We are anonymous, we are legion

If MNCs make early inroads, they will keep market share: Sunil Abraham, CIS

praskrishna — 2014-10-24T15:03:03Z

The article by J. Anand was published in the Financial Express on October 23, 2014. Sunil Abraham gave his inputs.

The recent visits of the high-profile CEOs of internet/technology companies have made it clear that India, with its 200-million internet users, is increasingly becoming important for the multinational corporations (MNCs). Bangalore-based Centre for Internet and Society (CIS) is a bit skeptical and feels some of these companies are trying to influence the internet policy-making of the country. Sunil Abraham, executive director of CIS, talks to FE’s Anand J regarding the government’s use of social media, the regulations and the plan for a Digital India. Edited excerpts:

We see a heightened interest in India from technology/internet companies, with their top CEOs visiting the country. What do you think is the reason?

In India, with little domestic competition, if these companies make early inroads, they will be able to keep the market share. The other reason is, the Indian government has made several proposals such as data localisation, mandatory data routing and so on, which have been demonised by the West as something that will balkanise the internet. Because India represents a big market, companies might be indulging in some amount of tokenism in the form of data centres. This is to show the government that they are willing to listen and lead the conversation to an agenda item that they are comfortable with and block some of the more dramatic proposals. The third reason could be that internet penetration might grow dramatically in the country and if the policy levers are moved appropriately, it will grow even more.

What is your stand on the government proposals?

In some ways, I agree with MNCs that some of the government proposals could break the architecture of internet. But then there are other proposals that are completely kosher. The domestic routing of an email if it travels within India is good as it will be difficult for the NSA to intercept then. From an internet design perspective, more fibre is good.

Data localisation though will result in balkanisation and might not yield desirable results. For instance, if you are watching a YouTube video, all the information about the user is stored by Google and all of that is stored outside the country. They might store some of this information as cache in a Google server temporarily. From a surveillance perspective, this user data called metadata is what the NSA might want. Even when it is collected in a local server, it might still be sent upstream.

What about the Indian government doing surveillance then?

There are different views on the surveillance capabilities of the Indian government. Some think that today the Indian government has the capability of engaging in mass surveillance. Others like me think that it can only do targeted surveillance and not mass surveillance. It does not have the infrastructure to pull that off and if it is doing targeted surveillance, it is mostly in compliance with the local laws.

Is the increasing use of social media by the government for its communication with citizens a concern?

If the government uses this private infrastructure to communicate with its citizens, there could be a variety of challenges and complications. First, all of these government communications must be mirrored on the government infrastructure as well. Otherwise, there is a concern around data retention. The government needs to have a copy in case a person goes to RTI for all the government communications to citizens. Secondly, the government is unwittingly becoming the salesperson for these global corporations.

Mark Zuckerberg has said that internet is a human right. Do you agree?

Internet is not a human right according to the UN. TV and Radio were never rights. All the basic human rights are to be protected irrespective of the communication medium of choice and will be legitimate even 100 years from now. The success of telecommunication and internet is market generated. If it becomes a human right, the companies are not delivering a service, but a human right and this complicates the issue. There will be new demands from citizens and litigations by citizens. If everybody demands 1GB every month, state does not have those resources.

India is a phone internet market. Indian internet is tied to Google now. Does the Android dominance — with a market share of around 90% — concern you?

It is hugely worrisome and yet another monopoly. It is not “free” software. From a privacy and national security perspective, it is a terrible development. Considering that it is based on Linux, there should have been several national and international competitors.

Has the era of hetergeneous internet with a million websites passed?

Internet is no longer decentralised; 80% of users’ time is now spent on a few products. And anywhere on internet, ad networks are tracking you. We ended up with the world’s biggest surveillance machine and surveillance is the business model of internet. It is very difficult to change this as we face the inertia of user behaviour.

What do you think of the government’s Digital India plan?

The government can use the billions from the Universal Service Obligation fund for broadband connectivity. The markets cannot handle back haul infrastructure and in most countries, some amount of state investment is necessary. Some of the open access details have to be worked out. The government seems to have a monopoly position in execution. We agree with the vision that every Indian should have a smartphone by 2019 and have a broadband connection too.

What are the regulations you want to see in place in India?

Internet users are currently overregulated with restrictions on what you can say. Let what is illegal offline be illegal online too. And government needs to think of enforceability.

The regulatory infrastructure for the government is limited. We want powerful companies to be regulated and follow global norms. The regulatory best practices are emerging from Europe in terms of competition, privacy, data protection, etc, and we need to follow them.

For more details visit https://cis-india.org/internet-governance/news/financial-express-october-23-2014-j-anand-if-mncs-make-early-inroads-they-will-keep-market-share

The India Conference on Cyber Security and Cyber Governance

praskrishna — 2014-10-13T07:10:19Z

Following the success of CYFY 2013 the CYFY 2014 will be held from October 15 to 17, 2014 in New Delhi. The Centre for Internet and Society is a knowledge partner for this event and Sunil Abraham is participating as a panelist in the session "Privacy is Dead".

Click to download the event details. The event brochure can be downloaded here.

For more details visit https://cis-india.org/internet-governance/news/india-conference-cyber-security-and-cyber-governance

Is India the next frontier for Facebook?

praskrishna — 2014-11-05T00:43:00Z

Pushing to bring hundreds of millions of Indians into the online world, Facebook founder Mark Zuckerberg on Thursday called for expanding his pet project to provide free mobile Internet for developing countries into India.

The article by Rama Lakshmi was published in Washington Post on October 9, 2014. Sunil Abraham was one of the signatories.

Zuckerberg, 30, the billionaire founder of the Facebook empire, arrives in India at a time when Facebook is losing its luster among American teens, but India’s vast market has yet to be fully tapped. A democratic country with a growing economy like India’s, with 1.2 billion people, two-thirds of whom are under the age of 35, is a market the company cannot afford to ignore.

India has the third-largest population of Internet users in the world at 205 million now, ranking after the United States and China. Yet the majority of its rural poor don’t have Internet access, and less than a tenth of its people, about 100 million, are on Facebook.

“Connectivity can’t be restricted to just the rich and powerful,” Zuckerberg said at a conference on connectivity in New Delhi. Rather, he said, it’s a basic “human right.”

Zuckerberg hopes to use his Internet.org connectivity initiative, which he started with a handful of other tech companies in 2013, to expand Indians’ online footprint and promote Facebook. He said the program will set aside $1 million to help develop local language apps for farmers, women and students in developing countries, including India.

In the past year, Zuckerberg said, Internet.org helped nearly 3 million people around the world gain access to the Internet and Facebook by working with cellphone operators in Indonesia, the Philippines, Paraguay, Tanzania and Zambia. In those countries, cellphone users signed up for data plans that included free but limited access to health and job information, Wikipedia, Google — and, of course, Facebook.

About 4.4 billion people in the world have no access to the Internet, and “the offline population is . . . disproportionately rural, low income, elderly, illiterate, and female,” said a report by McKinsey and Facebook. Countries such as Egypt, India and Indonesia face the greatest challenges with respect to incentives and infrastructure, the report said.

“It took 10 years for India to touch 100 million Internet users, but it grew to 200 million in just the last two years,” said Subho Roy, president of the Internet and Mobile Association of India. There are 930 million cellphone users in India today. “Cellphones have acted as the primary driver pushing Internet usage in the last two years,” Roy said.

Researchers note that new users’ first experience on the Internet is often on Facebook.

The free basic services that Facebook has promoted in different countries help cellphone users “to experience the Internet, use some things, to understand why it would be valuable for them and get exposure to other services that they might over time want to pay for,” Zuckerberg said.

But many critics say that commerce is driving Zuckerberg’s push for connectivity rather than philanthropy. They say many new users may not pay for wider Web access and that can create entrenched monopolies for companies like Facebook and Google.

“You are allowing people to roam the walled garden of Internet for free. But if they don’t pay to use unlimited Web access, you are also creating monopolies and blocking competition in the Internet space,” said Sunil Abraham, executive director of the Center for Internet and Society in Bangalore. “But in India, we are so hungry for Internet access that we cannot afford to look a gift horse in the mouth. Until India builds physical Internet infrastructure, this will help us in the short term to get connected.”

Zuckerberg said cellphone operators are free to choose which services they want to include in the package: “There is no rule that says that Facebook or any other company has to be included in this. All we are saying is that this is a model that works to get more people on the Internet.”

And Facebook’s India push is not all about chasing numbers, Zuckerberg said.

“The sheer numbers are obviously a very important part of it,” he said. “If you can do it in a country like India, you are improving hundreds of millions, or maybe a billion, people’s lives, whereas doing it in almost any other country, you wouldn’t be able to have that impact.”

India’s new prime minister, Narendra Modi, a user of social media, has set an ambitious target of building a broadband highway connecting 250,000 village councils across the country in the next three years. Zuckerberg said he will meet Modi on Friday to “see how Facebook can help” in India’s new connectivity drive.

For more details visit https://cis-india.org/internet-governance/news/washington-post-october-9-2014-rama-lakshmi-is-india-the-next-frontier-for-facebook

Training for Internet Governance Activists

praskrishna — 2014-11-07T00:38:55Z

Geetha Hariharan attended a training session for Internet rights activists in Cambridge, organised by Global Partners Digital, UK on September 23 and 24, 2014.

Day 1. Final session was on privacy, surveillance and data protection by Mike Rispoli and Alexandrine Pirlot de Corbion from PI. Got caught up in the discussion, so no notes from that. Of interest is session on communication by Mike - a nine-step process he's outlined (in bold at the very end), and the problem tree and stakeholder mapping approach that Alex spoke of.

Day 2. Great session on the ITU and on lobbying by lobbyist Matthew McDermott of Access Partners. The ITU is a complex beast with activity at multiple levels and different levels of effectiveness at different levels. From conversations, I gathered that any effective strategy for any policy change in Internet governance at the ITU will involve lobbying national governments, and then at sub-regional, regional and global levels.

Day 3. Tim Maurer's session on cyber security. Issues of terminology and politicisation discussed. Also info on in what forums cyber security debate is taking place. The Netherlands is hosting the Global Conference on Cyber Space in April 2015.

Resources

Unedited notes from the meeting can be downloaded here (Zip File, 739 Kb)

For more details visit https://cis-india.org/internet-governance/news/training-for-internet-governance-activists

Big Data and Positive Social Change in the Developing World: A White Paper for Practitioners and Researchers

nishant — 2014-10-01T03:52:35Z

I was a part of a working group writing a white paper on big data and social change, over the last six months. This white paper was produced by a group of activists, researchers and data experts who met at the Rockefeller Foundation’s Bellagio Centre to discuss the question of whether, and how, big data is becoming a resource for positive social change in low- and middle-income countries (LMICs).

Bellagio Big Data Workshop Participants. (2014). “Big data and positive social change in the developing world: A white paper for practitioners and researchers.” Oxford: Oxford Internet Institute. Available online: http://ssrn.com/abstract=2491555.

Summary

Our working definition of big data includes, but is not limited to, sources such as social media, mobile phone use, digitally mediated transactions, the online news media, and administrative records. It can be categorised as data that is provided explicitly (e.g. social media feedback); data that is observed (e.g. mobile phone call records); and data that is inferred and derived by algorithms (for example social network structure or inflation rates). We defined four main areas where big data has potential for those interested in promoting positive social change: advocating and facilitating; describing and predicting; facilitating information exchange and promoting accountability and transparency.

In terms of advocating and facilitating, we discussed ways in which volunteered data may help organisations to open up new public spaces for discussion and awareness-building; how both aggregating data and working across different databases can be tools for building awareness, and howthe digital data commons can also configure new communities and actions (sometimes serendipitously) through data science and aggregation. Finally, we also looked at the problem of overexposure and howactivists and organisations can protect themselves and hide their digital footprints. The challenges we identified in this area were how to interpret data correctly when supplementary information may be lacking; organisational capacity constraints around processing and storing data, and issues around data dissemination, i.e. the possible negative consequences of inadvertently identifying groups or individuals.

Next, we looked at the way big data can help describe and predict, functions which are particularly important in the academic, development and humanitarian areas of work where researchers can combine data into new dynamic, high-resolution datasets to detect new correlations and surface new questions. With data such as mobile phone data and Twitter analytics, understanding the data’s comprehensiveness, meaning and bias are the main challenges, accompanied by the problem of developing new and more comprehensive ethical systems to protect data subjects where data is observed rather than volunteered.

The next group of activities discussed was facilitating information exchange. We looked at mobile-based information services, where it is possible for a platform created around a particular aim (e.g. agricultural knowledge-building) to incorporate multiple feedback loops which feed into both research and action. The pitfalls include the technical challenge of developing a platform which is lean yet multifaceted in terms of its uses, and particularly making it reliably available to low-income users. This kind of platform, addressed by big data analytics, also offers new insights through data discovery and allows the provider to steer service provision according to users’ revealed needs and priorities.

Our last category for big data use was accountability and transparency, where organisations are using crowdsourcing methods to aggregate and analyse information in real time to establish new spaces for critical discussion, awareness and action. Flows of digital information can be managed to prioritise participation and feedback, provide a safe space to engage with policy decisions and expose abuse. The main challenges are how to keep sensitive information (and informants) safe while also exposing data and making authorities accountable; how to make the work sustainable without selling data, and how to establish feedback loops so that users remain involved in the work beyond an initial posting. In the crowdsourcing context, new challenges are also arising in terms of how to verify and moderate real-time flows of information, and how to make this process itself transparent.

Finally, we also discussed the relationship between big and open data. Open data can be seen as a system of governance and a knowledge commons, whereas big data does not by its nature involve the idea of the commons, so we leaned toward the term ‘opening data’, i.e. processes which could apply to commercially generated as much as public-sector datasets. It is also important to understand where to prioritise opening, and where this may exclude people who are not using the ‘right’ technologies: for example, analogue methods (e.g. nailing a local authority budget to a town hall door every month) may be more open than ‘open’ digital data that’s available online.

Our discussion surfaced many questions to do with representation and meaning: must datasets be interpreted by people with local knowledge? For researchers to get access to data that is fully representative, do we need a data commons? How are data proprietors engaging with the power dynamics and inequalities in the research field, and how can civil society engage with the private sector on its own terms if data access is skewed towards elites? We also looked at issues of privacy and risk: do we need a contextual risk perspective rather than a single set of standards? What is the role of local knowledge in protecting data subjects, and what kinds of institutions and practices are necessary? We concluded that there is a case to be made for building a data commons for private/public data, and for setting up new and more appropriate ethical guidelines to deal with big data, since aggregating, linking and merging data present new kinds of privacy risk. In particular, organisations advocating for opening datasets must admit the limitations of anonymisation, which is currently being ascribed more power to protect data subjects than it merits in the era of big data.

Our analysis makes a strong case that it is time for civil society groups in particular to become part of the conversation about the power of data. These groups are the connectors between individuals and governments, corporations and governance institutions, and have the potential to promote big data analysis that is locally driven and rooted. Civil society groups are also crucially important but currently underrepresented in debates about privacy and the rights of technology users, and civil society as a whole has a responsibility for building critical awareness of the ways big data is being used to sort, categorise and intervene in LMICs by corporations, governments and other actors. Big data is shaping up to be one of the key battlefields of our era, incorporating many of the issues civil society activists worldwide have been working on for decades. We hope that this paper can inform organisations and
individuals as to where their particular interests may gain traction in the debate, and what their contribution may look like.

Click to download the full white paper here. (PDF, 1.95 Mb)

For more details visit https://cis-india.org/internet-governance/blog/big-data-and-positive-social-change-in-developing-world

CPDP 2015

praskrishna — 2014-09-30T09:52:52Z

The eighth international conference on computers, privacy and data protection will be held in Brussels from January 21 to 23, 2015. The Centre for Internet and Society is a moral supporter of CPDP.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University and has grown into a platform carried by 20 academic centers of excellence from the EU, the US and beyond. As a world-leading multidisciplinary conference CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. Within an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world in Brussels offering them an arena to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world. CPDP2014 welcomed 854 guests including 343 speakers from 43 different countries dispersed over more than 60 panels which took place during three full days. It attracted another 500 people in several public evening events including debates, a pecha kucha evening and an art exhibition. CPDP2015 aims to repeat the success of last year and will stage panels within the following main topical themes: Data Protection Reform: European and Global Developments, Mobility (mobile technologies, wearable technologies, border surveillance), EU-US developments concerning the regulation of government surveillance, Health, privacy and data protection, Love and lust in the digital age, Internet governance and privacy.

In 2015 CPDP will take place from January 21 to 23, 2015 in the Halles de Schaerbeek, Brussels, Belgium. Registrations are already open: http://www.cpdpconferences.org/Registration.html. For more details see here.

For more details visit https://cis-india.org/internet-governance/news/cpdp-2015

Workshop on Enabling Information Systems for Local Governance

praskrishna — 2014-09-30T08:18:42Z

This event was organized by Jamia Milla Islamia at Tagore Hall in New Delhi on September 18, 2014. Sunil Abraham was a participant.

The One day workshop brings together practitioners, researchers and thinkers from the overlapping fields of IT, sociology and governance to seek mechanisms for involvement of local communities as active participants in information systems for governance. Conventional technological models are based on certain apriori assumptions on how engineers and designers expect people to use technologies as well as the social universe in which the information systems function. Social scientists and ethnographers on the other hand, concern themselves with how people use and interpret technologies and tend to have a better understanding of the role of technologies in the everyday life of users.

The first panel concerns itself with how these two diverse and possibly complementary ways of approaching technologies may synergise as a combined sociotechnical process rather than a purely technological one. Another useful way to understand the information systems as inherently socio-technical amalgamations is to examine the “informational model” – or the concepts, categories, and relationships – underlying the systems.Describing the systems in terms of their informational models enables people who understand issues of governance to speak to technologists on a common platform. Thus, the idea in the second panel is to discuss whether there is a need to rethink the mechanisms for building information models for local governance.

Some of the questions relevant to the workshop are:

What is the role of local communities in information systems for governance? How can local participation in governance be enabled/enhanced?
What are some of the existing applications and mechanisms for creating the concepts, categories, relationships, rules and constraints (the information model) used in building information systems for governance and is there a need to rethink them?

Workshop Program - 18 Sep 2014

9:30-10:00 - Registration

10:00-10:15 - Introduction to the Symposium

10:15-11:45 - Panel 1: Community Participation in IT Processes.

Information systems for governance generally involve many different kinds of users and stakeholders. The presentations in this panel are reflect how the role that these communities play at different stages of the technical process shape the conceptualization and outcomes of these diverse systems.

Atanu Garai (Fellow, Society for New Communications Research, Bubhaneshwar): Mechanisms of Community Enrollment in mHealth

Jagdish Mitra (CEO, CanvasM,A Tech Mahindra Company) – Arriving at Saral Zindagi: A suite of mobile applications to ease consumer life styles.

Chair: Dr Biswajit Das, Director, Centre for Culture Media and Governance (CCMG), Jamia Millia Islamia, New Delhi

Discussant: Dr. Richa Kumar (Department of Humanities and Social Sciences, IIT-Delhi)

11:45-12:00 – Tea/Coffee break

12:00-13:30 - Panel 2: Community Representation in Information Modelling.

This panel describes the (often) implicit "Information Model" underlying IT enabled systems of governance. Making these models explicit also opens up the discussion of how social concepts and categories may be included as part of the model.

Dr Vignesh Ilavarasan P (Department of Management Studies, IIT-Delhi) – Information Models for Service Delivery in the Telecom Sector
Ravi Shukla (CCMG, JMI)–Prototyping Community Participation in Informational Models.
Chair: Dr. Arul Chib (NTU, Singapore)
Discussant: Sunil Abraham (CIS, Bangalore)

1 3:30-14:30 – Lunch

14:30 - 16:00 – Focus Group Workshop - Mechanisms for Community Participation in Information Systems.

The current research with communities around the Jamia Nagar area is taken as a case study. Participants are divided into two groups, the "process" group which is to suggest ways for community involvement in the process, and the "informational model" structure group. Each group is to suggest 5 ways in which communities can participate in IT systems.

List of People in the Second Half (there maybe more/different people):

Atanu Garai, P Vignesh, Ravi Shukla, Arul Chib, Sunil Abraham, Amit Prakash, Vibodh Parthasarathi, Pankaj Aggarwal, Biswajit Das.
Chair: Amit Prakash - I will speak to him beforehand about this.
Introducer: Ravi Shukla (5 Mins) - Q & A (10 mins)
Group Sessions (these can be in different parts of the same room) - it will require writing pads, pens , two white boards and markers/busters. Time is 20 mins.
Group 1 (Processes and Procedures to Involve Communities in Information Systems):

Facilitator: Arul Chib

Participants: Atanu Garai, Pankaj Aggarwal, Vibodh Parthasarthi

This group builds on their own experiences and comes up with 5 suggestions on how the IT process can be made more inclusive. This could mean - what are the different stages at which communities may get involved and how - as well as new ways of involvement.

Group 2 (Inclusion of Communities in Information Models)

Facilitator: Ravi Shukla
Participants: P Vignesh, Sunil Abraham

This group builds on their experiences to come up 5 suggestions on how community voices and concerns may be included in the Information Model. This could mean for instance - how to include minority voices in the model, or other factors of geography, culture, scale and temporality.

After this there are 10 minutes of presentation each by one representative from each group (this gives other people the space to wind-up/present).

This is followed by a summary by the discussant (Arul Chib) followed by discussion and winding up/ thanks giving by VP. (30 + 5 mins)

For more details visit https://cis-india.org/internet-governance/news/workshop-on-enabling-information-systems-for-local-governance

National Consultation on Media Law

praskrishna — 2014-09-30T06:52:50Z

The Law Commission of India and the National University, Delhi have joined hands to organize the National Consultation on Media Law at the India Habitat Centre in New Delhi on September 27 and 28, 2014. Nehaa Chaudhari participated in this event.

Click to view the:

For more details visit https://cis-india.org/internet-governance/news/national-consultation-on-media-law

The Power of Communication: The Media, Public Space and Participatory Democracy

praskrishna — 2014-09-30T05:49:27Z

Bhairav Acharya will be presenting a paper at this event to be held in the Indian Institute of Advanced Study in Shimla on October 13 and 14, 2014.

For more details, see here.

Bhairav would talk about the tension in defamation law, between its deontological command (Kant's categorical imperative of truth) and its consequentialism (harm, to reputation or to public peace).

The talk would explore the utility of our present common law construction of libel; and, if it's not too bold, he hopes to make the case that Indian libel law should incorporate a new test of serious and actual harm as its primary defence to libel, and that the defence of truth should be done away with. This is because Bhairav believes that free speech law should strictly construe Mill's harm principle. In other words, lies and rumours after all, if the state can freely engage in questionable propanganda, people should be allowed to spread baseless rumours — are good for health and should not be criminalised.

Background note

The media has been a growth sector over two decades and more of liberalisation. All evidence points towards the media industry having substantially outrun the overall rate of growth of the economy. This is not surprising since advertising which has been the principal driver of media growth, tends to leave behind other sectors in times of economic buoyancy. Technology has been another powerful driver of media growth over the last two decades. From the first glimmers of satellite broadcasting over the C band which enabled local cable operators to provide a menu of untold variety in the early 1990s, to the recent spurt in the “direct to home” transmissions, the Indian TV scenario has been transformed from a tightly controlled government monopoly, to a state of unregulated proliferation.

A further enabling mechanism has been the rapid growth of internet access. The digital divide remains very much a reality and the numbers that are able to tap into the full potential of the internet, is still a rather small fraction of the total population. The proliferation of cellular telephony though, has made limited modes of access a reality for growing numbers. And the damage potential is at the same time manifest in the growth of the politics of rumour.

It has been a central dilemma of the recent phase of media growth in India that the physical infrastructure has expanded, but the rules of the game are yet to be agreed. The official response has been to put in place a doctrine of intermediary liability, which has had a special bearing on the emerging sector of the social media. This is a principle that is being fought in the court-rooms by well-endowed internet giants. But at the level of individual users, section 66A of the Information Technology Act -- enacted in 2009 – remains a source of peril for social media users.

There are worries often expressed that competition among media channels has fuelled a race to the bottom. “Sting operations” which are by definition illegal unless they serve a strong public interest, have become a common recourse. Respect for privacy and personal reputation has become a rather loosely observed component of the code of media ethics.

Incidents in the recent past when media coverage has been directly paid for by political and business entities have fuelled public concerns about spurious and inauthentic information circulating in the public domain merely to serve profit objectives.

Episodes when the media has amplified public discontent and caused severe stress within the apparatuses of the state, have led to frequent expressions of concern. Serving and retired intelligence officials have remarked on the destabilisation potential of the new social media. And current and past prime ministers have spoken of the need to be vigilant about the use of the social media, but also to ensure that the free speech right is respected and the potential of the new media in serving larger national goals is realised.

The global financial meltdown in September 2008 made deep inroads into the fortunes of the media. The months that followed sharply highlighted the vulnerability of the media industry to corporate pressures. Despite its very loud voice and its pervasive presence in the lives of several million citizens, the media industry is dwarfed by India’s major corporate players. Illustratively, the advertising budget of just one among the leading players in the “fast moving consumer goods” (FMCG) space would be of the same order of magnitude as the total revenue of India’s biggest media groups.

This has been the context in which certain very large corporate entities – possibly among a host of smaller ones – have moved into the media space. The official response to this complex of changes has been marked by fits and spurts, which finally subside into indecision and inaction.

Efforts to transform the state-owned broadcasting agencies into public service media have faltered. And with commercial motives being dominant, large numbers of citizens who are of no conceivable interest to advertisers have fallen between the cracks, losing their voice within the public sphere.
Older experiments in using the official media as a vehicle for transmitting a message of development and diversity, have fallen into obscurity and neglect. While the ambitious experiment of using satellite-enabled broadcast media for developmental objectives is yet to be evaluated, the state-owned media are seen to have not transformed their approach according to the times.

Radio, which could be the most democratic and accessible of broadcast media, remains underdeveloped in its potential because of a refusal by the government to surrender its monopoly over news and current affairs content over the media.

A broad-based and critical debate on media policy, which looks at its promise as a space for participatory democracy, has been sorely lacking. This is in part because media industry players have worked themselves into the vantage position of setting the terms of the discourse. The voices of civil society and in particular, of those who stand to gain the most from a broadening of democratic spaces, have remained unheard.

This is the context in which an event under the above title is proposed at the institute. The ground covered in the event could include:

public understanding and perceptions of the media;
media representations of the “public” – “in” and “out” groups; voices heard and unheard;
“development” as represented in the media and the public space;
the voice afforded to diverse communities in determining development priorities;
the means afforded to diverse communities in voicing their opinion;
how the technical means of getting diverse opinions into the public space have evolved: from print, to the tightly controlled broadcasting space, to the unregulated broadcast space of the 1990s onwards;
securing transparency and public accountability in the media space;
from the perception of the telephone as a luxury irrelevant to the lives of the majority in the country, to its current status as an irreplaceable accessory of everyday life across all categories;
the plus and minus side of the ledger on the new communication possibilities;
the rights to privacy and personal reputation – reconciling these with accountability and the public right to information;
the politics of rumour; the damage potential of rumour and how rumour is also a means of enforcing public accountability;
how efforts to politically manage information invariably prove self-defeating, whether it is in the 1975-77 Emergency or today;
where do we go for a free and democratic media universe.

The event would seek to look back, look at current realities and look ahead to how things could be made better within a democratic order.

For more details visit https://cis-india.org/internet-governance/news/the-power-of-communication-media-public-space-participatory-democracy

Anvar v. Basheer and the New (Old) Law of Electronic Evidence

bhairav — 2014-12-04T15:53:01Z

The Supreme Court of India revised the law on electronic evidence. The judgment will have an impact on the manner in which wiretap tapes are brought before a court.

Read the original published by Law and Policy in India on September 25, 2014.

The case

On 18 September 2014, the Supreme Court of India delivered its judgment in the case of Anvar v. P. K. Basheer (Civil Appeal 4226 of 2012) to declare new law in respect of the evidentiary admissibility of the contents of electronic records. In doing so, Justice Kurian Joseph, speaking for a bench that included Chief Justice Rajendra M. Lodha and Justice Rohinton F. Nariman, overruled an earlier Supreme Court judgment in the 1995 case of State (NCT of Delhi) v. Navjot Sandhu alias Afsan Guru(2005) 11 SCC 600, popularly known as the Parliament Attacks case, and re-interpreted the application of sections 63, 65, and 65B of the Indian Evidence Act, 1872 (“Evidence Act”). To appreciate the implications of this judgment, a little background may be required.

The hearsay rule

The Evidence Act was drafted to codify principles of evidence in the common law. Traditionally, a fundamental rule of evidence is that oral evidence may be adduced to prove all facts, except documents, provided always that the oral evidence is direct. Oral evidence that is not direct is challenged by the hearsay rule and, unless it is saved by one of the exceptions to the hearsay rule, is inadmissible. In India, this principle is stated in sections 59 and 60 of the Evidence Act.

The hearsay rule is both fundamental and complex; a proper examination would require a lengthy excursus, but a simple explanation should suffice. In the landmark House of Lords decision in R v. Sharp [1988] 1 All ER 65, Lord Havers – the controversial prosecutor who went on to become the Lord Chancellor – described hearsay as “Any assertion other than one made by a person while giving oral evidence in the proceedings is inadmissible as evidence of any fact or opinion asserted.” This definition was applied by courts across the common law world. Section 114 of the United Kingdom’s (UK) Criminal Justice Act, 2003, which modernised British criminal procedure, uses simpler language: “a statement not made in oral evidence in the proceedings.”

Hearsay evidence is anything said outside a court by a person absent from a trial, but which is offered by a third person during the trial as evidence. The law excludes hearsay evidence because it is difficult or impossible to determine its truth and accuracy, which is usually achieved through cross examination. Since the person who made the statement and the person to whom it was said cannot be cross examined, a third person’s account of it is excluded. There are a few exceptions to this rule which need no explanation here; they may be left to another post.

Hearsay in documents

The hearsay rule is straightforward in relation to oral evidence but a little less so in relation to documents. As mentioned earlier, oral evidence cannot prove the contents of documents. This is because it would disturb the hearsay rule (since the document is absent, the truth or accuracy of the oral evidence cannot be compared to the document). In order to prove the contents of a document, either primary or secondary evidence must be offered.

Primary evidence of the contents of a document is the document itself [section 62 of the Evidence Act]. The process of compelling the production of a document in court is called ‘discovery’. Upon discovery, a document speaks for itself. Secondary evidence of the contents of a document is, amongst other things, certified copies of that document, copies made by mechanical processes that insure accuracy, and oral accounts of the contents by someone who has seen that document. Section 63 of the Evidence Act lists the secondary evidence that may prove the contents of a document.

Secondary evidence of documentary content is an attempt at reconciling the hearsay rule with the difficulties of securing the discovery of documents. There are many situations where the original document simply cannot be produced for a variety of reasons. Section 65 of the Evidence Act lists the situations in which the original document need not be produced; instead, the secondary evidence listed in section 63 can be used to prove its content. These situations arise when the original document (i) is in hostile possession; (ii) has been stipulated to by the prejudiced party; (iii) is lost or destroyed; (iv) cannot be easily moved, i.e. physically brought to the court; (v) is a public document of the state; (vi) can be proved by certified copies when the law narrowly permits; and (vii) is a collection of several documents.

Electronic documents

As documents came to be digitised, the hearsay rule faced several new challenges. While the law had mostly anticipated primary evidence (i.e. the original document itself) and had created special conditions for secondary evidence, increasing digitisation meant that more and more documents were electronically stored. As a result, the adduction of secondary evidence of documents increased. In the Anvar case, the Supreme Court noted that “there is a revolution in the way that evidence is produced before the court”.

In India before 2000, electronically stored information was treated as a document and secondary evidence of these electronic ‘documents’ was adduced through printed reproductions or transcripts, the authenticity of which was certified by a competent signatory. The signatory would identify her signature in court and be open to cross examination. This simple procedure met the conditions of both sections 63 and 65 of the Evidence Act. In this manner, Indian courts simply adapted a law drafted over one century earlier in Victorian England. However, as the pace and proliferation of technology expanded, and as the creation and storage of electronic information grew more complex, the law had to change more substantially.

New provisions for electronic records

To bridge the widening gap between law and technology, Parliament enacted the Information Technology Act, 2000 (“IT Act”) [official pdf here] that, amongst other things, created new definitions of “data”, “electronic record”, and “computer”. According to section 2(1)(t) of the IT Act, an electronic record is “data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche” (sic).

The IT Act amended section 59 of the Evidence Act to exclude electronic records from the probative force of oral evidence in the same manner as it excluded documents. This is the re-application of the documentary hearsay rule to electronic records. But, instead of submitting electronic records to the test of secondary evidence – which, for documents, is contained in sections 63 and 65, it inserted two new evidentiary rules for electronic records in the Evidence Act: section 65A and section 65B.

Section 65A of the Evidence Act creates special law for electronic evidence:

65A. Special provisions as to evidence relating to electronic record. – The contents of electronic records may be proved in accordance with the provisions of section 65B.

Section 65A of the Evidence Act performs the same function for electronic records that section 61 does for documentary evidence: it creates a separate procedure, distinct from the simple procedure for oral evidence, to ensure that the adduction of electronic records obeys the hearsay rule. It also secures other interests, such as the authenticity of the technology and the sanctity of the information retrieval procedure. But section 65A is further distinguished because it is a special law that stands apart from the documentary evidence procedure in sections 63 and 65.

Section 65B of the Evidence Act details this special procedure for adducing electronic records in evidence. Sub-section (2) lists the technological conditions upon which a duplicate copy (including a print-out) of an original electronic record may be used: (i) at the time of the creation of the electronic record, the computer that produced it must have been in regular use; (ii) the kind of information contained in the electronic record must have been regularly and ordinarily fed in to the computer; (iii) the computer was operating properly; and, (iv) the duplicate copy must be a reproduction of the original electronic record.

Sub-section (4) of section 65B of the Evidence Act lists additional non-technical qualifying conditions to establish the authenticity of electronic evidence. This provision requires the production of a certificate by a senior person who was responsible for the computer on which the electronic record was created, or is stored. The certificate must uniquely identify the original electronic record, describe the manner of its creation, describe the device that created it, and certify compliance with the technological conditions of sub-section (2) of section 65B.

Non-use of the special provisions

However, the special law and procedure created by sections 65A and 65B of the Evidence Act for electronic evidence were not used. Disappointingly, the cause of this non-use does not involve the law at all. India’s lower judiciary – the third tier of courts, where trials are undertaken – is vastly inept and technologically unsound. With exceptions, trial judges simply do not know the technology the IT Act comprehends. It is easier to carry on treating electronically stored information as documentary evidence. The reasons for this are systemic in India and, I suspect, endemic to poor developing countries. India’s justice system is decrepit and poorly funded. As long as the judicial system is not modernised, India’s trial judges will remain clueless about electronic evidence and the means of ensuring its authenticity.

By bypassing the special law on electronic records, Indian courts have continued to apply the provisions of sections 63 and 65 of the Evidence Act, which pertain to documents, to electronically stored information. Simply put, the courts have basically ignored sections 65A and 65B of the Evidence Act. Curiously, this state of affairs was blessed by the Supreme Court in Navjot Sandhu (the Parliament Attacks case), which was a particularly high-profile appeal from an emotive terrorism trial. On the question of the defence’s challenge to the authenticity and accuracy of certain call data records (CDRs) that the prosecution relied on, which were purported to be reproductions of the original electronically stored records, a Division Bench of Justice P. Venkatarama Reddi and Justice P. P. Naolekar held:

According to Section 63, secondary evidence means and includes, among other things, “copies made from the original by mechanical processes which in themselves ensure the accuracy of the copy, and copies compared with such copies”. Section 65 enables secondary evidence of the contents of a document to be adduced if the original is of such a nature as not to be easily movable. It is not in dispute that the information contained in the call records is stored in huge servers which cannot be easily moved and produced in the court. That is what the High Court has also observed at para 276. Hence, printouts taken from the computers/servers by mechanical process and certified by a responsible official of the service-providing company can be led into evidence through a witness who can identify the signatures of the certifying officer or otherwise speak to the facts based on his personal knowledge.

Flawed justice and political expediency in wiretap cases

The Supreme Court’s finding in Navjot Sandhu (quoted above) raised uncomfortable questions about the integrity of prosecution evidence, especially in trials related to national security or in high-profile cases of political importance. The state’s investigation of the Parliament Attacks was shoddy with respect to the interception of telephone calls. The Supreme Court’s judgment notes in prs. 148, 153, and 154 that the law and procedure of wiretaps was violated in several ways.

The Evidence Act mandates a special procedure for electronic records precisely because printed copies of such information are vulnerable to manipulation and abuse. This is what the veteran defence counsel, Mr. Shanti Bhushan, pointed out in Navjot Sandhu [see pr. 148] where there were discrepancies in the CDRs led in evidence by the prosecution. Despite these infirmities, which should have disqualified the evidence until the state demonstrated the absence of mala fide conduct, the Supreme Court stepped in to certify the secondary evidence itself, even though it is not competent to do so. The court did not compare the printed CDRs to the original electronic record. Essentially, the court allowed hearsay evidence. This is exactly the sort of situation that section 65B of the Evidence Act intended to avoid by requiring an impartial certificate under sub-section (4) that also speaks to compliance with the technical requirements of sub-section (2).

When the lack of a proper certificate regarding the authenticity and integrity of the evidence was pointed out, this is what the Supreme Court said in pr. 150:

Irrespective of the compliance of the requirements of Section 65B, which is a provision dealing with admissibility of electronic records, there is no bar to adducing secondary evidence under the other provisions of the Evidence Act, namely, Sections 63 and 65. It may be that the certificate containing the details in sub-section (4) of Section 65B is not filed in the instant case, but that does not mean that secondary evidence cannot be given even if the law permits such evidence to be given in the circumstances mentioned in the relevant provisions, namely, Sections 63 and 65.

In the years that followed, printed versions of CDRs were admitted in evidence if they were certified by an officer of the telephone company under sections 63 and 65 of the Evidence Act. The special procedure of section 65B was ignored. This has led to confusion and counter-claims. For instance, the 2011 case of Amar Singh v. Union of India (2011) 7 SCC 69 saw all the parties, including the state and the telephone company, dispute the authenticity of the printed transcripts of the CDRs, as well as the authorisation itself. Currently, in the case of Ratan Tata v. Union of India Writ Petition (Civil) 398 of 2010, a compact disc (CD) containing intercepted telephone calls was introduced in the Supreme Court without following any of the procedure contained in the Evidence Act.

Returning sanity to electronic record evidence, but at a price

In 2007, the United States District Court for Maryland handed down a landmark decision in Lorraine v. Markel American Insurance Company241 FRD 534 (D. Md. 2007) that clarified the rules regarding the discovery of electronically stored information. In American federal courts, the law of evidence is set out in the Federal Rules of Evidence. Lorraine held when electronically stored information is offered as evidence, the following tests need to be affirmed for it to be admissible: (i) is the information relevant; (ii) is it authentic; (iii) is it hearsay; (iv) is it original or, if it is a duplicate, is there admissible secondary evidence to support it; and (v) does its probative value survive the test of unfair prejudice?

In a small way, Anvar does for India what Lorraine did for US federal courts. In Anvar, the Supreme Court unequivocally returned Indian electronic evidence law to the special procedure created under section 65B of the Evidence Act. It did this by applying the maxim generalia specialibus non derogant (“the general does not detract from the specific”), which is a restatement of the principle lex specialis derogat legi generali (“special law repeals general law”). The Supreme Court held that the provisions of sections 65A and 65B of the Evidence Act created special law that overrides the general law of documentary evidence [see pr. 19]:

Proof of electronic record is a special provision introduced by the IT Act amending various provisions under the Evidence Act. The very caption of Section 65Aof the Evidence Act, read with Sections 59 and 65B is sufficient to hold that the special provisions on evidence relating to electronic record shall be governed by the procedure prescribed under Section 65B ofthe Evidence Act. That is a complete code in itself. Being a special law, the general law under Sections 63 and 65 has to yield.

By doing so, it disqualified oral evidence offered to attest secondary documentary evidence [see pr. 17]:

The Evidence Act does not contemplate or permit the proof of an electronic record by oral evidence if requirements under Section 65B of the Evidence Act are not complied with, as the law now stands in India.

The scope for oral evidence is offered later. Once electronic evidence is properly adduced according to section 65B of the Evidence Act, along with the certificate of sub-section (4), the other party may challenge the genuineness of the original electronic record. If the original electronic record is challenged, section 22A of the Evidence Act permits oral evidence as to its genuineness only. Note that section 22A disqualifies oral evidence as to the contents of the electronic record, only the genuineness of the record may be discussed. In this regard, relevant oral evidence as to the genuineness of the record can be offered by the Examiner of Electronic Evidence, an expert witness under section 45A of the Evidence Act who is appointed under section 79A of the IT Act.

While Anvar is welcome for straightening out the messy evidentiary practice regarding electronically stored information that Navjot Sandhuhad endorsed, it will extract a price from transparency and open government. The portion of Navjot Sandhu that was overruled dealt with wiretaps. In India, the wiretap empowerment is contained in section 5(2)of the Indian Telegraph Act, 1885 (“Telegraph Act”). The Telegraph Act is an inherited colonial law. Section 5(2) of the Telegraph Act was almost exactly duplicated thirteen years later by section 26 of the Indian Post Office Act, 1898. When the latter was referred to a Select Committee, P. Ananda Charlu – a prominent lawyer, Indian nationalist leader, and one of the original founders of the Indian National Congress in 1885 – criticised its lack of transparency, saying: “a strong and just government must not shrink from daylight”.

Wiretap leaks have become an important means of discovering governmental abuse of power, corruption, and illegality. For instance, the massive fraud enacted by under-selling 2G spectrum by A. Raja, the former telecom minister, supposedly India’s most expensive corruption scandal, caught the public’s imagination only after taped wiretapped conversations were leaked. Some of these conversations were recorded on to a CD and brought to the Supreme Court’s attention. There is no way that a whistle blower, or a person in possession of electronic evidence, can obtain the certification required by section 65B(4) of the Evidence Act without the state coming to know about it and, presumably, attempting to stop its publication.

Anvar neatly ties up electronic evidence, but it will probably discourage public interest disclosure of inquity.

Video

For more details visit https://cis-india.org/internet-governance/blog/anvar-v-basheer-new-old-law-of-electronic-evidence

Centre for Internet and Society joins the Dynamic Coalition for Platform Responsibility

jyoti — 2014-10-07T10:54:03Z

The Centre for Internet and Society (CIS) has joined the multistakeholder cooperative engagement amidst stakeholders towards creating Due Diligence Recommendations for online platforms and Model Contractual Provisions to be enshrined in ToS. This blog provides a brief background of the role of dynamic coalitions within the IGF structure, establishes the need for the coalition and provides an update on the action plan and next steps for interested stakeholders.

"Identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations."
Tunis Agenda (Para 72.g)

The first United Nations Internet Governance Forum (IGF), in 2006 saw the emergence of the concept of Dynamic Coalition and a number of coalitions have been established over the years. The IGF is structured to bring together multistakeholder groups to,

"Discuss public policy issues related to key elements of Internet governance in order to foster the sustainability, robustness, security, stability and development of the Internet."
Tunis Agenda (Para 72.a)

While IGF workshops allow various stakeholders to jointly analyse "hot topics" or to examine progress that such issues have undertaken since the previous IGF, dynamic coalitions are informal, issue-specific groups comprising members of various stakeholder groups. With no strictures upon the objects, structure or processes of dynamic coalitions claiming association with the IGF, and no formal institutional affiliation, nor any access to the resources of the IGF Secretariat, IGF Dynamic Coalitions allow collaboration of anyone interested in contributing to their discussions. Currently, there are eleven active dynamic coalitions at the IGF and can be divided into three distinct types—networks, working groups and Birds of Feather (BOFs).

Workshops at the IGF are content specific events that, though valuable in informing participants, are limited in their impact by being confined to the launch of a report or by the issues raised within the conference room. The coalitions on the other hand are expected to have a broader function, acting as a coalescing point for interested stakeholders to gather and analyse progress around identified issues and plan next steps. The coalitions can also make recommendations around issues, however, no mechanism has been developed so far, by which the recommendations can be considered by the plenary body. The long-term nature of coalition is perhaps, most suited to engage stakeholders in heterogeneous groups, towards understanding and cooperating around emerging issues and to make recommendations to inform policy making.

Platform Responsibility

Social networks and other interactive online services, give rise to 'cyber-spaces' where individuals gather, express their personalities and exchange information and ideas. The transnational and private nature of such platforms means that they are regulated through contractual provisions enshrined in the platforms' Terms of Service (ToS). The provisions delineated in the ToS not only extend to users in spite of their geographical location, the private decisions undertaken by platform providers in implementing the ToS are not subject to constitutional guarantees framed under national jurisdictions.

While ToS serve as binding agreement online, an absence of binding international rules in this area despite the universal nature of human rights represented is a real challenge, and makes it necessary to engage in a multistakeholder effort to produce model contractual provisions that can be incorporated in ToS. The concept of 'platform responsibility' aims to stimulate behaviour in platform providers to provide intelligible and solid mechanisms, in line with the principles laid out by the UN Guiding Principles on Business and Human Rights and equip platform users with common and easy-to-grasp tools to guarantee the full enjoyment of their human rights online. The utilisation of model contractual provisions in ToS may prove instrumental in fostering trust in online services for content production, use and dissemination, increasing demand of services and ultimately consumer demand may drive the market towards human rights compliant solutions.

The Dynamic Coalition on Platform Responsibility

To nurture a multi-stakeholder endeavour aimed at the elaboration of model contractual-provisions, Mr. Luca Belli, Council of Europe / Université Paris II, Ms Primavera De Filippi, CNRS / Berkman Center for Internet and Society and Mr Nicolo Zingales, Tilburg University / Center for Technology and Society Rio, initiated and facilitated the creation of the Dynamic Coalition on Platform Responsibility (DCPR). DCPR has over fifty individual and organisational members from civil society organisations, academia, private sector organisations and intergovernmental organisations and held its first meeting at the IGF in Istanbul. The meeting began with an overview of the concept of platform responsibility, highlighting relevant initiatives from Council of Europe, Global Network Initiative, Ranking Digital Rights and the Center for Democracy and Technology have undertaken in this regard. Existing issues such as difficulty in comprehension and lack of standardization of redress across rights were raised along with the fundamental lack of due process in terms of transparency across existing mechanisms.

Online platforms compliance to human rights is often framed around the duty of States to protect human rights and often, Internet companies do not sufficient consideration of the effects of their business practices on users fundamental rights undermining trust.

The meeting focused it efforts with a call to identify issues of process and substance and specific rights and challenges to be addressed by the DCPR. The procedural issues raised concerned 'responsibility' in decision-making e.g., giving users the right to be heard and an effective remedy before an impartial decision-making body, and obtaining their consent for changes in the contractual terms. The concerns raised around substantive rights such as privacy and freedom of expression eg., disclosure of personal information and content removal and need to promote 'responsibility' through establishing concrete mechanisms to deal with such issues.

It was suggested that concept of responsibility including in case of conflict between different rights could be grounded in Human Rights case law eg., from European Court of Human Rights jurisprudence. It was also established that any framework that would evolve from this coalition would consider the distinction between users (eg., adults, children, and people with or without continuous access to the Internet) and platforms (eg., in terms of size and functionality).

Action Plan

The participants at the DCPR meeting agreed to establish a multistakeholder cooperative engagement amidst stakeholders that will go beyond dialogue and produce concrete proposals. Particularly, participants suggested developing:

Due Diligence Recommendations: Recommendations to online platforms with regard to processes of compliance with internationally agreed human rights standards.
Model Contractual Provisions: Elaboration of a set of principles and provisions protecting platform users’ rights and guaranteeing transparent mechanisms to seek redress in case of violations.

DCPR will ground the development of these frameworks in the preliminary step of compilation of existing projects and initiatives dealing with the analysis of ToS compatibility with human rights standards. Members, participants and interested stakeholders are invited to highlight and share relevant initiatives by 10th October regarding:

Processes of due diligence for human rights compliance;
The evaluation of ToS cocompliance with human rights standards;

Further to this compilation, a first recommendation draft regarding online platforms' due diligence will be circulated on the mailing list by 30th October 2014. CIS will be contributing to the drafting which will be led and elaborated by the DCPR coordinators. This draft will be open for comments via the DCPR mailing list until 30th November 2014 and we encourage you to sign up to the mailing list (http://lists.platformresponsibility.info/listinfo/dcpr).

A second draft will be developed compiling the comments expressed via the mailing-list and shared for comments by 10 December 2014. The final version of the recommendation will be drafted by 30 December. Subsequently, the first set of model contractual provisions will be elaborated building upon such recommendation. A call for inputs will be issued in order to gather suggestions on the content of these provisions.

For more details visit https://cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility

Report on CIS' Workshop at the IGF:'An Evidence Based Framework for Intermediary Liability'

jyoti — 2014-09-24T10:47:30Z

An evidence based framework for intermediary liability' was organised to present evidence and discuss ongoing research on the changing definition, function and responsibilities of intermediaries across jurisdictions.

The discussion from the workshop will contribute to a comprehensible framework for liability, consistent with the capacity of the intermediary and with international human-rights standards.

Electronic Frontier Foundation (USA), Article 19 (UK) and Centre for Internet and Society (India) have come together towards the development of best practices and principles related to the regulation of online content through intermediaries. The nine principles are: Transparency, Consistency, Clarity, Mindful Community Policy Making, Necessity and Proportionality in Content Restrictions, Privacy, Access to Remedy, Accountability, and Due Process in both Legal and Private Enforcement. The workshop discussion will contribute to a comprehensible framework for liability that is consistent with the capacity of the intermediary and with international human-rights standards. The session was hosted by Centre for Internet and Society (India) and Centre for Internet and Society, Stanford (USA) and attended by 7 speakers and 40 participants.

Jeremy Malcolm, Senior Global Policy Analyst EFF kicked off the workshop highlighting the need to develop a liability framework for intermediaries that is derived out of an understanding of their different functions, their role within the economy and their impact on human rights. He went on to structure the discussion which would follow to focus on ongoing projects and examples that highlight central issues related to gathering and presenting evidence to inform the policy space.

Martin Husovec from the International Max Planck Research School for Competition and Innovation, began his presentation, tracking the development of safe harbour frameworks within social contract theory. Opining that safe harbour was created as a balancing mechanism between a return of investments of the right holders and public interest for Internet as a public space, he introduced emerging claims that technological advancement have altered this equilibrium. Citing injunctions and private lawsuits as instruments, often used against law abiding intermediaries, he pointed to the problem within existing liability frameoworks, where even intermediaries, who diligently deal with illegitimate content on their services, can be still subject to a forced cooperation to the benefit of right holders. He added that for liability frameworks to be effective, they must keep pace with advances in technology and are fair to right holders and the public interest.

He also pointed that in any liability framework because the ‘law’ that prescribes an interference, must be always sufficiently clear and foreseeable, as to both the meaning and nature of the applicable measures, so it sufficiently outlines the scope and manner of exercise of the power of interference in the exercise of the rights guaranteed. He illustrated this with the example of the German Federal Supreme Court attempts with Wi-Fi policy-making in 2010. He also raised issues of costs of uncertainty in seeking courts as the only means to balance rights as they often, do not have the necessary information. Similarly, society also does not benefit from open ended accountability of intermediaries and called for a balanced approach to regulation.

The need for consistency in liability regimes across jurisdictions, was raised by Giancarlo Frosio, Intermediary Liability Fellow at Stanford's Centre for Internet and Society. He introduced the World Intermediary Liability Map, a project mapping legislation and case law across 70 countries towards creating a repository of information that informs policymaking and helps create accountability. Highlighting key takeaways from his research, he stressed the necessity of having clear definitions in the field of intermediary liability and the need to develop taxonomy of issues to deepen our understanding of the issues at stake towards an understanding of type of liability appropriate for a particular jurisdiction.

Nicolo Zingales, Assistant Professor of Law at Tilburg University highlighted the need for due process and safeguards for human rights and called for more user involvement in systems that are in place in different countries to respond to requests of takedown. Presenting his research findings, he pointed to the imbalance in the way notice and takedown regimes are structured, where content is taken down presumptively, but the possibility of restoring user content is provided only at a subsequent stage or not at all in many cases. He cited several examples of enhancing user participation in liability mechanisms including notice and notice, strict litigation sanction inferring the knowledge that the content might have been legal and shifting the presumption in favor of the users and the reverse notice and takedown procedure. He also raised the important question, if multistakeholder cooperation is sufficient or adequate to enable the users to have a say and enter as part of the social construct in this space? Reminding the participants of the failure of the multistakeholder agreement process regarding the cost for the filters in the UK, that would be imposed according to judicial procedure, he called for strengthening our efforts to enable users to get more involved in protecting their rights online.

Gabrielle Guillemin from Article 19 presented her research on the types of intermediaries and models of liability in place across jurisdictions. Pointing to the problems associated with intermediaries having to monitor content and determine legality of content, she called for procedural safeguards and stressed the need to place the dispute back in the hands of users and content owners and the person who has written the content rather than the intermediary. She goes on to provide some useful and practically-grounded solutions to strengthen existing takedown mechanisms including, adding details to the notices, introducing fees in order to extend the number of claims that are made and defining procedure regards criminal content.

Elonnai Hickok introduced CIS' research to the UNESCO report Fostering Freedom Online: the Role of Internet Intermediaries, comparing a range of liability models in different stages of development and provisions across jurisdictions. She argued for a liability framework that tackles procedural and regulatory uncertainty, lack of due process, lack of remedy and varying content criteria.

Francisco Vera, Advocacy Director, Derechos Digitales from Chile raised issues related to mindful community policy-making expounding on Chile's implementation of intermediary liability obligation with the USA, the introduction of judicial oversight under Chilean legislation which led to US objection to Chile on grounds of not fulfilling their standards in terms of Internet property protection. He highlighted the tensions that arise in balancing the needs of the multiple communities and interests engaged over common resources and stressed the need for evidence in policy-making to balance the needs of rights holders and public interest. He stressed the need for evidence to inform policy-making and ensure it keeps pace with technological developments citing the example of the ongoing Transpacific Partnership Agreement negotiations that call for exporting provisions DMCA provisions to 11 countries even though there is no evidence of the success of the system for public interest. He concluded by cautioning against the development of frameworks that are or have the potential to be used as anti-competitive mechanisms that curtail innovation and therby do not serve public interest.

Malcolm Hutty associated with the European Internet Service Providers Association, Chair of the Intermediary Reliability Committee and London Internet Exchange brought in the intermediaries' perspective into the discussion. He argued for challenging the link between liability and forced cooperation, understated the problems arising from distinction without a difference and incentives built in within existing regimes. He raised issues arising from the expectancy on the part of those engaged in pre-emptive regulation of unwanted or undesirable content for intermediaries to automate content. Pointing to the increasing impact of intermediaries in our lives he underscored how exposing vast areas of people's lives to regulatory enforce, which enhances power of the state to implement public policy in the public interest and expect it to be executed, can have both positive and negative implications on issues such as privacy and freedom of expression.

He called out practices in regulatory regimes that focus on one size fits all solutions such as seeking automating filters on a massive scale and instead called for context and content specific solutions, that factor the commercial imperatives of intermediaries. He also addressed the economic consequences of liability frameworks to the industry including cost effectiveness of balancing rights, barriers to investments that arise in heavily regulated or new types of online services that are likely to be the targeted for specific enforcement measures and the long term costs of adapting old enforcement mechanisms that apply, while networks need to be updated to extend services to users.

The workshop presented evidence of a variety of approaches and the issues that arise in applying those approaches to impose liability on intermediaries. Two choices emerged towards developing frameworks for enforcing responsibility on intermediaries. We could either rely on a traditional approach, essentially court-based and off-line mechanisms for regulating behaviour and disputes. The downside of this is it will be slow and costly to the public purse. In particular, we will lose a great deal of the opportunity to extend regulation much more deeply into people's lives so as to implement the public interest.

Alternatively, we could rely on intermediaries to develop and automate systems to control our online behaviour. While this approach does not suffer from efficiency problems of the earlier approach it does lack, both in terms of hindering the developments of the Information Society, and potentially yielding up many of the traditionally expected protections under a free and liberal society. The right approach lies somewhere in the middle and development of International Principles for Intermediary Liability, announced at the end of the workshop, is a step closer to the developing a balanced framework for liability.

See the transcript on IGF website.

For more details visit https://cis-india.org/internet-governance/report-on-cis-workshop-at-igf

Re-Wiring Women's Rights Debates in the Digital Age

praskrishna — 2015-02-12T17:07:32Z

IT for Change in partnership with Kutch Mahila Vikas Sangathan and ANANDI organized this event on September 13 and 14, 2014. Rohini Lakshane participated as a speaker.

Website:
http://www.itforchange.net/ITfC_Course_Re-wiring_womens_rights/index.php/Agenda

Speakers List:
http://www.itforchange.net/ITfC_Course_Re-wiring_womens_rights/index.php/Session_speakers

Video

For more details visit https://cis-india.org/internet-governance/news/re-wiring-women-rights-debates-in-digital-age

Biometrics: An ‘Angootha Chaap’ nation?

Mukta Batra — 2014-09-19T06:12:17Z

This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes.

Introduction

Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,[1] and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.[2] Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.[3]

The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.

Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.

There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. [4]

Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.

This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use policy are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.

Unreliability of Biometric Data

Biometric data has been qualified as being unreliable.[5] It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint[6] and nutritional deficiencies mar the iris. Even experts working with the UIDAI[7] admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.

Biometric Data Collection under the UID Scheme

In the current structure of the scheme, collected biometric information is stored by, and vests with the UIDAI for an undefined period. The data if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.[8]

The below chart delineates the process followed for the collection of biometrics under the UID Scheme:

Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.

In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:

1. Lack of clear legal authority and procedure for collection of biometrics: The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an ad-hoc manner when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law[9] and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.

2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules: The National Identification Authority of India (NIAI) Bill[10] confers the National Information Authority of India (NOT THE UIDAI) with the power to pass rules to collect biometric data and to prescribe standards for collection.[11] This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.

3. Collection of biometric data only with implied consent: Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.[12]

4. Collection of biometric data outsourced to third party: Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.[13] The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward, they relate to the entity’s structure and previous experiences with small projects.[14] Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedure in place or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.[15] This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, who is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the document.[16]

5. Biometric data is admittedly vulnerable to sale and leakage: In an ongoing case in the Supreme Court of India, the national Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.[17] To quote from the counter-affidavit ‘..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’[18] Anyone who has registered for either UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.

Data collection under the NPR Scheme

The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme[19] are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:

DATA FLOW PROCESS

Flaws in the collection of biometric data under the NPR scheme

Compulsion: Registration in the NPR is legally mandated and individuals who fail to do so can face penalty. As a note, arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe penalty, whereas the Act does not. [20] A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.
Duplicity: Duplicity is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second, under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril for their data falls into the hands of the UIDAI.
Biometric data collectors under the NPR scheme empanelled by the UIDAI: The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.[21] Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies[22], making the fear of targeted marketing even more likely.
Public display and verification: Under the NPR scheme, the biometric and demographic information and UID number of registrants is publicly displayed in their local area for verification.[23] However, it is a violation of privacy to have sensitive personal data, such as biometrics put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.
Smart Card: The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear as to whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level encryption and how the data will be stored on the chip.

‘Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete

The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.

Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance to implementation. In line with this, the enactment of a legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.

Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.

Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.

The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.

Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, inter-alia, disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.[24]

Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.[25] A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.

Conclusion

The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is likelihood that they will use this data for marketing.

We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.

[1] https://portal.uidai.gov.in/uidwebportal/dashboard.do accesed: 21 August, 2014

[2] As of January 2013, only 25 RTI requests were made to the UIDAI http://uidai.gov.in/rti/rti-requests.html accessed: 21 August, 2014

[3] DIT-NPR Management Information System accessed: 22 August, 2014 http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx

[4] Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html

[5] Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc

[6] Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1

[7]M. Vatsa, et.al, “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study” , accessed: 13 August, 2014 https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf

[8] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[9] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[10] National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf

[11] Clause 23 of the NIAI Bill, 2010

[12]The UID Enrollment form, accessed: 26 August, 2014 http://uidai.gov.in/images/uid_download/enrolment_form.pdf

[13] Documents filed and relied on in Puttuswamy v Union of India

[14] Request for empanelment, accessed: 28 August, 2014. http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf

[15] This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India

[16] An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.

[17] Counter Affidavit filed in the Supreme Court of India on behalf on New Delhi in K. Puttuswamy v Union of India

It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.

[18] Para. 48 in the Counter Affidavit filed by NCR Delhi.

[19] Affidavit in K. Puttuswamy v Union of India.

See also: FAQs: Enrollment Agencies, accessed 22 August, 2014 http://uidai.gov.in/faq.html?catid=37

[20] Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3

[21] RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf

[22] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[23] http://censusindia.gov.in/2011-Common/IntroductionToNpr.html, accessed: 26 August, 2014

[24] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[25] R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation

UID and NPR: Towards Common Ground

Mukta Batra — 2014-10-15T13:06:40Z

The UID (Unique Identification) and NPR (National Population Register) are both government identity schemes that aggregate personal data, including biometric data for the provision of an identification factor, and aim to link them with the delivery of public utility services.

The differences between the two exist in terms of collection of data, the type of identification factor issued, authorities involved and the outcome.

Despite the differences, there has been talk of combining the two schemes because of the overlap.[1] In the same breath, it has been argued that the two schemes are incompatible. [2]

One of the UIDAI’s (Unique Identification Authority of India) functions is to harmonize the two schemes. [3]

As it stands, the schemes are distinct. Enrolment for a UID does not lead to automatic enrolment in the NPR. The NPR website expressly states that even if a data subject has undergone census or has been granted a UID Number, it is necessary to visit a data collection centre to provide biometric data for the NPR.[4]

UID and NPR: The Differences

The Basis of identity/ Unit of Survey

The most striking difference between the UID and NPR Schemes is their notion of identity. The UID is individual based, whereas the NPR scheme focuses on the household or the family as a composite unit. Thus, the UID seeks to enroll individuals while the NPR seeks to gather data of the members of a household or family as a composite unit during the census and later register each person for an NPR Card, on the basis of the census data. To this extent, analysis of the data gathered from the two schemes will be different and will require differing analytical tools. The definition of the data subject and the population is different. In one scheme, the unit is an individual; in the other it is the household/family. Though the family is the composite unit in the NPR, the data is finally extracted it is unpaired to provide individuals NPR cards, but the family based association is not lost and it is argued that this household association of NPR should be used to calculate and provide subsidies. Some states have put on hold transfer of cooking gas subsidy, which is calculated for each household, through Aadhar-linked bank accounts.[5] If both schemes were merged, the basis for determining entitlement to subsidies would be non-uniform.

Differences in Information Collection

The UID and NPR have different procedures for collection of information. In the UID scheme, all data is collected in data collection centres whereas NPR data is collected door to door in part and in collection centres for the other part.

UID data is collected by the UIDAI themselves or by private parties, under contract. These contractors are private parties: often, online marketing service providers.[6] The data subjects were initially allowed registration through an introducer and without any documentation. This was replaced with the verification system where documents were to be produced for registration for UID.

The NPR involves a dual collection process- the first stage is the door-to-door collection of data as part of the Census. This information is collected through questionnaire. No supporting documents/ proof is produced to verify this data. The verification happens at a later stage, through public display of the information. This data is digitized. The data subjects are then to give their biometric data at the data collection centres, on the production of the census slip. The biometric data collectors are parties who are empanelled by the UIDAI and are eligible to collect data under the UID Scheme. A subject’ s data is aggregated and then de-duplicated by the UIDAI. [7]

This shows two points of merger. It can be suggested that when data is collected for the UID number, then the subject should not have to give their biometrics for the NPR Scheme again. The sharing of biometrics across the schemes will reduce cost and redundancy. While sharing of UID data with NPR is feasible, the reverse is not true, since UID is optional and NPR is not. If NPR data is to be shared with UID, then the subject has the right to refuse. However, the consent for using NPR data for the UID is a default YES in the UID form. [8] Prohibiting the information sharing is no option.

Differences in Stated Purposes

The NPR is linked to citizenship status. The NPR exercise is being conducted to create a national citizen register and to assist in identifying and preventing illegal immigration. The NPR card, a desired outcome, is aimed to be a conduit for transactions relating to subsidies and public utilities.[9] So is the UID Number, which was created to provide the residents of India an identity. The linkage and provision of subsidies through the NPR and UID cards have not taken off on a large scale and there is a debate as to which will be more appropriate for direct benefit transfer, with some leaders proclaiming that the NPR scheme is more suited to direct benefit transfer.[10] Since the UID Number is linked to direct benefit transfer, but not to citizenship, benefits such as those under the MNREGA scheme, may be availed by non-citizens as well, though only citizens are eligible for the scheme.[11]

C. Chandramouli, the Registrar General and Census Commissioner of India, states that the conflict between the two schemes is only perceived, and results from a poor understanding of the differences in objective. The NPR, he states is created to provide national security through the creation of a citizen register, starting with a register of residents after authentication and verification of the residence of the subjects. On the other hand, the UID exercise is to provide a number that will be used to correctly identify a person.[12]

Difference in Legal Sanctity

The UIDAI was set up through an executive notification, which dictates a few of its responsibility, including: assigning a UID number, collating the UID and NPR schemes, laying down standards for interlinking with partner databases and so on. However, the UIDAI has not expressed responsibility to collect, or authorize collection of data under this scheme. The power to authorize the collection of biometrics is vested with the National Identification Authority of India (NIAI), which will be set up under the National Identification Authority of India Bill, (NIAI Bill, which is at times referred to as the UID Bill).

The NPR Scheme has been created pursuant to the 2004 Amendment of the Citizenship Act. Under S. 14A of the Citizenship Act, the central government has the power to compulsorily register citizens for an Identity Card. This gives the NPR exercise sanctity. However, no authority to collect biometric information has been given either under this Act or Rules framed under it.

Future of Aadhaar

The existence of both the UID and NPR Schemes leads to redundancy. Therefore, many have advocated for their merger. This seems impractical, as the standards in collection and management of data are not the same.

For some time, it was thought that the Aadhaar Scheme would be scrapped. This belief was based on the present government’s opposition to the scheme during and before the election. This was further strengthened by the fact that they did not expressly mention the continuance of the scheme in their manifesto. The Cabinet Committee on UIDAI was disbanded and the enrolment for the UID Number was stopped, only to be resumed a short while later.[13]

However, recent events show that the Aadhaar scheme will continue. First, the new government has stated that the UID scheme will continue. In support of the UID Scheme, the government has made budgetary allocation for the scheme to enable, inter-alia, it being sped-up. The Government even intends to enact a law to give the scheme sanctity. [14]

Second, the Government is assigning the UID Number new uses. To track attendance of government employees, the Government shall use a biometric attendance system, which is linked to the employees UID Number. [15] The attendance will be uploaded onto a website, to boost transparency.

Third, direct benefit transfers under the UID will become more vigorous.

The UID is already necessary for registration under the NPR, which is compulsory.

Providing one’s UID Number for utilities such as cooking gas is also compulsory in several areas, despite the Courts diktat that it should not be so.[16]

Conclusion

The government is in favour of continuing both the schemes. Therefore, it is unlikely that either scheme will be scrapped or that the two schemes will be combined. The registration for UID is becoming compulsory by implication as it is required for direct benefit transfers and for utilities. Data collected under NPR is being shared with the UIDAI by default, when one registers for a UID number. However, the reverse is unlikely, as the UID collects secondary data, whereas NPR requires primary data, which it collects through physical survey and authentication. Perhaps the sharing of data could be incorporated when one goes to the data collection centre to submit biometrics for the NPR. The subject could fill in the UID form and submit verification documents at this stage, completing both exercises in one go. This will drastically reduce the combined costs of the two exercises.

[1] Rajesh Aggarwal, Merging UID and NPR???, Igovernment, accessed 5 September, 2014 http://www.igovernment.in/igov/opinion/41631/merging-npr-uid; Bharti Jain, Rajnath Hints at Merger of NPR and Aadhar, Times of India, accessed 5 September, 2014 http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms

[2] Raju Rajagopal, The Aadhar-NPR Conundrum, Mint, accessed 5 September, 2014 http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html .

[3] Cl, 4 of the Notification on the creation o fthe UIDAI, No. A-43011/02/2009-Admin.1 of the Planning Commission of India, dated 28 January, 2009

[4] FAQ for NPR, accessed: 3 September, 2014. http://censusindia.gov.in/2011-Common/FAQs.html

[5] A Jolt for Aadhar: UPA Shouldn’t Have to Put on Hold its Only Good Idea,Business Standard, accessed 5 September, 2014 http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html

[6] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[7] NPR Activities, accessed 5 September, 2014, http://ditnpr.nic.in/NPR_Activities.aspx

[8] R. Dinakaran, NPR and Aadhar- A Confused Process, The Hindu BusinessLine, accessed: 4 September, 2014 http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece

[9] More than sixty-five thousand NPR cards have been issued and biometric data of more than twenty-five lakh people has been captured, as on 28 August, 2014 http://censusindia.gov.in

[10] NPR, not Aadhaar, best tool for cash transfer: BJP's Sinha, accessed: 3 September, http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033

[11] Bharati Jain, NDA's national ID cards may kill UPA's Aadhaar, accessed 3 September, 2014 http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms

[12] Id.

[13] Aadhar Enrolment Drive Begins Again, accessed 3 Spetember, 2014 http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms

[14] Mahendra Singh, Modi govt to give legal backing to Aadhaar, Times of India, http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms

[15] Narendra Modi Government to Launch Website to Track Attendance of Central Government Employees, DNA, accessed: 4 September, 2014 http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684

[16] No gas supply without Aadhaar card, Deccan Chronicle, accessed: 4 September, 2014, http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card

Note: This is an anonymous post.

For more details visit https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground