff and board members for their travel and attendance at meetings. As an organization that is answerable to multiple stakeholders including governments and the public, it is justified to expect that they have financial records of such items in a systematic manner. However, we were surprised to learn that ICANN does not in fact have these stored in a manner that they can send as attachments or publish. Instead they directed us to the audited financial reports which did little for our research. However, in response to our later request for granular data on revenue from domain names, ICANN explained that while they do not have such a document in their possession, they would create one. This distinction between the two requests seems arbitrary to us since we consider both to be important to public.

Nevertheless, there were some interesting outcomes from our experience filing DIDPs. We learnt that there has been no substantive work done to inculcate the NETmundial principles at ICANN, that ICANN has no idea which regional internet registry contributes the most to its budget, and that it does not store (or is not willing to reveal) any raw financial data. These outcomes do not contribute to a sense of confidence in the organization.

ICANN has an opportunity to reform this particular transparency mechanism at its Workstream 2 discussions. ICANN must make use of this opportunity to listen and work with people who have used the DIDP process in order to make it useful, effective and efficient. To that effect, we have some recommendations from our experience with the DIDP process.

That ICANN does not currently possess a particular document is not an excuse if it has the ability to create one. In its response to our questions on the IANA transition, ICANN indicated that it does not have the necessary documents as the multi stakeholder body that it set up is the one conducting the transition. This is somewhat justified. However, in response to our request for financial details, ICANN must not be able to give the excuse that it does not have a document in its possession. It and it alone has the ability to create the document and in response to a request from the public, it should.

ICANN must also revamp its conditions for non-disclosure and make it tighter. It must reduce the number of exclusions to its disclosure policy and make sure that the exclusion is not done arbitrarily. Specifically with respect to condition F, ICANN must clarify how information was classified as confidential and why that is different from everything else on the list of conditions.

Further, ICANN should not be able to use condition L to outright reject a DIDP request. Instead, there must be a way for the requester and ICANN to come to terms about the request. This could happen by an extension of the 1 month deadline, financial compensation by requester for any expenditure on ICANN’s part to answer the request or by a compromise between the requester and ICANN on the terms of the request. The sub point about requests made “by a vexatious or querulous individual” must be removed from condition L or at least be separated from the condition so that it is clear why the request for disclosure was denied.

ICANN should also set up a redressal mechanism specific to DIDP. While ICANN has the Reconsideration Requests process to rectify any wrongdoing on the part of staff or board members, this is not adequate to identify whether a DIDP was rejected on justifiable grounds. A separate mechanism that deals only with DIDP requests and wrongful use of the non-disclosure conditions would be helpful. According to the icann bylaws, in addition to Requests for Reconsideration, ICANN has also established an independent third party review of allegations against the board and/or staff members. A similar mechanism solely for reviewing whether ICANN’s refusal to answer a DIDP request is justified would be extremely useful.

A strong transparency mechanism must make sure that its objective are to provide answers, not to find ways to justify its lack of answers. With this in mind, we hope that the revamp of transparency mechanisms after workstream 2 discussions leads to a better DIDP process than we are used to.

For more details visit https://cis-india.org/internet-governance/blog/if-the-didp-did-its-job

Workshop on 'Privacy after Big Data' (Delhi, November 12)

sumandro — 2016-11-12T10:14:52Z

The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, invite you to a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12. This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It is an open event. Please register to participate.

Invitation note and agenda: Download (PDF)

Venue and RSVP

Venue: Centre for the Study of Developing Societies 29, Rajpur Road, Civil Lines, Delhi 110054.

Location on Google Maps: https://www.google.com/maps/place/CSDS/@28.677775,77.2162523,17z/.

Registration: Complete this form.

Concept Note

In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised through means such as surveillance, or protected. The tremendous opportunities big data creates in varied sectors ranges from financial technology, governance, education, health, welfare schemes, smart cities to name a few.

With the UID (“Aadhaar”) project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision.

Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.

As key privacy principles are at loggerheads with big data activities, it is important to consider privacy as an embedded component in the processes, systems and projects, rather than being considered as an afterthought. These examples highlight the current state of discourse around data protection and privacy in India and the shapes they are likely to take in near future.

This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy.

Agenda

09:00-09:30 Tea and Coffee

09:30-10:00 Introduction

Mr. Amber Sinha and Mr. Sandeep Mertia
This session will introduce the topic of the workshop in the context of the ongoing works at CIS and Sarai.

10:00-11:00 From Privacy Bill(s) to ‘Habeas Data’

Dr. Usha Ramanathan and Mr. Vipul Kharbanda
This session will present a brief history of the privacy bill(s) in India and end with reflections on ‘habeas data’ as a lens for thinking and actualising privacy after big data.

11:00-11:30 Tea and Coffee

11:30-12:30 Digital ID, Data Protection, and Exclusion

Ms. Amelia Andersdotter and Mr. Srikanth Lakshmanan
This session will discuss national centralised digital ID systems, often operating at a cross-functional scale, and highlight its implications for discussions on data protection, welfare governance, and exclusion from public and private services.

12:30-13:30 Digital Money and Financial Inclusion

Dr. Anupam Saraph and Ms. Astha Kapoor
This session will focus on the rise of digital banking and online payments as core instruments of financial inclusion in India, especially in the context of the Jan Dhan Yojana and UPI, and reflect on the concerns around privacy and financial data.

13:30-14:30 Lunch

14:30-15:30 Big Data and Mass Surveillance

Dr. Anja Kovacs and Mr. Matthew Rice
This session will reflect on the rise of mass communication surveillance across the world, and the evolving challenges of regulating il/legal surveillance by government agencies.

15:30-16:15 Privacy is (a) Right

Mr. Apar Gupta and Ms. Kritika Bhardwaj
This brief session is to share initial ideas and strategies for articulating and actualising a constitutional right to privacy in India.

16:15-16:30 Tea and Coffee

16:30-17:30 Round Table

An open discussion session to conclude the workshop.

Speakers

Mr. Amber Sinha

Amber works on issues surrounding privacy, big data, and cyber security. He is interested in the impact of emerging technologies like artificial intelligence and learning algorithms on existing legal frameworks, and how they need to evolve in response. Amber studied humanities and law at National Law School of India University, Bangalore.

E-mail: amber at cis-india dot org.

Twitter: @ambersinha07.

Ms. Amelia Andersdotter

Amelia Andersdotter has been a Member of the European Parliament. She works on practical implications of data protection laws and consumer information security in Sweden, and digital rights in the Europe in general. Presently she is residing in Bangalore, where she is a visiting scholar with Centre for Internet and Society. She holds a BSc in Mathematics.

URL: https://dataskydd.net.

Twitter: @teirdes.

Dr. Anja Kovacs

Dr. Anja Kovacs directs the Internet Democracy Project in Delhi, India, which works for an Internet that supports free speech, democracy and social justice in India and beyond. Anja’s research and advocacy focuses especially on questions regarding freedom of expression, cybersecurity and the architecture of Internet governance. She has been a member of the of the Investment Committee of the Digital Defenders Partnership and of the Steering Committee of Best Bits, a global network of civil society members. She has also worked as an international consultant on Internet issues, including for the Independent Commission on Multilateralism, the United Nations Development Programme Asia Pacific and the UN Special Rapporteur on Freedom of Expression, Mr. Frank La Rue, as well as having been a Fellow at the Centre for Internet and Society in Bangalore, India.

Internet Democracy Project: https://internetdemocracy.in.

Twitter: @anjakovacs.

Dr. Anupam Saraph

Anupam Saraph has extensively researched India's UID number that has been widely regarded as the game changer in development programs. It has come to be linked with both public and private databases and become the requirement for access to entitlements, benefits, services and rights. Dr. Saraph, who has the design of at least two identification programs to his credit has researched the UID’s functional creep since its inception.

He has been dissecting the myths of what the UID is or is not. He has also tracked the consequences of its linkages on databases that protect national security, sovereignty, democratic status and the entire banking and money system in India. He has also highlighted the implications of its use for targeted delivery of cash subsidies from the Consolidated Fund of India. He has written and lectured widely about the devastating impact of the UID number on development programs, national security and the governability of India.

As a Professor of Systems, Governance and Decision Sciences, Environmental Systems and Business he mentors students and teaches systems, information systems, environmental systems and sustainable development at universities in Europe, Asia and the Americas. He has worked with the Rensselaer Polytechnic Institute, Rijksuniversitiet Groningen, RIVM, University of Edinburgh, Resource Use Institute, Systems Research Institute among others. Dr. Saraph has had the unique distinction of being India’s only person who has held the only office of a City CIO in India, in a PPP arrangement with government, industry and himself. He has also been the first e-governance Advisor to a State government. Dr. Saraph has held CxO and ministerial level positions and serves as an independent director on the boards of Public and Private Sector companies and NGOs. He is also the President of the Nagrik Chetna Manch, an NGO charged with the mission to bring accountability in governance.

Dr. Saraph is also actively engaged in civil society where he participates in several environmental, resource and nature conservation initiatives, has authored draft legislations for river and natural resource conservation, right to good governance and has contributed to governance, election and democratic reforms. Dr. Saraph is a regular columnist in newspapers and writes on issues of governance, future design, technology and education from a systems perspective.

As a future designer and recognized as a global expert on complex systems he helps individuals and organisations understand and design the future of their worlds. Together they address the toughest challenges, accomplish missions and achieve business goals. He also supports building capacity to address the challenges of today as well as to build future designs through teams and effective leadership. Since the eighties Dr. Saraph has modeled complex systems of cities, countries, regions and even the planet. His models have been awarded internationally and even placed in 10-year permanent exhibitions.

Dr Saraph works with business and government executives, civil society leaders, politicians, generals, civil servants, police, trade unionists, community activists, United Nations and ASEAN officials, judges, writers, media, architects, designers, technologists, scientists, entrepreneurs, board members and business leaders of small, mid and large single and trans-national companies, religious leaders and artists across a dozen countries and various industry sectors to help them and their organisations succeed in their missions. He advises the World Economic Forum through its Global Agenda Council for Complex Systems and the Club of Rome, Indian National Association as a founder life member.

Dr Saraph holds a PhD in designing sustainable systems from the faculty of Mathematics and Natural Sciences of the Rijksuniversiteit Groningen, the Netherlands.

Website: http://anupam.saraph.in.

Twitter: @anupamsaraph.

Mr. Apar Gupta

Apar Gupta practices law in Delhi. He is also one of the co-founders of the Internet Freedom Foundation. His work and writing on public interest issues can be accessed at his personal website www.apargupta.com.

Twitter: @aparatbar.

Ms. Astha Kapoor

Astha Kapoor is a public policy strategy consultant working on financial inclusion and digital payments. Currently, she is working with MicroSave. Her tasks involve a focus on government to people (G2P) payments - and her work spans strategy, advisory and evaluation with the DBT Mission, Office of the Chief Economic Advisor, NITI Aayog and ministries pertaining to food, fuel and fertilizer. She recently designed a pilot to digitize uptake of fertilizers in Krishna district, and evaluated the newly introduced coupon system in the Public Distribution System in Bengaluru.

Twitter: @kapoorastha.

Ms. Kritika Bhardwaj

Kritika Bhardwaj works as a Programme Officer at the Centre for Communication Governance (CCG), National Law University, Delhi. Her main areas of research are privacy and data protection. At CCG, she has written about the privacy implications of several contemporary issues such as Aadhaar (India's unique identification project), cloud computing and the right to be forgotten. A lawyer by training, Kritika has a keen interest in information law and human rights law.

Centre for Communication Governance, NLU Delhi: http://ccgdelhi.org.

Twitter: @Kritika12.

Mr. Matthew Rice

Matthew Rice is an Advocacy Officer at Privacy International working across the organisation engaging with international partners and strengthening their capacity on communications surveillance issues. He has previously worked at Privacy International as a consultant building the Surveillance Industry Index, the largest publicly available database on the private surveillance sector ever assembled. Matthew graduated from University of Aberdeen with an LLB (Hons.) and also has an MA in Human Rights from University College London.

Privacy International: https://privacyinternational.org.

Twitter: @mattr3.

Mr. Sandeep Mertia

Sandeep Mertia is a Research Associate at The Sarai Programme, Centre for the Study of Developing Societies, Delhi. He is an ICT engineer by training with research interests in Science & Technology Studies, Software Studies and Anthropology. He is conducting an ethnographic study of emerging modes of data-driven knowledge production in the social sector.

Sarai: http://sarai.net.

Twitter: @SandeepMertia.

Academia: https://daiict.academia.edu/SandeepMertia.

Mr. Srikanth Lakshmanan

Srikanth is a software professional with interests in Internet, follower of Internet policy discussions, volunteers for multiple online campaigns related to Internet. He is also fascinated by FOSS, opendata, localization, Wikipedia, maps, public transit, civic tech and occasionally contributes to them.

Site: http://www.srik.me.

Twitter: @logic.

Mr. Vipul Kharbanda

Vipul Kharbanda is a consultant with the Center for Internet and Society, Bangalore. After finishing his BA.LLB.(Hons.) from National Law School of India University in Bangalore, he worked for India’s largest corporate law firm for two and a half years in their Mumbai office for two years working primarily on the financing of various infrastructure projects such as Power Plants, Roads, Airports, etc. Since quitting his corporate law job, Vipul has been working as the Associate Editor in a legal publishing house which has been publishing legal books and journals for the last 90 years in India. He has also been involved with the Center for Internet and Society as a Consultant working primarily on issues related to privacy and surveillance.

For more details visit https://cis-india.org/internet-governance/events/privacy-after-big-data-delhi-nov-12-2016

Workshop on Democratic Accountability in the Digital Age (Delhi, November 14-15)

sumandro — 2016-12-15T09:27:22Z

IT for Change, along with Centre for Internet and Society (CIS), Digital Empowerment Foundation (DEF), Mazdoor Kisan Shakti Sangathan (MKSS) and National Campaign for People’s Right to Information (NCPRI), is organising a two day workshop on ‘Democratic Accountability in the Digital Age’. The workshop will focus on evolving a comprehensive policy approach to data based governance and digital democracy, grounded in a rights and social justice framework. It will be held at the United Service Institution of India, Delhi, during November 14-15, 2016. The CIS team to participate in the workshop includes Sumandro Chattapadhyay (speaker), Amber Sinha (speaker), Vanya Rakesh (participant), and Himadri Chatterjee (participant).

The workshop aims to:

Discuss the institutional norms, rules and practices appropriate to the rise of ‘governance by networks’ and ‘rule by data’ that can guarantee democratic accountability and citizen participation, and
Articulate the steps to claim the civic-public value of digital technologies so that data and the new possibilities for networking are harnessed for a vibrant grassroots democracy.

We hope the workshop can create a civil society coalition that can build effective strategies for legal and policy reform to further participatory democracy in the digital age. On the first day, the workshop will set the context through knowledge sharing and thematic presentations and discussions. On the second day, we aim to concretize strategies for collective action to further democratic accountability in the digital age.

Workshop Agenda (PDF)

Background Note (ODT)

For more details visit https://cis-india.org/internet-governance/events/workshop-on-democratic-accountability-in-the-digital-age-delhi-november-14-15

Behind Modi’s Heartwarming Diwali Ad for Soldiers, An App That’s Primed for Political Messaging

praskrishna — 2016-10-30T07:33:57Z

The campaign, which allows users to send Modi quotes on themes like Ayodhya and the perfidy of the Opposition, raises questions about the boundaries between government, party and personal promotion.

The article by Sangeeta Barooah Pisharoty was published in the Wire on October 29, 2016. Sunil Abraham was quoted.

On October 22, Prime Minister Narendra Modi launched a public campaign, Sandesh2Soldiers, urging the people to be a part of it. The prime minister prodded people to express their gratitude to soldiers guarding the borders through the campaign by sending them personalised messages on the occasion of Diwali.

Such messages can be sent through the Narendra Modi mobile app, the “official app of the prime minister”, or by logging on to www.mygov.in, a central government platform launched by the prime minister in 2014 to facilitate participatory governance by engaging the public. One can also send a message by recording it after dialing a 10-digit number – which would then be aired by All India Radio (AIR).

Media reports said a special module had been created within the mobile app to not only enable people to send text messages to soldiers but also to upload handwritten letters, decorated cards and videos to them expressing their Diwali wishes and feelings for the armed forces.

A special video that carried Modi’s appeal to the public to send messages to the armed forces was shared on social media along with a few other videos to promote the prime minister’s idea. One such video features a child sending a ‘thank you rocket’ to soldiers for defending the nation under hostile circumstances. That the call to send a personal message has come from the prime minister has upped the profile of this campaign.

Bollywood stars like Akshay Kumar, Aamir Khan and Salman Khan, and cricketers such as Virat Kohli, Virendra Sehwag and Mohammad Kaif have also posted their messages to soldiers on Twitter by using the prime minister’s campaign hashtag #Sandesh2Soldiers. Many Bharatiya Janata Party (BJP) politicians and ministers have also joined in.

As per a tweet by AIR on October 26, “Around 9,800 persons sent their good wishes to jawans of security forces so far during this festive season”. Last checked, www.mygov.in, run by the National Informatics Centre under the the Ministry of Electronics and Information Technology, showed 13,000 messages and video uploads recorded. The number is going up by the minute.

While the registration requirement at the government’s www.mygov.in portal only requires the sender to provide her or his name and e-mail address to be able to send a message or upload a video – a usual cyber safety procedure – those who want to use the Modi app for the purpose will have to do more: they will first have to agree to be personally profiled by the prime minister’s “official” mobile application.

Personally identifiable information

This is how things work: to register oneself through the app and send a message, a user not only has to disclose her name, mobile number and email address but also profession, the state and the district she belongs to, her voter identification card number, specific areas of interests and a personal description within “500 characters”.

This has left many potential senders and experts flummoxed. Why does a citizen, in order to express her gratitude to the armed forces on the occasion of Diwali at the call of her prime minister need to share additional information with the app, which amounts to profiling? At a time when the Supreme Court is hearing a bunch of petitions on the mandatory use of Aadhar cards by the government, some of which deal with issues of privacy and the possible misuse of the collected data, this is a relevant question.

“There was absolutely no need for the app to ask for additional information from a user just to send a message to the armed forces. As far as the additional information sought from a user is concerned, it allows the data collector to build a profile of the user but it is not profiling in the modern big data sense wherein multiple data sources are combined to create a complete profile of the data subject,” says Sunil Abraham, director of the Bangalore-based Centre for Internet and Society.

Abraham adds, “There is no guarantee that the data collected (through the app) won’t be used illegally by some commercial enterprise, etc. because our data protection law, Section 43A of the Information and Technology Act, doesn’t apply to the state but only to the private sector. In other words, if the personal information is shared with the government, then it is perfectly legal for the government to disclose the personal information to other government or commercial entities.”

Unlike the MyGov portal, where a user can type or upload a message, the Narendra Modi mobile app also automatically adds a quote from the prime minister below the one typed by the user. It expresses the prime minister’s pride over “the indomitable valour and supreme sacrifice of our armed forces etched in the memory of every Indian”.

The prime minister launched his official mobile app in August last year at a function reportedly organised by MyGov, thus making him the first prime minister to have a mobile app named after him. Designed by a team of six students from Delhi Technical University after winning a two-phased contest launched by MyGov in March last year, the app has been described as “a one-stop destination for knowing about all the latest day-to-day activities of the prime minister.”As per media reports, the app would correspond to the prime minister’s official website, www.pmindia.gov.in.

Obviously then, information on how to access the app and take part in the campaign have been publicised through his portal, www.pmindia.gov.in.

This raises another question. Even though www.pmindia.gov.in is not directly accepting public messages for the armed forces but is only promoting the campaign and giving information on how to download the mobile app for it (thereby proving that it corresponds to the app), it does direct an interested user to the prime minister’s personal website, www.narendramodi.in on clicking its publicity window designed for the campaign.

The user can then download the Modi app from his personal website, which was used extensively during the run-up to the 2014 parliamentary elections by Modi to reach out to voters. So the app not only corresponds to the official website of the prime minister but also with his personal website through the official website. Curiously, it is not possible to access the app from the MyGov portal even though the entity under the Ministry of Electronics and Information launched the app at a function on August 6 in New Delhi reportedly organised by it.

Thus, while the app that seemed to have been developed and launched by a government department can’t be accessed directly through a government portal, it can be accessed through the prime minister’s personal portal. Also, features in the app like “forget password” are handled by his personal website, which communicates with an app user as its “Admin”.

So who runs the app? Is it not the official app of the prime minister of the country? Who owns it? Is it his personal app that he considers “official”? These are questions to which answers are not easily available.

No answers

The Wire made multiple attempts to get an official response, both from the government and the BJP Cyber Cell, about these queries but failed to get an answer. The Wire also failed to get any official clarification to why the app seeks personal details of a user to just send messages to the armed forces.

Calls and text messages to the social media cell of the Press Information Bureau (PIB) – the government’s media interface in the digital space – the office of Anurag Jain, listed in the www.pmindia.gov.in as the “web information office”, and to MyGov, which launched the app at the second anniversary function of the Modi government on August 6 last year in New Delhi, failed to receive a reply. All that a PIB official was willing to say on condition of anonymity to this correspondent, “I think it has been outsourced, we don’t deal with it. May be you can contact the PMO.”

Anurag Jain’s office at the PMO said, “You won’t get any information here on the app and the response of the people for the campaign through it. Call the appointments section, it might know.” But that section didn’t respond.

A mail sent to Arvind Gupta of the BJP’s Cyber Cell too has so far remained unanswered. A BJP source, however, pointed out, “If you go to @narendramodi_in, it clearly mentions that it is the twitter account of narendramodi.in, the personal website of Narendra Modi and also of the Narendra Modi mobile app. So it is his personal app.”

The question of why a personal app of the prime minister is then called his “official” app remains unanswered. Also, why is it then that the bulk text messages sent by a government entity, MyGov, direct the public to the prime minister’s personal app to send a message to the armed forces? Is it personal or official?

Meanwhile, the traffic directed by the prime minister’s official website to his personal portal can make use of the e-greeting section in it to send a Diwali e-card to family, relatives, colleagues, etc.

To send such an e-card, the user needs to follow four mandatory steps – choosing a card from the available options, selecting a pre-written Diwali message; selecting a quote of the prime minister from an exhaustive list made available to the user, and adding the name, salutation and email address of the recipient of the card.

The list of quotes – in English and Hindi – have been culled out of the prime minister’s speeches that straddle a variety of categories including Pakistan, terrorism, ASEAN, Nepal, Bhutan, Swacchh Bharat mission, the idea of India, secularism, disability, caste, dalits, governance, yoga, youth, et al.

It also has “motivation” as a category of prime minister’s sayings. Clicking it will give a user the choice of a long list of the prime minister’s quotes which begins with the need for the world to recognise the sacrifice made by Indian soldiers in the two world wars and ends with a quote on the 2010 judgment given by the Allahabad high court on the disputed site at Ayodhya:

Diwali greetings that can be sent along with the prime minister’s quote on the Ayodhya judgement which has been stayed by the Supreme Court

The quote said, “The Ayodhya judgment will work as a catalyst to maintain peace and unity in the country. This judgment has given a respect to belief and self esteem of the people of India, and it should be linked to self esteem of the country.”

Reacting to the judgment in 2010, the Rashtriya Swayamsevak Sangh chief Mohan Bhagwat had expressed “satisfaction”, adding, “The judgment has paved the way for the construction of Ram temple in Ayodhya. The judgment is not a win or loss for anybody. We invite everybody, including Muslims, to help build the temple.”

Constructing the Ram temple in Ayodhya was also in the manifesto of the BJP for the 2014 Lok Sabha polls with Modi as the party’s prime ministerial candidate.

So, even if the Supreme Court had put a stay on the judgment and has been hearing some petitions for and against it, this Diwali, if you wish to send an e-card using that quote of the prime minister to express his mind on the issue, you can.

“I think it is not only improper of the prime minister to allow such a quote to feature in an e-card with his name but it is also contempt of court. Being the prime minister of the country, he has to maintain neutrality. As per the constitution, there is separation of the state from religion. So being the prime minister, he can’t possibly allow someone to use that quote of him,” says well-known constitutional expert and senior Supreme Court lawyer Rajeev Dhavan.

Dhavan points out a precedent: “In 1969, the Supreme Court held as contempt a comment made by the then West Bengal chief minister P.C. Sen in a speech aired by All India Radio. The speech was made at a time when someone had challenged an order of the state government on milk production. Sen’s adverse comment supporting the order was presented first in front of the West Bengal High Court which took cognisance of it and termed it contempt of court. Thereafter, the case came to the SC which also termed it contempt of court as the comment was made while the case was pending in the court.”

Swaying public opinion

As per media reports, the comment on the September 30, 2010, HC order was made by Modi, then the Gujarat chief minister, on the same day, before the SC stayed that order in May, 2011.

Dhavan felt, “That he, as the prime minister, is now openly allowing a user to circulate that quote after the SC has begun hearing the case will attract criminal contempt of court as it can be seen as interfering with the working of the judiciary. He can obviously affect public opinion and can be seen as trying to decide the question. It can be seen as usurping the function of the Judiciary by the Executive.”

The traffic directed by the prime minister’s official website to the personal portal can also make use of any Diwali e-greeting card by picking a quote from a category named “political-general”. Many of the quotes under that category are from the prime minister’s multiple attacks on the main opposition party, the Congress, some of which must have been made before the 2014 Lok Sabha polls, such as this one: “The UPA government is non-serious, it has taken the people for granted & it is not bothered about the youth. Their approach shows lack of faith in democracy. Our goal is to win the trust of the people & give dignity to them…”

“That the prime minister’s official website links people to surf his personal website where they can send e-cards using anti-opposition quotes of the prime minister is extremely contentious. Whichever party had come to power, there has always been a Chinese wall between the institution of the prime minister and the politician. Unfortunately, both have come together in the current dispensation. The common man doesn’t understand it well, so it is taking advantage of technology to erase that difference,” former Information and Broadcasting minister and Congress spokesperson Manish Tiwari said.

Such e-cards are not restricted to Diwali. You can send them on occasions like “Holi, Rakshabandhan, Navaratri, Christmas, Independence Day, Gudi Padwa, Kite Festival, Namo Birthday, Ram Navami, Swami Vivekananda Janma Jayanti” and at any other time by opting for the “political (general)” category.

Narendra Modi implemented the idea of launching e-cards that could go with his quotes in the run-up to the 2014 parliamentary elections. Reports said that “Narendra Modi E-cards” were used by the BJP as a “new marketing strategy” to canvas for its prime ministerial candidate before Holi to bypass the Election Commission of India’s model code of conduct as there was “no mention of rules for social media usage by political parties”.

Meanwhile, those who have signed up for the Narendra Modi mobile app only to send a message to the armed forces have begun receiving regular “infographics” based on the prime minister’s speeches, and also data culled out of news and study reports that are deemed favourable to him and his government. A registered user can further pass on those “infographics” by sharing them on her Facebook page and twitter handle.

The app, though termed “official”, also forwards to a registered user tweets posted only from his personal twitter handle and not from his official handle, @pmoindia. One such tweet that this correspondent received through the app had little to do with the government and entirely with the persona of the politician behind the prime minister. The tweet said, “When @narendramodi demonstrated true leadership at the Patna rally, on this day in 2013…”

Clicking on the link in the tweet takes you to a write-up that talks of the “true grit” of the “BJP’s then prime ministerial candidate” by addressing a rally after a bomb blast in Patna.

For more details visit https://cis-india.org/internet-governance/news/the-wire-october-29-2016-sangeeta-barooah-pisharoty-behind-modis-heartwarming-diwal-ad-for-soldiers-an-app-that-is-primed-for-political-messaging

Bridging the gap: Tech giants bring the internet to women in rural India

praskrishna — 2016-10-30T07:23:05Z

This Diwali is going to be a cracker of a festival for Nisha Chanderwal, a second year BA student.

The article by KumKum Dasgupta was published in the Hindustan Times on October 28, 2016. Pranesh Prakash and Rohini Lakshané were quoted.

“I bought a bright red kurta with gold-colour zari dupatta from Snapdeal, my first online purchase,” the 19-year-old resident of Alwar’s Umren village told HT recently.

“No courier service reaches my village. So I gave my aunt’s home address in Alwar. They paid in cash…I paid her when I picked up the parcel,” she added, explaining the circuitous delivery and payment process that is common in rural India.

Nisha is elated for one more reason: She has finally got even with her 20-year-old brother, Ashok. “He has a smartphone, but doesn’t even let me touch it, saying girls should not use the Internet. But now thanks to Google’s Internet Saathi Programme (ISP), I don’t need his phone or his help,” said an elated Nisha.

In July 2015, technology giant Google launched ISP in partnership with Tata Trusts, one of the country’s oldest philanthropic organisations, to bring rural women online in India. Today, the initiative is live in 25,000 villages across 10 states with 1,900 saathis. The final mission is to reach 300,000 villages. Google is adding up to 500 additional ‘saathis’ per week. More than 100,000 women have been trained so far.

Google started this programme because Internet usage by women in rural areas is low.

“Only one in 10 Internet users in rural India is a woman,” Sapna Chadha, marketing head, Google India, told HT. “With ISP, we are creating an enabling environment that empowers them while also bridging the technology gender divide. We believe that easy access to information can transform lives. Our mission is to organise the world’s information and make it universally accessible”.

Along with access to information, getting more and more women online has other benefits: “If women are a minority online, they become vulnerable to harassment and violence. Women can’t only be consumers of the Internet but must contribute their views, and make the space equitable,” said Rohini Lakshané of the Bangalore-based The Centre for Internet and Society (CIS), which is funded by the Kusuma Trust.

Google and Tata Trusts are leveraging their core strengths for ISP. While Google provides the hardware (phones and tablets), training and Internet connectivity. Tata Trusts does the identification of saathis and the monitoring.

“We tie up with government departments to roll out the project. For example, in Rajasthan and Andhra Pradesh, we are working with the rural livelihood mission. The government helps us to identify villages, set selection criteria and logistics such as venues,” explained Prabhat Pani, project director, Tata Trusts.

The programme first chooses a few women and trains them on how to use a mobile phone, shoot photos and videos and the basics of Internet. Then the women are sent out on bicycles with a smartphone and a tablet to teach others in their villages.

The programme has opened a new world for many. “Google is like a book. You can get whatever information you need. I am illiterate but I use voice search for information,” said Phoolwati, a 45-year-old resident of Nangli Jamawat, Umren.

Her friend Manju is now the village’s undisputed ‘selfie queen’. “I love taking videos and photos,” she said, adding that she also searches for information on MGNREGA or education loans for her children.

According to Google, the new online entrants are searching for news, recipes, designs for clothes, images and information on pilgrimages, farming and cattle-related information and government schemes.

For Google, it makes immense sense to get more people online. “The company is targeting huge and untapped demographics who are entry-level users. Going forward, they will have a huge first-mover advantage if there is scope to monetise Google’s services,” explained Lakshané.

By 2020, about 315 million rural Indians will be connected to the Internet, compared to around 120 million now. That’s about 36% of the country’s online population. By 2020, this share of rural India will jump to 48%, creating a huge opportunity for brands and marketers in places where establishing stores is a challenge,” says a study by the Boston Consulting Group, The Rising Connected Consumer in Rural India.

The first signs of this market potential were evident during the pre-Diwali online festival season sale. E-tailers posted growth in sales compared to last year thanks to growing smartphone penetration in small towns and villages, cheaper data tariffs and free hotspots. While Google did not divulge the exact revenues that it is spending on ISP, Chadha said it has helped the company to understand the needs of users in rural areas and what role the Internet can play.

Along with ISP, Google is also working with the Indian government on two projects that aims to give more people access to the Internet.

First, the Project Loon, which uses high-altitude balloons to create an aerial wireless network with up to 4G speeds for providing Internet access to rural and remote areas.

Second, the company is partnering with RailTel to provide free wi-fi access in stations.

“The ISP has no immediate profits for Google. The average revenue Indian per user is less than say a user in US. But getting more people online helps Google because its search engine is most used,” Pranesh Prakash, policy director, CIS, told HT. “In the long run, the company will earn when people access its services and also from advertising revenue.”

Nevertheless, the ISP is addressing a major problem. “Many are afraid to go online because they don’t know how they can benefit. While the Saathi programme is not a philanthropic effort, it’s good that Google is addressing this issue through its training programmes,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-october-28-2016-kumkum-dasgupta-bridging-the-gap

Some Key Words Are Missing

praskrishna — 2016-10-23T01:40:12Z

Google manipulating search results? The Competition Commission is on its case.

The article by Arindam Mukherjee was published by Outlook on October 23, 2016. Nehaa Chaudhari was quoted.

G’s Global Woes

Google’s problems aren’t restricted to India. It is facing similar cases around the world.

Europe: The search giant has been accused of using its dominant position on the web to dominate the market for online product searches. There’s another probe on possible abuse of dominant position with Android.

Brazil: Is being investigated for favouring its own services over others on the internet

Hong Kong & Argentina: Facing issues about collecting user data

Spain: Had to shut down Google News over copyright issues.

Germany: Its Google Street View navigation service got into problems over privacy issues

Mexico: The local regulator has brought up issues similar to those in Europe

***

There is an uneasy calm at Google’s India offices these days. Spokespersons are giving measured statements, watched over by an army of lawyers who are busy looking at the finer points. A case against Google’s advertising and search practices with the Competition Commission of India (CCI) has the potential to derail the search giant’s operations in India. Why, a nervous Google has even sought to make hearings in this case in-camera to totally shut out the media.

There is a lot at stake. An investigation report of the CCI has found Google squarely guilty of abusing its dominant position to manipulate search results on the internet and online advertising results to its own advantage and to those of companies paying for it. Google was found to “have abused its dominant position in the relevant markets of online general web search service in India and online search advertising in India in violation of the Competition Act 2002”.

Indeed, the report (which has been reviewed by Outlook) is blunt on many of the issues: “Google is found to be indulging in practices of search bias and by doing so it causes harm to its competitors as well as users.... Google steers users to its own products and services and produces biased results. This structure offers abundant opportunities for leveraging and has also raised issues of conflict of interest.” It says that through such practices Google was adversely affecting the competitive landscape in the markets for online general web search, search advertising as well as adjacent markets like travel, maps, social networking and e-commerce.

The whole brouhaha started with complaints from two parties—Chennai-based matchmaking portal Bharatmatrimony.com and Jaipur-based consumer rights organisation CUTS International—in 2012. “People who are subscribing to Google’s Adwords and are paying Google or are buying keywords are getting preference in their search results. Many of the search results on Google are either ads or sponsored links and not genuine search results. Google is pushing ads as news items which normal users would be unable to distinguish,” says Sharad Bhansali, managing partner, APJ SLG Law Offices which is representing CUTS.

CUTS also complained that Google was promoting its own products through search. Says Udai Singh Mehta, CUTS director, “Preference was being given by Google to its products and subsidiaries in search.” This, being a dominant player in search and online advertising, amounts to abusing its position. According to market estimates, Google enjoys a 93 per cent share of the search market and gets about 85 per cent of the revenues of online advertising. Says Nikhil Pahwa, editor-in-chief of Medianama: “In search cases, Google is clearly the dominant player in the market. So when they start integrating content into search, there is a problem and it becomes an issue.”

“In search cases, Google is clearly the dominant player. So when they integrate content into search, it’s a problem.”
Nikhil Pahwa, Medianama

In the course of the investigation, the CCI D-G also sought opinion from about 30 companies—most of them gave similar feedback about Google’s practices. The list includes Flipkart, mapmyindia.com, makemytrip.com, Microsoft and Nokia Maps.

Google will now have to appear before the full CCI bench on September 17 for a hearing based on the D-G report. After this, the CCI will take a final call on the issue. Of course, Google can seek an extension of this hearing. According to company insiders, they have not sought an extension yet. Google will have the right to appeal any order the CCI comes out with. The first appeal would be at the court of a competition appellate tribunal headed by a retired SC judge. The final appeal can happen only with the Supreme Court.

As expected, Google denies any wrongdoing and says the abuse of dominant position will need to be proved. Manas Chaudhuri, lawyer with Khaitan & Co which deals with competition cases, told Outlook, “The report says that Google is dominant, which is correct. If it is dominant, there is nothing wrong under the Competition Act. The issue is whether or not it has abused its dominance. The ‘abuse’ is a rule-of-reason argument and as such the CCI will have to assess quite a few international best practices theories eg, ‘objective justification’, ‘analysing the statutory mandate of meeting the competition in the relevant market’, ‘consumer harm’ and ‘counterfactuals’.”

In response to queries, a Google spokesperson said, “We’re currently reviewing the report from the CCI’s ongoing investigation. We continue to work closely with the CCI and remain confident that we comply fully with India’s competition laws. Regulators and courts around the world, including in the US, Germany, Taiwan, Egypt and Brazil, have looked into and found no concerns on many of the issues raised in this report.” Actually, Google is facing a similar case in the EU, while similar issues have been raised in Brazil, Hong Kong, Argentina and Mexico (see box).

Outlook’s cover from Oct 28, 2013

Sure, at first blush, the report appears tilted against Google. What may go in its favour is the CCI’s dismal record in treating such cases. Though it is the final investigation report, experts say it is not sacrosanct: the CCI bench might not agree with it. In the last six years, over 20 such investigation reports have been dismissed by the CCI after the final hearing. And Google will try its best to bring forth the fact that it has been exonerated in similar cases in the US, Germany and Taiwan.

But with the D-G’s final investigation report giving a clear verdict against Google’s practices, it might not be so easy for the search giant to come out cleanly from this one. Says Nehaa Chaudhari, lawyer with the Centre for Internet and Society (cis), “Given that India is not the only jurisdiction where Google is using its secret algorithm to promote its own products, there is enough for the CCI to proceed on against it.” What will also help is the testimony of several companies who have said that they have suffered because of Google’s web practices.

The entire world is watching India. Clearly, if the CCI upholds the D-G report and pronounces Google guilty, it could seriously affect the search giant’s growth in India, one of the fastest growing internet markets for Google with over 300 million internet users and an even faster growing Android landscape (where also it is a dominant player). With the final EU verdict on the case yet to come out, will India set a new example for the world to follow?

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-october-23-2016-some-key-words-are-missing

How Long Have Banks Known About The Debit Card Fraud?

tiwari — 2016-10-22T08:06:51Z

The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.

The article was published by Bloomberg on October 22, 2016.

The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has affected actively at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the pro-active measures (including card revocation) being taken by banks to prevent further financial losses.

Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.

The Modus Operandi

According to reports, the compromise may have happened at the level of the Hitachi Payment Services, which is a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by a malware, which then infected the payment services provider network, leading to a far larger potential target area than just the physical ATMs for malware to act against. The malware could have infected the payment switch provider via physically being uploaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM pins and CVV numbers, to the operators of the malware.

The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous as it still maybe be active on parts of the network within the bank and would have access to a far wider range & variety of information than a mere ATM. There is no real way to know if the threat has been even contained, forget neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due at least another 15 days, as intimated by NPCIL.

Massive Financial Implications


Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News)

The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name & CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.

This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.

Are Banks Concealing Information?


A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)

The absence of data/security breach laws in India is being sharply felt as there as has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation & disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being under the wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations & banks to international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards being issued to affected customers.

Constant vigilance & comprehensive security audits by banks to detect affected cards and active protection for customers, using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 Playstation Hack) will go a long way in mitigating the harm of the breach. The banking industry, government & security agencies should all learn from this breach and a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive & reactive actions in the future.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud

RBI Directions on Account Aggregators

Vipul Kharbanda and Elonnai Hickok — 2016-10-21T15:25:01Z

The Reserve Bank of India's (RBI) Directions for account aggregator services in India seem to lay great emphasis on data security by allowing only direct access between institutions and do away with data scraping techniques.

These days’ people have access to various financial services and manage their finances in a diverse manner while dealing with a large number of financial service providers, each providing one or more services that the user may need such as banking, credit card services, investment services, etc. This multiplicity of financial service providers could make it inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place. This problem is sought to be solved by the account aggregators by providing all the financial data of the user at a single place. Account aggregation is the consolidation of online financial account information (e.g., from banks, credit card companies, etc.) for online retrieval at one site. In a typical arrangement, an intermediary (e.g., a portal) agrees with a third party service provider to provide the service to consumers, the intermediary would then generally privately label the service and offer consumers access to it at the intermediary’s website.[1] There are two major ways in which account aggregation takes place, (i) direct access: wherein the account aggregator gets direct access to the data of the user residing in the computer system of the financial service provider; and (ii) scraping: where the user provides the account aggregator the username and password for its account in the different financial service providers and the account aggregator scrapes the information off the website/portal of the different financial service providers.

Since account aggregation involves the use and exchange of financial information there could be a number of potential risks associated with it such as (i) loss of passwords; (ii) frauds; (iii) security breaches at the account aggregator, etc. It is for this reason that on the advice of the Financial Stability and Development Council,[2] the Reserve Bank of India (“RBI”) felt the need to regulate this sector and on September 2, 2016 issued the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 to provide a framework for the registration and operation of Account Aggregators in India (the “Directions”). The Directions provide that no company shall be allowed to undertake the business of account aggregators without being registered with the RBI as an NBFC-Account Aggregator. The Directions also specify the conditions that have to be fulfilled for consideration of an entity as an Account Aggregator such as:

the company should have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify;
the company should have the necessary resources and wherewithal to offer account aggregator services;
the company should have adequate capital structure to undertake the business of an account aggregator;
the promoters of the company should be fit and proper individuals;
the general character of the management or proposed management of the company should not be prejudicial to the public interest;
the company should have a plan for a robust Information Technology system;
the company should not have a leverage ratio of more than seven;
the public interest should be served by the grant of certificate of registration; and
Any other condition that made be specified by the Bank from time to time.[3]

The Direction further talk about the responsibilities of the Account Aggregators and specify that the account aggregators shall have the duties such as: (a) Providing services to a customer based on the customer’s explicit consent; (b) Ensuring that the provision of services is backed by appropriate agreements/ authorisations between the Account Aggregator, the customer and the financial information providers; (c) Ensuring proper customer identification; (d) Sharing the financial information only with the customer or any other financial information user specifically authorized by the customer; (e) Having a Citizen's Charter explicitly guaranteeing protection of the rights of a customer.[4]

The Account Aggregators are also prohibited from indulging in certain activities such as: (a) Support transactions by customers; (b) Undertaking any other business other than the business of account aggregator; (c) Keeping or “residing” with itself the financial information of the customer accessed by it; (d) Using the services of a third party for undertaking its business activities; (e) Accessing user authentication credentials of customers; (f) Disclosing or parting with any information that it may come to acquire from/ on behalf of a customer without the explicit consent of the customer.[5] The fact that there is a prohibition on the information accessed from actually residing with the Account Aggregator will ensure greater security and protection of the information.

Consent Framework

The Directions specify that the function of obtaining, submitting and managing the customer’s consent should be performed strictly in accordance with the Directions and that no information shall be retrieved, shared or transferred without the explicit consent of the customer.[6] The consent is to be taken in a standardized artefact, which can also be obtained in electronic form,[7] and shall contain details as to (i) the identity of the customer and optional contact information; (ii) the nature of the financial information requested; (iii) purpose of collecting the information; (iv) the identity of the recipients of the information, if any; (v) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (vi) Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI.[8] The account aggregator is required to inform the customer of all the necessary attributes to be contained in the consent artefact as well as the customer’s right to file complaints with the relevant authorities.[9] The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.[10]

Comments: While the Directions have specific provisions regarding how the financial data shall be dealt with, it is pertinent to note that the actual consent artefact also has personal information and it is not clear whether Account Aggregators are allowed disclose that information to third parties are not.

Disclosure and sharing of financial information

Financial information providers such as banks, mutual funds, etc. are allowed to share information with account aggregators only upon being presented with a valid consent artifact and also have the responsibility to verify the consent as well as the credentials of the account aggregator.[11] Once the verification is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real time, as per the terms of the consent.[12] In order to ensure smooth flow of data, the Directions also impose an obligation on financial information providers to:

implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and enable secure flow of financial information;
adopt means to verify the consent including digital signatures;
implement means to digitally sign the financial information; and
maintain a log of all information sharing requests and the actions performed pursuant to such requests, and submit the same to the Account Aggregator.[13]

Comments: The Directions provide that the Account Aggregator will not support any transactions by the customers and this seems to suggest that in case of any mistakes in the information the customer would have to approach the financial information provider and not the Account Aggregator.

Use of Information

The Directions provide that in cases where financial information has been provided by a financial information provider to an Account Aggregator for transferring the same to a financial information user with the explicit consent of the customer, the Account Aggregator shall transfer the same in a secure manner in accordance with the terms of the consent artefact only after verifying the identity of the financial information user.[14] Such information, as well as information which may be provided for transferring to the customer, shall not be used or disclosed by the Account Aggregator or the Financial Information user except as specified in the consent artefact.[15]

Data Security

The Directions specify that the business of an Account Aggregator will be entirely Information Technology (IT) driven and they are required to adopt required IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users.[16] This technology should also be scalable to cover any other financial information or financial information providers as may be specified by the RBI in the future.[17] The IT systems should also have adequate safeguards to ensure they are protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.[18] Information System Audit of the internal systems and processes should be in place and be conducted at least once in two years by CISA certified external auditors whose report is to be submitted to the RBI.[19] The Account Aggregators are prohibited from asking for or storing customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the financial information providers and their access to customer’s information will be based only on consent-based authorisation (for scraping).[20]

Grievance Redressal

The Directions require the Account Aggregator to put in place a policy for handling/ disposal of customer grievances/ complaints, which shall be approved by its Board and also have a dedicated set-up to address customer grievances/ complaints which shall be handled and addressed in the manner prescribed in the policy.[21] The Account Aggregator also has to display the name and details of the Grievance Redressal Officer on its website as well as place of business.[22]

Supervision

The Directions require the Account Aggregators to put in place various internal checks and balances to ensure that the business of the Account Aggregator does not violate any laws or regulations such as constitution of an Audit Committee, a Nomination Committee to ensure the “fit and proper” status of its Directors, a Risk Management Committee and establishment of a robust and well documented risk management framework.[23] The Risk Management Committee is required to (a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities; and b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.[24] Further the RBI also has the power to inspect any Account Aggregator at any time.[25]

Penalties

The Directions themselves do not provide for any penalties for non compliance, however since the Directions are issued under Section 45JA of the Reserve Bank of India Act, 1934 (“RBI Act”), this means that any contravention of these directions will be punishable under Section 58B of the RBI Act which provides for an imprisonment of upto 3 years as well as a fine for any contravention of such directions.

Conclusion

The Directions by the RBI provide a number of regulations and checks on Account Aggregators with the view to ensure safety of customer financial data. These Directions appear to be quite trendsetting in the sense that in most other jurisdictions such as the United States or even Europe there are no specific regulations governing Account Aggregators but their activities are mainly being governed under existing privacy or consumer protection legislations.[26]

The entire regulatory regime for Account Aggregators seems to suggest that the RBI wants Account Aggregators to be like funnels to channel information from various platforms right to the customer (or financial information user) and it does not want to take a chance with the information actually residing with the Account Aggregators. Further, by prohibiting Account Aggregators from accessing user authentication credentials, the RBI is trying to eliminate the possibility of this information being leaked or stolen. Although this may make it more onerous for Account Aggregators to provide their services, it is a great step to ensure the safety and security of customer data.

In recent months the RBI has been trying to actively engage with the various new products being introduced in the financial sector owing to various technological advancements, be it the circular informing the public about the risks of virtual currencies including Bitcoin, the consultation paper on P2P lending platforms or these current guidelines on Account Aggregators. These recent actions of the RBI seem to suggest that the RBI is well aware of various technological advancements in the financial sector and is keeping a keen eye on these technologies and products, but appears to be taking a cautious and weighted approach regarding how to deal with them.

[1] Ann S. Spiotto, Financial Account Aggregation: The Liability Perspective, Fordham Journal of Corporate & Financial Law, 2006, Volume 8, Issue 2, Article 6, available at http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1181&context=jcfl

[2] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=34345

[3] Clause 4.2.2 of the Directions.

[4] Clause 5 of the Directions.

[5] Clause 5 of the Directions.

[6] Clauses 6.1 and 6.2 of the Directions.

[7] Clause 6.4 of the Directions.

[8] Clause 6.3 of the Directions.

[9] Clause 6.5 of the Directions.

[10] Clause 6.6 of the Directions.

[11] Clauses 7.1 and 7.2 of the Directions.

[12] Clauses 7.3 and 7.4 of the Directions.

[13] Clause 7.5 of the Directions.

[14] Clause 7.6.1 of the Directions.

[15] Clause 7.6.2 of the Directions.

[16] Clause 9(a) of the Directions.

[17] Clause 9(c) of the Directions.

[18] Clause 9(d) of the Directions.

[19] Clause 9(f) of the Directions.

[20] Clause 9(b) of the Directions.

[21] Clauses 10.1 and 10.2 of the Directions.

[22] Clause 10.3 of the Directions.

[23] Clauses 12.2, 12.3 and 12.4 of the Directions.

[24] Clause 12.4 of the Directions.

[25] Clause 15 of the Directions.

[26] http://www.canadiancybersecuritylaw.com/2016/07/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/

For more details visit https://cis-india.org/internet-governance/blog/rbi-directions-on-account-aggregators