We are anonymous, we are legion

UID: A Data Subject's Registration Tale

Mukta Batra — 2014-09-11T09:05:07Z

A person who registered for UIDAI shares their experience of registering for the UID Number, on the condition of anonymity.

The registration process begins with filling a form, which has a verification clause at the end. This is a statement that the data, including biometric data, is correct and is that of the registrant. The presence of the word ‘biometric’ in relation to the verification creates tacit consent in the collection of biometric data.

The data subject registered for the UID number as several utilities were being linked to the UID number at that time.

The data subject pointed out three areas for concern: (i) optional data was being collected under protest; (ii) the subjects documents were being taken out of their sight for scanning; (iii) the ownership of data.

While registering for the UID number, data subjects have a choice not to link their bank numbers to bank accounts and to utilities such as gas connections. This data subject noticed that the data operator linked these by default and the data subject had to specifically request the de-linking. The data operator did not inform the data subject of the choice not to link the UID with these services. If this is the state of affairs for the conscious registrant, it is unlikely that those who cannot read will be informed of their right to choice. Their information will then be inadvertently linked and they will be denied the right to opt out of the linkage.

This data subject additionally noted that their right to refuse to provide optional data on the registration form was blatantly disregarded by the enrolling agency. Despite protests against providing this information, the enroller forcibly entered information such as ‘ward number’, which was optional. The enroller justified these actions - stating: the company will cut our salary. Unfortunately, registrants do not know who the data collection company is.

Where the data subjects do not know who collects their data and where it is going, there can be no accountability.

This incident seems to show that the rules on personal information are being violated. The right to know: the identity and address of the entity collecting the data,[1] the purpose of data collection,[2] the restrictions on data use[3] and the right not to disclose sensitive personal data [4] are all granted by the Information Technology Rules. Data subjects also have the right to be informed about the intended recipients[5] and the entities that will retain the data. [6] The data collector has failed to perform its corresponding duty to make such disclosures and has arguably limited the control of data subjects over their privacy.

If this is what other UID registrations are like, then perhaps it is time to modify the process of data handling and processing. The law should be implemented better and amended to enable better implementation either through greater state intervention or severe liability when personal information is improperly handled.

[1] R.4(3)(d) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[2] R. 4(3)(b) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[3] R. 4(7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[4] R. 4 (7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[5] R. 4 (3) (c) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[6] R.4(3)(d) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/uid-a-data-subjects-registration-tale

Colonial yoke or bureaucratic insouciance?

praskrishna — 2014-09-08T04:21:23Z

‘Blame the British’ is an oft-invoked argument when the subject of India’s outdated laws comes up for discussion. But 68 years since Independence, can we still afford to parrot that old line?

The article by Vidya Venkat (With additional reporting by K.T. Sangameswaran in Chennai) was published in the Hindu on September 7, 2014. Pranesh Prakash gave his inputs.

Moiz Tundawala, a doctoral researcher in law at the London School of Economics and Political Science, feels that it is unfair to blame just the colonial hangover when several opportunities for reforming the legal system in India have been wasted by bureaucrats and judges. He points to Section 377 of the Indian Penal Code (IPC) as an example.

“This law pronounces illegal carnal intercourse against the order of nature, making criminals of gays and transgender persons. But why was a progressive judgment of the Delhi High Court, which struck off this section, upturned later by the Supreme Court? If we continue to bear the burden of colonial era laws, we only have ourselves to blame,” he said.

Though the Constitution-making exercise in India was inspired by the British and other western systems, it was nevertheless an independent process. But the same did not happen with the laws in India that were handed down from the British, Mr. Tundawala said. He felt that several laws enacted in the post-colonial era smacked of a colonial mindset. “Take for instance laws such as the Terrorist and Disruptive Activities (Prevention) Act, the Unlawful Activities Prevention Act, or the Armed Forces Special Powers Act. All of them aim to control and subjugate a population with little regard for their democratic aspirations. So what this country needs is a radical overhaul of the judicial and criminal justice system.”

If we continue to bear the burden of colonial era laws, we only have ourselves to blame.

The Indian Telegraph Act, 1885, continues to presume the state to be the primary owner of telecommunications networks, though the sector was privatised long ago. “The provisions on surveillance in this Act are from a colonial era and are heavy-handed, allowing for spying even without a court warrant. Up until 1998, it spoke of ‘the Provinces’ in some provisions instead of ‘India,’” Pranesh Prakash, Policy Director, Centre for Internet and Society, said.

The Police Act, 1861, is another law that has often been criticised for perpetuating colonial-era institutional practices. Despite numerous commissions and Supreme Court orders advocating reform measures, progress in changing this law has been slow. Lawyer-activist Maja Daruwala, who heads the Commonwealth Human Rights Initiative, New Delhi, said those in establishment were very comfortable with the policing law and the power that it gave them. “When governments find it convenient to use policing as a means to hold down the population, why would they bother to amend it?”

Ms. Daruwala said the main fault lay with the definition of police duties and the overall structure and the spirit of the law itself. “The police in India are often accused of bias against certain communities, such as Dalits and tribal people. This is because the issue of need for diversity in policing in a democratic country such as India has not been addressed by the law. In the U.K., the design of the policing law changed gradually with the changing needs of the population, but this has not been the case here,” she said.

Section 124-A of the IPC on sedition is another provision in the statute book that is seen as promoting the colonial mindset. Several instances of the abuse of sedition law exist in independent India. In 2010, for instance, the BJP government in Chhattisgarh used the law against activist Binayak Sen for which he was imprisoned, only to be let off by the Supreme Court later which found him innocent. S. Prabakaran, Member, Bar Council of India, and president of the Tamil Nadu Advocates’ Association, said it was shameful that India continued to keep the law that was decried by none other than Mahatma Gandhi. “This law was brought in by the British to quell the Independence movement in India. Why have we not bothered to repeal it?”

Efforts to reform the criminal justice system have been fraught with challenges. The Justice Malimath committee, set up in 2000, had recommended reforms in the system, which were met with resistance from the human rights lobby. Cautioning the present government against any sweeping changes that would tinker with the basic structure of the law, V. Suresh, national general secretary, People’s Union for Civil Liberties, said: “The Malimath committee failed in its mission because it involved an effort to change the entire structure of the law itself, which upholds presumption of innocence, burden of proof on the state, and rules on admissible evidence, in order to improve conviction rates. No doubt, it was met with resistance by the legal fraternity as the idea was to do away with essential checks and balances in the legal system.”

For more details visit https://cis-india.org/internet-governance/news/vidya-venkat-the-hindu-september-7-2014-colonial-yoke-or-bureaucratic-insouciance

CIS@IGF 2014

geetha — 2014-10-08T10:31:47Z

The ninth Internet Governance Forum (“IGF2014”) was hosted by Turkey in Istanbul from September 2 to 5, 2014.

A BestBits pre-event, which saw robust discussions on renewal of the IGF mandate, the NETmundial Initiative and other live Internet governance processes, flagged off a week of many meetings and sessions. At IGF2014, the ICANN-led processes of IANA transition and ICANN accountability found strong presence. Human rights online, access and net neutrality were also widely discussed. Centre for Internet and Society, India participated in multiple workshops and panels.

Workshops and Panel Discussions

WS206: An evidence-based framework for intermediary liability
CIS organized a workshop on developing an evidence-based framework for intermediary liability in collaboration with the Stanford Center for Internet and Society. By connecting information producers and consumers, intermediaries serve as valuable tool for growth and innovation, and also a medium for realisation of human rights. The workshop looked to a concerted approach to understanding intermediaries’ impact on human rights demands our urgent attention. Jyoti Panday of CIS was contributed to the workshop’s background paper and organisation. Elonnai Hickok of CIS was a speaker. At this workshop, a zero-draft of international principles for intermediary liability was released. The zero-draft is the interim outcome of an ongoing, global intermediary liability project, undertaken by CIS in collaboration with Article 19 and Electronic Frontier Foundation. See the video.

WS112: Implications of post-Snowden Internet localization proposals
Organised by ISOC and Center for Democracy and Technology, this panel questioned the distinctions between Internet-harmful and Internet-beneficial Internet and data localization. As a speaker at this workshop, Sunil Abraham of CIS identified state imperatives for Internet localization, such as taxation, network efficiency and security. See video.

WS63: Preserving a universal Internet: Costs of fragmentation
Internet and Jurisdiction Project organized this workshop to explore potential harms to Internet architecture, universality and openness as a result of Internet balkanisation. Sunil Abraham was one of the speakers.

WS2: Mobile, trust and privacy
Organised by GSMA, this panel discussed methods, benefits and harms of use of mobile transaction generated information and data. Sunil Abraham was a speaker. See video.

WS188: Transparency reporting as a tool for Internet governance
This GNI workshop examined transparency reporting by Internet intermediaries and companies, and sought to identify its strengths and shortcomings as a tool for Internet governance. Pranesh Prakash of CIS was a speaker. See video.

WS149: Aligning ICANN policy with the privacy rights of users
This Yale ISP panel examined ICANN’s obligations for data protection, in light of international standards and best practices. This discussion is particularly relevant as ICANN’s WHOIS policy, Registrar Accreditation Agreement, and other policies have attained the status of a global standard for the handling of personal data. Pranesh Prakash moderated this panel.

Other Participation

Launch of the GISWatch Report

Association for Progressive Communications (APC) and the Humanist Institute for Cooperation with Developing Countries (Hivos) released the Global Information Society Watch Report (GISWatch) on national and global mass surveillance. The report “explores the surveillance of citizens in today's digital age by governments with the complicity of institutions and corporations”. Elonnai Hickok of CIS contributed a thematic chapter on Intermediary Liability and Surveillance to this report.

For more details visit https://cis-india.org/internet-governance/blog/cis-at-igf-2014

The Aadhaar Case

vipul — 2014-09-05T09:12:21Z

In 2012 a writ petition was filed by Justice K.S. Puttaswamy in the Supreme Court of India challenging the policy of the government in making an Aadhaar card for every person in India and its later plans to link various government benefit schemes to the same.

Over time a number of other cases have been filed in the Supreme Court challenging the Aadhaar mechanism and/or its procedure most of which have now been linked to the main petition filed by Justice Puttaswamy.[1] This means that the Supreme Court now hears all these cases together (i.e. at the same time) since they throw up similar questions and involve the same or similar issues. The court while hearing the case made an interim order on September 23, 2013 whereby it ordered that no person should suffer on account of not having an Aadhaar card and that Aadhaar cards should not be issued to any illegal immigrants. The relevant extract from the Order of the court is reproduced below:

"No person should suffer for not getting the Aadhaar card in spite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar card voluntarily, it may be checked whether that person is entitled for it under the law and it should not be given to any illegal immigrant."[2]

It must be noted that the above order was only an interim measure taken by the Supreme Court till the time it finally decided all the issues involved in the case, which is still pending in the Supreme Court.

In November 2013 during one of the hearings of the matter, the Supreme Court came to the conclusion that it was an important enough matter for all the states and union territories to be impleaded as parties to the case and passed an order to this effect.[3] This was probably because the Aadhaar cards will be issued in the entire country and this is a national issue and therefore it is possible that the court thought that if any of the states have any concerns regarding the issue they should have the opportunity to present their case.

In another petition filed by the Unique Identification Authority of India (UIDAI), the Supreme Court on March 24, 2014 reiterated its earlier order and held that no person shall be deprived of any service just because such person lacked an aadhaar number if he/she was otherwise eligible for the service. A direction was issued to all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.[4] After passing these orders the Supreme Court linked this case as well to the petition filed by Justice Puttaswamy on which final arguments were being heard in February 2014 which so far do not seem to have concluded.

Note : Please note that the case is still being heard by the Supreme Court and the orders given so far and explained in this blog are all interim measures till the case is finally disposed off. The status of the cases can be seen on the following link:

http://courtnic.nic.in/supremecourt/casestatus_new/caseno_new_alt.asp

The names and number of the cases that have been covered in this blog are given below:

W.P(C) No. 439 of 2012 titled S. Raju v. Govt. of India and Others pending before the D.B. of the High Court of Judicature at Madras.
PIL No. 10 of 2012 titled Vickram Crishna and Others v. UIDAI and Others pending before the High Court of Judicature at Bombay.
W.P. No. 833 of 2013 titled Aruna Roy & Anr v. Union of India & Ors.
W.P. No. 829 of 2013 titled S.G. Vombatkere & Anr v. Union of India & Ors.
Petition(s) for Special Leave to Appeal (Crl) No(s).2524/2014 titled Unique Identification Authority of India & another v. Central Bureau of Investigation.

All the above cases have now been linked with the ongoing Supreme Court case of K. Puttaswamy v. Union of India.

[1] W.P(C) No. 439 of 2012 titled S. Raju v. Govt. of India and Others pending before the D.B. of the High Court of Judicature at Madras and PIL No. 10 of 2012 titled Vickram Crishna and Others v. UIDAI and Others pending before the High Court of Judicature at Bombay were transferred to the Supreme Court vide Order dated September 23, 2013. Also W.P. No. 833 of 2013 titled Aruna Roy & Anr Vs Union of India & Ors, W.P. No. 829 of 2013 titled S G Vombatkere & Anr Vs Union of India & Ors and Petition(s) for Special Leave to Appeal (Crl) No(s).2524/2014 titled Unique Identification Authority of India & another v. Central Bureau of Investigation.

[2] http://judis.nic.in/temp/494201232392013p.txt

[3] http://judis.nic.in/temp/4942012326112013p.txt

[4] http://courtnic.nic.in/supremecourt/temp/sr%20252414p.txt

For more details visit https://cis-india.org/internet-governance/blog/the-aadhaar-case

Mobile, Trust and Privacy

praskrishna — 2014-10-05T09:21:15Z

Sunil Abraham was a speaker at the event organized by GSM Association on September 4, 2014.

More consumers now use their mobiles to go online to access information and services. Mobile plays a central role in driving economic growth and social opportunities. However, it is important that people can interact and access services in a trusted and secure environment that protects their online privacy.
Increasingly, mobile ecosystems acquire consumers’ data by default, while smartphones broadcast data by default. These ‘default’ positions challenge current data protection and privacy legal frameworks, and consumers’ ability to manage their privacy and online identities.
A key ingredient for strengthening trust in a mobile connected world is a user-centred privacy framework that applies to all digital and identity services whether in retail, healthcare, government, banking or any other sector.
The GSMA recently published global research showing trust matters and that mobile users want better transparency and choice over how their personal data are used. They also expect all companies accessing their data to treat their privacy consistently.
This workshop aims to bring together leading representatives from a broad spectrum of stakeholder groups to discuss privacy-related issues and ways to enhance mobile users’ trust.
Questions to address include:

How can citizens – in both developed and developing countries – benefit from the responsible use of mobile-derived data?
What are the key emerging issues and challenges of a mobile hyper-connected world?
How can we ensure secure and trusted identities online?
eds to be done to ensure consumers are able to access services in private, trusted and secure ways?
What are the respective roles of law and industry self-regulation in enhancing trust?

For full details see the IGF website.

For more details visit https://cis-india.org/internet-governance/news/mobile-trust-and-privacy

Preserving a Universal Internet: The Costs of Fragmentation

praskrishna — 2014-10-05T09:05:39Z

Sunil Abraham was a speaker at this event organized by OECD and Centre for International Governance Innovation on September 3, 2014.

As Internet governance and Internet-related public policy issues rise to the top of the international political agenda, a variety of states are exploring measures that may lead, deliberately or inadvertently, to Internet fragmentation. Such measures include (but are not limited to) those intended to prevent or mitigate harms associated with digital connectivity, as well as measures intended to capture economic benefits resulting from online activity, such as implementing alternate models for monetizing the exchange of Internet traffic or taxation or imposing fees on online activity. Extreme efforts entail the creation of entirely separate national Internet analogues with limited or non-existent connectivity to the World Wide Web. Other efforts include extensive firewall and censorship schemes and “opt-in” regimes that, for example, require individuals to explicitly declare their intent to view adult material online.

The effectiveness of such approaches to reducing digital harm and capturing economic benefits is unclear and can pose potential risks to the end-to-end accessibility of the Internet. This workshop will focus on this latter set of issues, by attempting to scope the magnitude of the costs of Internet fragmentation. Detailed cost estimates require a great deal of economic and other research, outside the scope of an IGF workshop; however, there is value in setting the framework for such a research and policy agenda. Panelists will be invited to speak to these issues according to the nature of their expertise. The panel includes technical experts, economic policy analysts, diplomatic practitioners, Internet governance practitioners, experts in international development, and entrepreneurs.

Agenda
Panel introduction by the moderator
Introductory remarks by each panelist
Panel moderator to pose a set of questions to the panel
Moderator will open the floor to questions from attendees and remote participants
Concluding remarks by the panelists
Moderator to conclude the panel

For full details see the IGF website

For more details visit https://cis-india.org/internet-governance/news/preserving-a-universal-internet

Implications of post-Snowden Internet Localization Proposals

praskrishna — 2014-10-05T08:59:27Z

Sunil Abraham was a speaker in this workshop organized by Center for Democracy and Technology on September 2, 2014.

Following the 2013-2014 disclosures of large-scale pervasive surveillance of Internet traffic, various proposals to "localize" Internet users' data and change the path that Internet traffic would take have started to emerge.

Examples include mandatory storage of citizens' data within country, mandatory location of servers within country (e.g. Google, Facebook), launching state-run services (e.g. email services), restricted transborder Internet traffic routes, investment in alternate backbone infrastructure (e.g. submarine cables, IXPs), etc.

Localization of data and traffic routing strategies can be powerful tools for improving Internet experience for end-users, especially when done in response to Internet development needs. On the other hand, done uniquely in response to external factors (e.g. foreign surveillance), less optimal choices may be made in reactive moves.

How can we judge between Internet-useful versus Internet-harmful localisation and traffic routing approaches? What are the promises of data localization from the personal, community and business perspectives? What are the potential drawbacks? What are implications for innovation, user choice and the availability of online services in the global economy? What impact might they have on a global and interoperable Internet? What impact (if any) might these proposals have on user trust and expectations of privacy?

The objective of the session is to gather diverse perspectives and experiences to better understand the technical, social and economic implications of these proposals.

For full details see the IGF website.

For more details visit https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals

Zero Draft of Content Removal Best Practices White Paper

jyoti — 2014-09-10T07:11:09Z

EFF and CIS Intermediary Liability Project is aimed towards the creation of a set of principles for intermediary liability in consultation with groups of Internet-focused NGOs and the academic community.

The draft paper has been created to frame the discussion and will be made available for public comments and feedback. The draft document and the views represented here are not representative of the positions of the organisations involved in the drafting.

http://tinyurl.com/k2u83ya

3 September 2014

Introduction

The purpose of this white paper is to frame the discussion at several meetings between groups of Internet-focused NGOs that will lead to the creation of a set of principles for intermediary liability.

The principles that develop from this white paper are intended as a civil society contribution to help guide companies, regulators and courts, as they continue to build out the legal landscape in which online intermediaries operate. One aim of these principles is to move towards greater consistency with regards to the laws that apply to intermediaries and their application in practice.

There are three general approaches to intermediary liability that have been discussed in much of the recent work in this area, including CDT’s 2012 report called “Shielding the Messengers: Protecting Platforms for Expression and Innovation.” The CDT’s 2012 report divides approaches to intermediary liability into three models: 1. Expansive Protections Against Liability for Intermediaries, 2. Conditional Safe Harbor from Liability, 3. Blanket or Strict Liability for Intermediaries.^[1]

This white paper argues in the alternative that (a) the “expansive protections against liability” model is preferable, but likely not possible given the current state of play in the legal and policy space (b) therefore the white paper supports “conditional safe harbor from liability” operating via a ‘notice-to-notice’ regime if possible, and a ‘notice and action’ regime if ‘notice-to-notice’ is deemed impossible, and finally (c) all of the other principles discussed in this white paper should apply to whatever model for intermediary liability is adopted unless those principles are facially incompatible with the model that is finally adopted.

As further general background, this white paper works from the position that there are three general types of online intermediaries- Internet Service Providers (ISPs), search engines, and social networks. As outlined in the recent draft UNESCO Report (from which this white paper draws extensively);

“With many kinds of companies operating many kinds of products and services, it is important to clarify what constitutes an intermediary. In a 2010 report, the Organization for Economic Co-operation and Development (OECD) explains that Internet intermediaries “bring together or facilitate transactions between third parties on the Internet. They give access to, host, transmit and index content, products and services originated by third parties on the Internet or provide Internet-based services to third parties.”

Most definitions of intermediaries explicitly exclude content producers. The freedom of expression advocacy group Article 19 distinguishes intermediaries from “those individuals or organizations who are responsible for producing information in the first place and posting it online.” Similarly, the Center for Democracy and Technology explains that “these entities facilitate access to content created by others.” The OECD emphasizes “their role as ‘pure’ intermediaries between third parties,” excluding “activities where service providers give access to, host, transmit or index content or services that they themselves originate.” These views are endorsed in some laws and court rulings. In other words, publishers and other media that create and disseminate original content are not intermediaries. Examples of such media entities include a news website that publishes articles written and edited by its staff, or a digital video subscription service that hires people to produce videos and disseminates them to subscribers.

For the purpose of this case study we will maintain that intermediaries offer services that host, index, or facilitate the transmission and sharing of content created by others. For example, Internet Service Providers (ISPs) connect a user’s device, whether it is a laptop, a mobile phone or something else, to the network of networks known as the Internet. Once a user is connected to the Internet, search engines make a portion of the World Wide Web accessible by allowing individuals to search their database. Search engines are often an essential go-between between websites and Internet users. Social networks connect individual Internet users by allowing them to exchange messages, photos, videos, as well as by allowing them to post content to their network of contacts, or the public at large. Web hosting providers, in turn, make it possible for websites to be published and to be accessed online.”^[2]

General Principles for ISP Governance - Content Removals

The discussion that follows below outlines nine principles to guide companies, government, and civil society in the development of best practices related to the regulation of online content through intermediaries, as norms, policies, and laws develop in the coming years. The nine principles are: Transparency, Consistency, Clarity, Mindful Community Policy Making, Necessity and Proportionality in Content Restrictions, Privacy, Access to Remedy, Accountability, and Due Process in both Legal and Private Enforcement. Each principle contains subsections that expand upon the theme of the principle to cover more specific issues related to the rights and responsibilities of online intermediaries, government, civil society, and users.

Principle I: Transparency

“Transparency enables users’ right to privacy and right to freedom of expression. Transparency of laws, policies, practices, decisions, rationale, and outcomes related to privacy and restrictions allow users to make informed choices with respect to their actions and speech online. As such - both governments and companies have a responsibility in ensuring that the public is informed through transparency initiatives.” ^[3]

Government Transparency

In general, governments should publish transparency reports:

As part of the democratic process, the citizens of each country have a right to know how their government is applying its laws, and a right to provide feedback about the government’s legal interpretations of its laws. Thus, all governments should be required to publish online transparency reports that provide information about all requests issued by any branch or agency of government for the removal or restriction of online content. Further, governments should allow for the submission of comments and suggestions by a webform hosted on the same webpage where that government’s transparency report is hosted. There should also be some legal mechanism that requires the government to look at the feedback provided by its citizens, ensure that relevant feedback is passed along to legislative bodies, and provide for action to be taken on the citizen-provided feedback where appropriate. Finally, and where possible, the raw data that constitutes each government’s transparency report should be made available online, for free, in a common file format such as .csv, so that civil society may have easy access to it for research purposes.

Governments should be more transparent about content orders that they impose on ISPs
The legislative process proceeds most effectively when the government knows how the laws that it creates are applied in practice and is able to receive feedback from the public about how those laws should change further, or remain the same. Relatedly, regulation of the Internet is most effective when the legislative and judicial branches are aware of what the other is doing. For all of these reasons, governments should publish information about all of the court orders and executive requests for content removals that they send to online intermediaries. Publishing all of this information in one place necessarily requires that some single entity within the government collects the information, which will have the benefits of giving the government a holistic view of how it is regulating the internet, encouraging dialogue between different branches of government about how best to create and enforce internet content regulation, and encouraging dialogue between the government and its citizens about the laws that govern internet content and their application.

Governments should make the compliance requirements they impose on ISPs public
Each government should maintain a public website that publishes as complete a picture as possible of the content removal requests made by any branch of that government, including the judicial branch. The availability of a public website of this type will further many of the goals and objectives discussed elsewhere in this section. The website should be biased towards high levels of detail about each request and towards disclosure that requests were made, subject only to limited exceptions for compelling public policy reasons, where the disclosure bias conflicts directly with another law, or where disclosure would reveal a user’s PII. The information should be published periodically, ideally more than once a year. The general principle should be: the more information made available, the better. On the same website where a government publishes its ‘Transparency Report,’ that government should attempt to provide a plain-language description of its various laws related to online content, to provide users notice about what content is lawful vs. unlawful, as well as to show how the laws that it enacts in the Internet space fit together. Further, and as discussed in section “b,” infra, government should provide citizens with an online feedback mechanism so that they may participate in the legislative process as it applies to online content.

Governments should give their citizens a way to provide input on these policies
Private citizens should have the right to provide feedback on the balancing between their civil liberties and other public policies such as security that their government engages in on their behalf. If and when these policies and the compliance requirements they impose on online intermediaries are made publicly available online, there should also be a feedback mechanism built into the site where this information is published. This public feedback mechanism could take a number of different forms, like, for example, a webform that allowed users to indicate their level of satisfaction with prevailing policy choices by choosing amongst several radio buttons, while also providing open text fields to allow the user to submit clarifying comments and specific suggestions. In order to be effective, this online feedback mechanism would have to be accompanied by some sort of legal and budgetary apparatus that would ensure that the feedback was monitored and given some minimum level of deference in the discussions and meetings that led to new policies being created.

Government should meet users concerned about its content policies in the online domain. Internet users, as citizens of both the internet and the country their country of origin, have a natural interest in defining and defending their civil liberties online; government should meet them there to extend the democratic process to the Internet. Denying Internet users a voice in the policymaking processes that determine their rights undermines government credibility and negatively influences users’ ability to freely share information online. As such, content policies should be posted in general terms online and users should have the ability to provide input on those policies online.

ISP Transparency
“The transparency practices of a company impact users’ freedom expression by providing insight into the scope of restriction that is taking in place in specific jurisdiction. Key areas of transparency for companies include: specific restrictions, aggregate numbers related to restrictions, company imposed regulations on content, and transparency of applicable law and regulation that the service provider must abide by.”^[4]

“Disclosure by service providers of notices received and actions taken can provide an important check against abuse. In addition to providing valuable data for assessing the value and effectiveness of a N&A system, creating the expectation that notices will be disclosed may help deter fraudulent or otherwise unjustified notices. In contrast, without transparency, Internet users may remain unaware that content they have posted or searched for has been removed pursuant due to a notice of alleged illegality. Requiring notices to be submitted to a central publication site would provide the most benefit, enabling patterns of poor quality or abusive notices to be readily exposed.”^[5] Therefore, ISPs at all levels should publish transparency reports that include:

Government Requests

All requests from government agencies and courts should be published in a periodic transparency report, accessible on the intermediary’s website, that publishes information about the requests the intermediary received and what the intermediary did with them in the highest level of detail that is legally possible. The more information that is provided about each request, the better the understanding that the public will have about how laws that affect their rights online are being applied. That said, steps should be taken to prevent the disclosure of personal information in relation to the publication of transparency reports. Beyond redaction of personal information, however, the maximum amount of information about each request should be published, subject as well to the (ideally minimal) restrictions imposed by applicable law. A thorough Transparency Report published by an ISP or online intermediary should include information about the following categories of requests:

Police and/or Executive Requests
This category includes all requests to the intermediary from an agency that is wholly a part of the national government; from police departments, to intelligence agencies, to school boards from small towns. Surfacing information about all requests from any part of the government helps to avoid corruption and/or inappropriate exercises of governmental power by reminding all government officials, regardless of their rank or seniority, that information about the requests they submit to online intermediaries is subject to public scrutiny.

Court Orders
This category includes all orders issued by courts and signed by a judicial officer. It can include ex-parte orders, default judgments, court orders directed at an online intermediary, or court orders directed at a third party presented to the intermediary as evidence in support of a removal request. To the extent legally possible, detailed information should be published about these court orders detailing the type of court order each request was, its constituent elements, and the actions(s) that the intermediary took in response to it. All personally identifying information should be redacted from any court orders that are published by the intermediary as part of a transparency report before publication.

First Party
Information about court orders should be further broken down into two groups; first party and third party. First party court orders are orders directed at the online intermediary in an adversarial proceeding to which the online intermediary was a party.

Third Party
As mentioned above, ‘third party’ refers to court orders that are not directed at the online intermediary, but rather a third party such as an individual user who posted an allegedly defamatory remark on the intermediary’s platform. If the user who obtains a court order approaches an online intermediary seeking removal of content with a court order directed at the poster of, say, the defamatory content, and the intermediary decides to remove the content in response to the request, the online intermediary that decided to perform the takedown should publish a record of that removal. To be accepted by an intermediary, third party court orders should be issued by a court of appropriate jurisdiction after an adversarial legal proceeding, contain a certified and specific statement that certain content is unlawful, and specifically identify the content that the court has found to be unlawful, by specific, permalinked URL where possible.

This type of court order should be broken out separately from court orders directed at the applicable online intermediary in companies’ transparency reports because merely providing aggregate numbers that do not distinguish between the two types gives an inaccurate impression to users that a government is attempting to censor more content than it actually is. The idea of including first party court orders to remove content as a subcategory of ‘government requests’ is that a government’s judiciary speaks on behalf of the government, making determinations about what is permitted under the laws of that country. This analogy does not hold for court orders directed at third parties- when the court made its determination of legality on the content in question, it did not contemplate that the intermediary would remove the content. As such, the court likely did not weigh the relevant public interest and policy factors that would include the importance of freedom of expression or the precedential value of its decision. Therefore, the determination does not fairly reflect an attempt by the government to censor content and should not be considered as such.

Instead, and especially considering that these third party court order may be the basis for a number of content removals, third party court orders should be counted separately and presented with some published explanation in the company’s transparency report as to what they are and why the company has decided it should removed content pursuant to its receipt of one.

Private-Party Requests
Private-party requests are requests to remove content that are not issued by a government agency or accompanied by a court order. Some examples of private party requests include copyright complaints submitted pursuant to the Digital Millennium Copyright Act or complaints based on the laws of specific countries, such as laws banning holocaust denial in Germany.

Policy/TOS Enforcement
To give users a complete picture of the content that is being removed from the platforms that they use, corporate transparency reports should also provide information about the content that the intermediary removes pursuant to its own policies or terms of service, though there may not be a legal requirement to do so.

User Data Requests
While this white paper is squarely focused on liability for content posted online and best practices for deciding when and how content should be removed from online services, corporate transparency reports should also provide information about requests for user data from executive agencies, courts, and others.

Principle II: Consistency

Legal requirements for ISPs should be consistent, based on a global legal framework that establishes baseline limitations on legal immunity
Broad variation amongst the legal regimes of the countries in which online intermediaries operate increases compliance costs for companies and may discourage them from offering their services in some countries due to the high costs of localized compliance. Reducing the number of speech platforms that citizens have access to limits their ability to express themselves. Therefore, to ensure that citizens of a particular country have access to a robust range of speech platforms, each country should work to harmonize the requirements that it imposes upon online intermediaries with the requirements of other countries. While a certain degree of variation between what is permitted in one country as compared to another is inevitable, all countries should agree on certain limitations to intermediary liability, such as the following:

Conduits should be immune from claims about content that they neither created nor modified
As noted in the 2011 Joint Declaration on Freedom of Expression and the Internet, “[n]o one who simply provides technical Internet services such as providing access, or searching for, or transmission or caching of information, should be liable for content generated by others, which is disseminated using those services, as long as they do not specifically intervene in that content or refuse to obey a court order to remove that content, where they have the capacity to do so (‘mere conduit principle’).”^[6]

Court orders should be required for the removal of content that is related to speech, such as defamation removal requests
In the Center for Democracy and Technology’s Additional Responses Regarding Notice and Action, CDT outlines the case against allowing notice and action procedures to apply to defamation removal requests. They write:

“Uniform notice-and-action procedures should not apply horizontally to all types of illegal content. In particular, CDT believes notice-and-takedown is inappropriate for defamation and other areas of law requiring complex legal and factual questions that make private notices especially subject to abuse. Blocking or removing content on the basis of mere allegations of illegality raises serious concerns for free expression and access to information. Hosts are likely to err on the side of caution and comply with most if not all notices they receive, because evaluating notices is burdensome and declining to comply may jeopardize their protection from liability. The risk of legal content being taken down is especially high in cases where assessing the illegality of the content would require detailed factual analysis and careful legal judgments that balance competing fundamental rights and interests. Intermediaries will be extremely reluctant to exercise their own judgment when the legal issues are unclear, and it will be easy for any party submitting a notice to claim a good faith belief that the content in question is unlawful. In short, the murkier the legal analysis, the greater the potential for abuse.

To reduce this risk, removal of or disablement of access to content based on unadjudicated allegations of illegality (i.e., notices from private parties) should be limited to cases where the content at issue is manifestly illegal – and then only with necessary safeguards against abuse as described above.

CDT believes that online free expression is best served by narrowing what is considered manifestly illegal and subject to takedown upon private notice. With proper safeguards against abuse, for example, notice-and-action can be an appropriate policy for addressing online copyright infringement. Copyright is an area of law where there is reasonable international consensus regarding what is illegal and where much infringement is straightforward. There can be difficult questions at the margins – for example concerning the applicability of limitations and exceptions such as “fair use” – but much online infringement is not disputable.

Quite different considerations apply to the extension of notice-and-action procedures to allegations of defamation or other illegal content. Other areas of law, including defamation, routinely require far more difficult factual and legal determinations. There is greater potential for abuse of notice-and-action where illegality is less manifest and more disputable. If private notices are sufficient to have allegedly defamatory content removed, for example, any person unhappy about something that has been written about him or her would have the ability and incentive to make an allegation of defamation, creating a significant potential for unjustified notices that harm free expression. This and other areas where illegality is more disputable require different approaches to notice and action. In the case of defamation, CDT believes “notice” for purposes of removing or disabling access to content should come only from a competent court after full adjudication.

In cases where it would be inappropriate to remove or disable access to content based on untested allegations of illegality, service providers receiving allegations of illegal content may be able to take alternative actions in response to notices. Forwarding notices to the content provider or preserving data necessary to facilitate the initiation of legal proceedings, for example, can pose less risk to content providers’ free expression rights, provided there is sufficient process to allow the content provider to challenge the allegations and assert his or her rights, including the right to speak anonymously.”^[7]

Principle III: Clarity

All notices that request the removal of content should be clear and meet certain minimum requirements
The Center for Democracy and Technology outlined requirements for clear notices in a notice and action system in response a European Commission public comment period on a revised notice and action regime.^[8] They write:

“Notices should include the following features:

Specificity. Notices should be required to specify the exact location of the material – such as a specific URL – in order to be valid. This is perhaps the most important requirement, in that it allows hosts to take targeted action against identified illegal material without having to engage in burdensome search or monitoring. Notices that demand the removal of particular content wherever it appears on a site without specifying any location(s) are not sufficiently precise to enable targeted action.
Description of alleged illegal content. Notices should be required to include a detailed description of the specific content alleged to be illegal and to make specific reference to the law allegedly being violated. In the case of copyright, the notice should identify the specific work or works claimed to be infringed.
Contact details. Notices should be required to contain contact information for the sender. This facilitates assessment of notices’ validity, feedback to senders regarding invalid notices, sanctions for abusive notices, and communication or legal action between the sending party and the poster of the material in question.
Standing: Notices should be issued only by or on behalf of the party harmed by the content. For copyright, this would be the rightsholder or an agent acting on the rightsholderʼs behalf. For child sexual abuse images, a suitable issuer of notice would be a law enforcement agency or a child abuse hotline with expertise in assessing such content. For terrorism content, only government agencies would have standing to submit notice.
Certification: A sender of a notice should be required to attest under legal penalty to a good-faith belief that the content being complained of is in fact illegal; that the information contained in the notice is accurate; and, if applicable, that the sender either is the harmed party or is authorized to act on behalf of the harmed party. This kind of formal certification requirement signals to notice-senders that they should view misrepresentation or inaccuracies on notices as akin to making false or inaccurate statements to a court or administrative body.
Consideration of limitations, exceptions, and defenses: Senders should be required to certify that they have considered in good faith whether any limitations, exceptions, or defenses apply to the material in question. This is particularly relevant for copyright and other areas of law in which exceptions are specifically described in law.
An effective appeal and counter-notice mechanism. A notice-and-action regime should include counter-notice procedures so that content providers can contest mistaken and abusive notices and have their content reinstated if its removal was wrongful.
Penalties for unjustified notices. Senders of erroneous or abusive notices should face possible sanctions. In the US, senders may face penalties for knowingly misrepresenting that content is infringing, but the standard for “knowingly misrepresenting” is quite high and the provision has rarely been invoked. A better approach might be to use a negligence standard, whereby a sender could be held liable for damages or attorneys’ fees for making negligent misrepresentations (or for repeatedly making negligent misrepresentations). In addition, the notice-and-action system should allow content hosts to ignore notices from senders with an established record of sending erroneous or abusive notices or allow them to demand more information or assurances in notices from those who have in the past submitted erroneous notices. (For example, hosts might be deemed within the safe harbor if they require repeat abusers to specifically certify that they have actually examined the alleged infringing content before sending a notice).”^[9]

All ISPs should publish their content removal policies online and keep them current as they evolve
The UNESCO report states, by way of background, that “[c]ontent restriction practices based on Terms of Service are opaque. How companies remove content based on Terms of Service violations is more opaque than their handling of content removals based on requests from authorized authorities. When content is removed from a platform based on company policy, [our] research found that all companies provide a generic notice of this restriction to the user, but do not provide the reason for the restriction. Furthermore, most companies do not provide notice to the public that the content has been removed. In addition, companies are inconsistently open about removal of accounts and their reasons for doing so.”^[10]

There are legitimate reasons why an ISP may want to have policies that permit less content, and a narrower range of content, than is technically permitted under the law, such as maintaining a product that appeals to families. However, if a company is going to go beyond the minimal legal requirements in terms of content that it must restrict, the company should have clear policies that are published online and kept up-to-date to provide its users notice of what content is and is not permitted on the company’s platform. Notice to the user about the types of content that are permitted encourages her to speak freely and helps her to understand why content that she posted was taken down if it must be taken down for violating a company policy.

When content is removed, a clear notice should be provided in the product that explains in simple terms that content has been removed and why
This subsection works in conjunction with “ii,” above. If content is removed for any reason, either pursuant to a legal request or because of a violation of company policy, a user should be able to learn that content was removed if they try to access it. Requiring an on-screen message that explains that content has been removed and why is the post-takedown accompaniment to the pre-takedown published online policy of the online intermediary: both work together to show the user what types of content are and are not permitted on each online platform. Explaining to users why content has been removed in sufficient detail may also spark their curiosity as to the laws or policies that caused the content to be removed, resulting in increased civic engagement in the internet law and policy space, and a community of citizens that demands that the companies and governments it interacts with are more responsive to how it thinks content regulation should work in the online context.

The UNESCO report provides the following example of how Google provides notice to its users when a search result is removed, which includes a link to a page hosted by Chilling Effects:^[11]

“When search results are removed in response to government or copyright holder demands, a notice describing the number of results removed and the reasons for their removal is displayed to users (see screenshot below) and a copy of the request to the independent non-proft organization ChillingEffects.org, which archives and publishes the request. When possible the company also contacts the website’s owners.”^[12]

This is an example of the message that is displayed when Google removes a search result pursuant to a copyright complaint.^[13]

Requirements that governments impose on intermediaries should be as clear and unambiguous as possible
Imposing liability on internet intermediaries without providing clear guidance as to the precise type of content that is not lawful and the precise requirements of a legally sufficient notice encourages intermediaries to over-remove content. As Article 19 noted in its 2013 report on intermediary liability:

“International bodies have also criticized ‘notice and takedown’ procedures as they lack a clear legal basis. For example, the 2011 OSCE report on Freedom of Expression on the internet highlighted that: Liability provisions for service providers are not always clear and complex notice and takedown provisions exist for content removal from the Internet within a number of participating States. Approximately 30 participating States have laws based on the EU E-Commerce Directive. However, the EU Directive provisions rather than aligning state level policies, created differences in interpretation during the national implementation process. These differences emerged once the national courts applied the provisions.

These procedures have also been criticized for being unfair. Rather than obtaining a court order requiring the host to remove unlawful material (which, in principle at least, would involve an independent judicial determination that the material is indeed unlawful), hosts are required to act merely on the say-so of a private party or public body. This is problematic because hosts tend to err on the side of caution and therefore take down material that may be perfectly legitimate and lawful. For example, in his report, the UN Special Rapporteur on freedom of expression noted:

[W]hile a notice-and-takedown system is one way to prevent intermediaries from actively engaging in or encouraging unlawful behavior on their services, it is subject to abuse by both State and private actors. Users who are notiﬁed by the service provider that their content has been ﬂagged as unlawful often has little recourse or few resources to challenge the takedown. Moreover, given that intermediaries may still be held ﬁnancially or in some cases criminally liable if they do not remove content upon receipt of notiﬁcation by users regarding unlawful content, they are inclined to err on the side of safety by overcensoring potentially illegal content. Lack of transparency in the intermediaries’ decision-making process also often obscures discriminatory practices or political pressure affecting the companies’ decisions. Furthermore, intermediaries, as private entities, are not best placed to make the determination of whether a particular content is illegal, which requires careful balancing of competing interests and consideration of defenses.”^[14]

Considering the above, if liability is to be imposed on intermediaries for certain types of unlawful content, the legal requirements that outline what is unlawful content and how to report it must be clear. Lack of clarity in this area will result in over-removal of content by rational intermediaries that want to minimize their legal exposure and compliance costs. Over-removal of content is at odds with the goals of freedom of expression.

The UNESCO Report made a similar recommendation, stating that; “Governments need to ensure that legal frameworks and company policies are in place to address issues arising out of intermediary liability. These legal frameworks and policies should be contextually adapted and be consistent with a human rights framework and a commitment to due process and fair dealing. Legal and regulatory frameworks should also be precise and grounded in a clear understanding of the technology they are meant to address, removing legal uncertainty that would provide opportunity for abuse.”^[15]

Similarly, the 2011 Joint Declaration on Freedom of Expression and the Internet states:

“Consideration should be given to insulating fully other intermediaries, including those mentioned in the preamble, from liability for content generated by others under the same conditions as in paragraph 2(a). At a minimum, intermediaries should not be required to monitor user-generated content and should not be subject to extrajudicial content takedown rules which fail to provide sufficient protection for freedom of expression (which is the case with many of the ‘notice and takedown’ rules currently being applied).”^[16]

Principle IV: Mindful Community Policy Making

“Laws and regulations as well as corporate policies are more likely to be compatible with freedom of expression if they are developed in consultation with all affected stakeholders – particularly those whose free expression rights are known to be at risk.”^[17] To be effective, policies should be created through a multi-stakeholder consultation process that gives voice to the communities most at risk of being targeted for the information they share online. Further, both companies and governments should embed an ‘outreach to at-risk communities’ step into both legislative and policymaking processes to be especially sure that their voices are heard. Finally, civil society should work to ensure that all relevant stakeholders have a voice in both the creation and revision of policies that affect online intermediaries. In the context of corporate policymaking, civil society can use strategies from activist investing to encourage investors to make the human rights and freedom of expression policies of Internet companies’ part of the calculus that investors use to decide where to place their money. Considering the above;

Human rights impact assessments, considering the impact of the proposed law or policy on various communities from the perspectives of gender, sexuality, sexual preference, ethnicity, religion, and freedom of expression, should be required before:
New laws are written that govern content issues affecting ISPs or conduct that occurs primarily online
“Protection of online freedom of expression will be strengthened if governments carry out human rights impact assessments to determine how proposed laws or regulations will affect Internet users’ freedom of expression domestically and globally.”^[18]

Intermediaries enact new policies
“Protection of online freedom of expression will be strengthened if companies carry out human rights impact assessments to determine how their policies, practices, and business operations affect Internet users’ freedom of expression. This assessment process should be anchored in robust engagement with stakeholders whose freedom of expression rights are at greatest risk online, as well as stakeholders who harbor concerns about other human rights affected by online speech.”^[19]

Multi-stakeholder consultation processes should precede any new legislation that will apply to content issues affecting online intermediaries or online conduct
“Laws and regulations as well as corporate policies are more likely to be compatible with freedom of expression if they are developed in consultation with all affected stakeholders – particularly those whose free expression rights are known to be at risk.”^[20]

Civil society and public interest groups should encourage responsible investment in companies who implement policies that reflect best practices for internet intermediaries
“Over the past thirty years, responsible investors have played a powerful role in incentivizing companies to improve environmental sustainability, supply chain labor practices, and respect for human rights of communities where companies physically operate. Responsible investors can also play a powerful role in incentivizing companies to improve their policies and practices affecting freedom of expression and privacy by developing metrics and criteria for evaluating companies on these issues in the same way that they evaluate companies on other “environmental, social, and governance” criteria.”^[21]

Principle V: Necessity and Proportionality in Content Restriction

Content should only be restricted when there is a legal basis for doing so, or the removal is performed in accordance with a clear, published policy of the ISP
As CDT outlined in its 2012 intermediary liability report, “[a]ctions required of intermediaries must be narrowly tailored and proportionate, to protect the fundamental rights of Internet users. Any actions that a safe-harbor regime requires intermediaries to take must be evaluated in terms of the principle of proportionality and their impact on Internet users’ fundamental rights, including rights to freedom of expression, access to information, and protection of personal data. Laws that encourage intermediaries to take down or block certain content have the potential to impair online expression or access to information. Such laws must therefore ensure that the actions they call for are proportional to a legitimate aim, no more restrictive than is required for achievement of the aim, and effective for achieving the aim. In particular, intermediary action requirements should be narrowly drawn, targeting specific unlawful content rather than entire websites or other Internet resources that may support both lawful and unlawful uses.”^[22]

When content must be restricted, it should be restricted in the most minimal way possible (i.e., prefer domain removals to IP-blocking)
There are a number of different ways that access to content can be restricted. Examples include hard deletion of the content from all of a company’s servers, blocking the download of an app or other software program in a particular country, blocking the content on all IP addresses affiliated with a particular country (“IP-Blocking”), removing the content from a particular domain of a product (i.e., removing from a link from the .fr version of a search engine that remains accessible on the .com version), blocking content from a ‘version’ of an online product that is accessible through a ‘country’ or ‘language’ setting on that product, or some combination of the last three options (i.e., an online product that directs the user to a version of the product based on the country that their IP address is coming from, but where the user can alter a URL or manipulate a drop-down menu to show her a different ‘country version’ of the product, providing access to content that may otherwise be inaccessible).

While almost all of the different types of content restrictions described above can be circumvented by technical means such as the use of proxies, IP-cloaking, or Tor, the average internet user does not know that these techniques exist, much less how to use them. Of the different types of content restrictions described above, a domain removal, for example, is easier for an individual user to circumvent than IP-Blocked content because you only have to change the URL of the product you are using to, i.e. “.com” to see content that has been locally restricted. To get around an IP-block, you would have to be sufficiently savvy to employ a proxy or cloak your true IP address.

Therefore, the technical means used to restrict access to controversial content has a direct impact on the magnitude of the actual restriction on speech. The more restrictive the technical removal method, the fewer people that will have access to that content. To preserve access to lawful content, online intermediaries should choose the least restrictive means of complying with removal requests, especially when the removal request is based on the law of a particular country that makes certain content unlawful that is not unlawful in other countries. Further, when building new products and services, intermediaries should built in removal capability that minimally restricts access to controversial content.

If content is restricted due to its illegality in a particular country, the geographical scope of the content restriction should be as minimal as possible
Building on the discussion in “ii,” supra, a user should be able to access content that is lawful in her country even if it is not lawful in another country. Different countries have different laws and it is often difficult for intermediaries to determine how to effectively respond to requests and reconcile the inherent conflicts that result. For example, content that denies the holocaust is illegal in certain countries, but not in others. If an intermediary receives a request to remove content based on the laws of a particular country and determines that it will comply because the content is not lawful in that country, it should not restrict access to the content such that it cannot be accessed by users in other countries where the content is lawful. To respond to a request based on the law of a particular country by blocking access to that content for users around the world, or even users of more than one country, essentially allows for extraterritorial application of the laws of the country that the request came from. While it is preferable to standardize and limit the legal requirements imposed on online intermediaries throughout the world, to the extent that this is not possible, the next-best option is to limit the application of laws that are interpreted to declare certain content unlawful to the users that live in that country. Therefore, intermediaries should choose the technical means of content restriction that is most narrowly tailored to limit the geographical scope and impact of the removal.

The ability of conduits (telecommunications/internet service providers) to filter content should be minimized to the extent technically and legally possible

The 2011 Joint Declaration on Freedom of Expression and the Internet made the following points about the dangers of allowing filtering technology:

“Mandatory blocking of entire websites, IP addresses, ports, network protocols or types of uses (such as social networking) is an extreme measure – analogous to banning a newspaper or broadcaster – which can only be justified in accordance with international standards, for example where necessary to protect children against sexual abuse.

Content filtering systems which are imposed by a government or commercial service provider and which are not end-user controlled are a form of prior censorship and are not justifiable as a restriction on freedom of expression.

Products designed to facilitate end-user filtering should be required to be accompanied by clear information to end-users about how they work and their potential pitfalls in terms of over-inclusive filtering.”^[23]

In short, filtering at the conduit level is a blunt instrument that should be avoided whenever possible. Similar to how conduits should not be legally responsible for content that they neither host nor modify (the ‘mere conduit’ rule discussed supra), conduits should technically restrict their ability to filter content such that it would be inefficient for government agencies to contact them to have content filtered. Mere conduits are not able to assess the context surrounding the controversial content that they are asked to remove and are therefore not the appropriate party to receive takedown requests. Further, when mere conduits have the technical ability to filter content, they open themselves to pressure from government to exercise that capability. Therefore, mere conduits should limit or not build in the capability to filter content.

Notice and notice, or notice and judicial takedown, should be preferred to notice and takedown, which should be preferred to unilateral removal
Mechanisms for content removal that involve intermediaries acting without any oversight or accountability, or those which only respond to the interests of the party requesting removal, are unlikely to do a very good job at balancing public and private interests. A much better balance is likely to be struck through a mechanism where power is distributed between the parties, and/or where an independent and accountable oversight mechanism exists.

Considered in this way, there is a continuum of content removal mechanisms that ranges from those are the least balanced and accountable, and those that are more so. The least accountable is the unilateral removal of content by the intermediary without legal compulsion in response to a request received, without affording the uploader of the content the right to be heard or access to remedy.

Notice and takedown mechanisms fit next along the continuum, provided that they incorporate, as the DMCA attempts to do, an effective appeal and counter-notice mechanism. However where notice and takedown falls down is that the cost and incentive structure is weighted towards removal of content in the case of doubt or dispute, resulting in more content being taken down and staying down than would be socially optimal.

A better balance is likely to be struck by a “notice and notice” regime, which provides strong social incentives for those whose content is reported to be unlawful to remove the content, but does not legally compel them to do so. If legal compulsion is required, a court order must be separately obtained.

Canada is an example of a jurisdiction with a notice and notice regime, though limited to copyright content disputes. Although this regime is now established in legislation, it formalizes a previous voluntary regime, whereby major ISPs would forward copyright infringement notifications received from rightsholders to subscribers, but without removing any content and without releasing subscriber data to the rightsholders absent a court order. Under the new legislation additional record-keeping requirements are imposed on ISPs, but otherwise the essential features of the regime remain unchanged.

Analysis of data collected during this voluntary regime indicates that it has been effective in changing the behavior of allegedly infringing subscribers. A 2010 study by the Entertainment Software Association of Canada (ESAC) found that 71% of notice recipients did not infringe again, whereas a similar 2011 study by Canadian ISP Rogers found 68% only received one notice, and 89% received no more than two notices, with only 1 subscriber in 800,000 receiving numerous notices.^[24] However, in cases where a subscriber has a strong good faith belief that the notice they received was wrong, there is no risk to them in disregarding the erroneous notice – a feature that does not apply to notice and takedown.

Another similar way in which public and private interests can be balanced is through a notice and judicial takedown regime, whereby the rightsholder who issues a notice about offending content must have it assessed by an independent judicial (or perhaps administrative) authority before the intermediary will respond by taking the content down.

An example of this is found in Chile, again limited to the case of copyright.^[25] In response to its Free Trade Agreement with the United States, the system introduced in 2010 is broadly similar to the DMCA, with the critical difference that intermediaries are not required to take material down in order to benefit from a liability safe harbor, until such time as a court order for removal of the material is made. Responsibility for evaluating the copyright claims made is therefore shifted from intermediaries onto the courts.

Although this requirement does impose a burden on the rightsholder, this serves a purpose by disincentivizing the issue of automated or otherwise unjustified notices that are more likely to restrict or chill freedom of expression. In cases where there is no serious dispute about the legality of the content, it is unlikely that the lawsuit would be defended. In any case, the legislation authorizes the court to issue a preliminary injunction on an ex parte basis, on condition of payment of a bond.

Intermediaries should be allowed to charge for the time and expense associated with processing legal requests
As an intermediary, it is time consuming and relatively expensive to understand the obligations that each country’s legal regime imposes on you, and to accurately how each legal request should be handled. Especially for intermediaries without many resources, such as forum operators or owners of home Wifi networks, the costs associated with being an intermediary can be prohibitive. Therefore, it should be within their rights to charge for their compliance costs if they are either below a certain user threshold or can show financial necessity in some way.

Legal requirements imposed on intermediaries should be a floor, not a ceiling- ISPs can adopt more restrictive policies to more effectively serve their users as long as they have published policies that explain what they are doing
The Internet has space for a wide range of platforms and applications directed to different communities, with different needs and desires. A social networking site directed at children, for example, may reasonably want to have policies that are much more restrictive than a political discussion board. Therefore, legal requirements that compel intermediaries to take down content should be seen as a ‘floor,’ but not a ‘ceiling’ on the range and quantity that of content those intermediaries may remove. Intermediaries should retain control over their own policies as long as they are transparent about what those policies are, what type of content the intermediary removes, and why they removed certain pieces of content.

Principle VI: Privacy

It is important to protect the ability of Internet users to speak by narrowing and making less ambiguous the range of content that intermediaries can be held liable for, but it is also very important to make users feel comfortable sharing their view by ensuring that their privacy is protected. Protecting the user’s ability to share her views, especially when those views are controversial or have a direct bearing on important political issues, requires that the user can trust the intermediaries that she uses. This concept can be further broken down into three sub-principles:

The user’s personal information should be protected to the greatest extent possible given the state of the art in encryption, security, and policy
Users will be less willing to speak on important topics if they have legitimate concerns that their data may be taken from them. As stated in the UNESCO Report, “[b]ecause of the amount of personal information held by companies and ability to access the same, a company’s practices around collection, access, disclosure, and retention are key. To a large extent a service provider’s privacy practices are influenced by applicable law and operating licenses required by the host government. These can include requirements for service providers to verify subscribers, collect and retain subscriber location data, and cooperate with law enforcement when requested. Outcome: The implications of companies trying to balance a user’s expectation for privacy with a government’s expectation for cooperation can be serious and are inadequately managed in all jurisdictions studied.”^[26]

Where possible, ISPs should help to preserve the user’s right to speak anonymously
An important aspect of an Internet user’s ability to exercise her right to free expression online is ability to speak anonymously. Anonymous speech is one of the great advances of the Internet as a communications medium and should be preserved to the extent possible. As noted by special rapporteur Frank LaRue, “[i]n order for individuals to exercise their right to privacy in communications, they must be able to ensure that these remain private, secure and, if they choose, anonymous. Privacy of communications infers that individuals are able to exchange information and ideas in a space that is beyond the reach of other members of society, the private sector, and ultimately the State itself. Security of communications means that individuals should be able to verify that only their intended recipients, without interference or alteration, receive their communications and that the communications they receive are equally free from intrusion. Anonymity of communications is one of the most important advances enabled by the Internet, and allows individuals to express themselves freely without fear of retribution or condemnation.”^[27]

The user’s PII should never be sold or used without her consent, and she should always know what is being done with it via an easily comprehensible dashboard
The user’s trust in the online platform that she uses and relies upon is influenced not only by the relationships the intermediary maintains with the government, but also with other commercial entities. A user, who feels that her data will be constantly shared with third parties, perhaps without her consent and/or for marketing purposes, will never feel like she is able to freely express her opinion. Therefore, it is the intermediary’s responsibility to ensure that its users know exactly what information it retains about them, who it shares that information with and under what circumstances, and how to change the way that her data is shared. All of this information should be available on a dashboard that is comprehensible to the average user, and which gives her the ability to easily modify or withdraw her consent to the way her data is being shared, or the amount of data, or specific data, that the intermediary is retaining about her.

Principle VII: Access to Remedy

As noted in the UNESCO Report, “Remedy is the third central pillar of the UN Guiding Principles on Business and Human Rights, placing an obligation both on governments and on companies to provide individuals access to effective remedy. This area is where both governments and companies are almost consistently lacking. Across intermediary types, across jurisdictions and across the types of restriction, individuals whose content is restricted and individuals who wish to access such content are offered little or no effective recourse to appeal restriction decisions, whether in response to government orders, third party requests or in accordance with company policy. There are no private grievance or due process mechanisms that are clearly communicated and readily available to all users, or consistently applied.”^[28]

Any notice and takedown system is subject to abuse, and any company policy that results in the removal of content is subject to mistaken or inaccurate takedowns, both of which are substantial problems that can only be remedied by the ability for users to let the intermediary know when the intermediary improperly removed a specific piece of content and the technical and procedural ability of the intermediary to put the content back. However, the technical ability to reinstate content that was improperly removed may conflict with data retention laws. This conflict should be explored in more detail. In general, however, every time content is removed, there should be:

A clear mechanism through which users can request reinstatement of content
When an intermediary decides to remove content, it should be immediately clear to the user that content has been removed and why it was removed (see discussion of in-product notice, supra). If the user disagrees with the content removal decision, there should be an obvious, online method for her to request reinstatement of the content.

Reinstatement of content should be technically possible
When intermediaries (who are subject to intermediary liability) are building new products, they should build the capability to remove content into the product with a high degree of specificity so as to allow for narrowly tailored content removals when a removal is legally required. Relatedly, all online intermediaries should build the capability to reinstate content into their products while maintaining compliance with data retention laws.

Intermediaries should have policies and procedures in place to handle reinstatement requests
Between the front end (online mechanism to request reinstatement of content) and the backend (technical ability to reinstate content) is the necessary middle layer, which consists of the intermediary’s internal policies and processes that allow for valid reinstatement requests to be assessed and acted upon. In line with the corporate ‘responsibility to respect’ human rights, and considered along with the human rights principle of ‘access to remedy,’ intermediaries should have a system in place from the time that an online product launches to ensure that reinstatement requests can be made and will be processed quickly and appropriately.

Principle VIII: Accountability

Governments must ensure that independent, transparent, and impartial accountability mechanisms exist to verify the practices of government and companies with regards to managing content created online
“While it is important that companies make commitments to core principles on freedom of expression and privacy, make efforts to implement those principles through transparency, policy advocacy, and human rights impact assessments, it is also important that companies take these steps in a manner that is accountable to stakeholders. One way of doing this is by committing to external third party assurance to verify that their policies and practices are being implemented to a meaningful standard, with acceptable consistency wherever their service is offered. Such assurance gains further public credibility when carried out with the supervision and affirmation of multiple stakeholders including civil society groups, academics, and responsible investors. The Global Network Initiative provides one such mechanism for public accountability. Companies not currently participating in GNI, or a process of similar rigor and multi-stakeholder involvement, should be urged by users, investors, and regulators to do so.”^[29]

Civil society should encourage comparative studies between countries and between ISPs with regards to their content removal practices to identify best practices
Civil society has the unique ability to look longitudinally across this issue to determine and compare how different intermediaries and governments are responding to content removal requests. Without information about how other governments and intermediaries are handling these issues, it will be difficult for each government or intermediary to learn how to improve its laws or policies. Therefore, civil society has an important role to play in the process of creating increasingly better human rights outcomes for online platforms by performing and sharing ongoing, comparative research.

Civil society should establish best practices and benchmarks against which ISPs and government can be measured, and should track governments and ISPs over time in public reports
“A number of projects that seek, define and implement indicators and benchmarks for governments or companies are either in development (examples include: UNESCO’s Indicators of Internet Development project examining country performance, Ranking Digital Rights focusing on companies) or already in operation (examples include the Web Foundation’s Web Index, Freedom House’s Internet Freedom Index, etc.). The emergence of credible, widely-used benchmarks and indicators that enable measurement of country and company performance on freedom of expression will help to inform policy, practice, stakeholder engagement processes, and advocacy.”^[30]

Principle IX: Due Process - In Both Legal and Private Enforcement

ISPs should always consider context before removing content and Governments and courts should always consider context before ordering that certain content be removed
“Governments need to ensure that legal frameworks and company policies are in place to address issues arising out of intermediary liability. These legal frameworks and policies should be contextually adapted and be consistent with a human rights framework and a commitment to due process and fair dealing. Legal and regulatory frameworks should also be precise and grounded in a clear understanding of the technology they are meant to address, removing legal uncertainty that would provide opportunity for abuse.”^[31]

Principles for Courts

An independent and impartial judiciary exists, at least in part, to preserve the citizen’s due process rights. Many have called for an increased reliance on courts to make determinations about the legality of content posted online in order to both shift the censorship function from unaccountable private actors and to ensure that courts only order the removal of content that is actually unlawful. However, when courts do not have an adequate technical understanding of how content is created and shared on the internet, the rights of the intermediaries that facilitate the posting of the content, and who should be ordered to remove unlawful content, they do not add value to the online ecosystem. Therefore, courts should keep certain principles in mind to preserve the due process rights of the users that post content and the intermediaries that host the content.

Preserve due process for intermediaries- do not order them to do something before giving them notice and the opportunity to appear before the court

In a dispute between two private parties over a specific piece of content posted online, it may appear to the court that the easy solution is to order the intermediary who hosts the content to remove it. However, this approach does not extend any due process protections to the intermediary and does not adequately reflect the intermediary's status as something other than the creator of the content. If a court feels that it is necessary for an intermediary to intervene in a legal proceeding between two private parties, the court should provide the intermediary with proper notice and give them the opportunity to appear before the court before issuing any orders.

Necessity and proportionality of judicial determinations- judicial orders determining the illegality of specific content should be narrowly tailored to avoid over-removal of content

With regards to government removal requests, the UNESCO Report notes that “[o]ver-broad law and heavy liability regimes cause intermediaries to over-comply with government requests in ways that compromise users’ right to freedom of expression, or broadly restrict content in anticipation of government demands even if demands are never received and if the content could potentially be found legitimate even in a domestic court of law.”^[32] Courts should follow the same principle: only order the removal of the bare minimum of content that is necessary to remedy the harm identified and nothing more.

Courts should clarify whether ISPs have to remove content in response to court orders directed to third parties, or only have to remove content when directly ordered to do so (first party court orders) after an adversarial proceeding to which the ISP was a party

See discussion of the difference between first party and third party court orders (supra, section a., “Transparency”). Ideally, any decision that courts reach on this issue would be consistent across different countries.

Questions- related unresolved issues that should be kicked to the larger group

How should the conflict between access to remedy and data retention laws that say content must be hard deleted after a certain period of time be resolved? I think the access to remedy has to be subordinated to the data protection laws. Let's make that our draft position, but continue to flag it for discussion.

Should ISPs have to remove content in response to court orders directed to third parties, or only have to remove content when directly ordered to do so (first party court orders) after an adversarial proceeding to which the ISP was a party? I think first party orders. Let's make that our draft position, but continue to flag it for discussion.

[1] Center for Democracy and Technology, Shielding the Messengers: Protecting Platforms for Expression and Innovation at 4-15 (Version 2, 2012), available at https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf (see pp.4-15 for an explanation of these different models and the pros and cons of each).

[2] UNESCO, “Fostering Freedom Online: The Roles, Challenges, and Obstacles of Internet Intermediaries” at 6-7 (Draft Version, June 16th, 2014) (Hereinafter “UNESCO Report”).

[3] UNESCO Report at 56.

[4] UNESCO Report at 37.

[5] Center for Democracy and Technology, Additional Responses Regarding Notice and Action, Available at https://www.cdt.org/files/file/CDT%20N&A%20supplement.pdf.

[6] The United Nations (UN) Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Co-operation in Europe (OSCE) Representative on Freedom of the Media, the Organization of American States (OAS) Special Rapporteur on Freedom of Expression and the African Commission on Human and Peoples’ Rights (ACHPR) Special Rapporteur on Freedom of Expression and Access to Information, Article 19, Global Campaign for Free Expression, and the Centre for Law and Democracy, JOINT DECLARATION ON FREEDOM OF EXPRESSION AND THE INTERNET at 2 (2011), available at http://www.osce.org/fom/78309 (Hereinafter “Joint Declaration on Freedom of Expression).

[7] Center for Democracy and Technology, Additional Responses Regarding Notice and Action, Available at https://www.cdt.org/files/file/CDT%20N&A%20supplement.pdf.

[8] Id.

[9] Id.

[10] UNESCO Report at 113-14.

[11] ‘Chilling Effects’ is a website that allows recipients of ‘cease and desist’ notices to submit the notice to the site and receive information about their legal rights. For more information about ‘Chilling Effects’ see: http://www.chillingeffects.org.

[12] Id. at 73. You can see an example of a complaint published on Chilling Effects at the following location. “DtecNet DMCA (Copyright) Complaint to Google,” Chilling Effects Clearinghouse, March 12, 2013, www.chillingeffects.org/notice.cgi?sID=841442.

[13] UNESCO Report at 73.

[14] Article 19, Internet Intermediaries: Dilemma of Liability (2013), available at http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf.

[15] UNESCO Report at 120.

[16] Joint Declaration on Freedom of Expression and the Internet at 2.

[17] Id.

[18] Id.

[19] Id. at 121.

[20] Id. at 104.

[21] Id. at 122.

[22] Center for Democracy and Technology, Shielding the Messengers: Protecting Platforms for Expression and Innovation at 12 (Version 2, 2012), available at https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf.

[23] Joint Declaration on Freedom of Expression at 2-3.

[24] Geist, Michael, Rogers Provides New Evidence on Effectiveness of Notice-and-Notice System (2011), available at http://www.michaelgeist.ca/2011/03/effectiveness-of-notice-and-notice/

[25] Center for Democracy and Technology, Chile’s Notice-and-Takedown System for Copyright Protection: An Alternative Approach (2012), available at https://www.cdt.org/files/pdfs/Chile-notice-takedown.pdf

[26] UNESCO Report at 54.

[27] “Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue (A/HRC/23/40),” United Nations Human Rights, 17 April 2013, http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf, § 24, p. 7.

[28] UNESCO Report at 118.

[29] UNESCO Report at 122.

[30] Id.

[31] UNESCO Report at 120.

[32] Id. at 119.

For more details visit https://cis-india.org/internet-governance/blog/zero-draft-of-content-removal-best-practices-white-paper

August 2014 Bulletin

praskrishna — 2014-10-04T06:09:57Z

Eighth issue of the newsletter (August 2014) below:

We at the Centre for Internet & Society (CIS) welcome you to the eighth issue of the newsletter (August 2014). Archives of our newsletters can be accessed at: http://cis-india.org/about/newsletters

Highlights

CIS published a policy guide on Privacy in Healthcare that seeks to understand the legal regulations governing data flow in the health sector - particularly hospitals, and how these regulations are implemented.
Nehaa Chaudhari wrote two articles on the Karnataka Goondas Act in Spicy IP. The first one is an overview on the various provisions of the law and discusses the potential impact of the amendment . The second one is a note on legislative competence .

Andhra Loyola College and CIS entered into a memorandum of understanding (MoU) to steward the growth of Telugu Wikipedia and to make available free knowledge in Telugu to all Telugus across the globe.
In July 2014, the Department of Biotechnology and the Department of Science, Ministry of Science and Technology, Government of India released a draft Open Access Policy. CIS participated in discussions along with experts brought on board by the Drafting Committee to develop and review the open access policy. As a follow-up, CIS prepared comments to the draft Policy .

Anandini K. Rathore wrote a report on the second privacy and surveillance roundtable held in New Delhi at the India International Centre on July 4, 2014.
As part of its project on mapping cyber security experts in Asia with funding from Citizen's Lab, CIS interviewed Tibetan monkGyanak Tsering and Saumil Shah, security expert.

Published a white paper on content removal best practices and put it up for feedback. The draft paper has been created to frame the discussion towards the creation of a set of principles for intermediary liability in consultation with groups of Internet-focused NGOs and the academic community.
Shyam Ponappa's monthly column Transformation, or Drift? published in Business Standard and Organizing India Blogspot was mirrored on the CIS website.
P.P. Sneha blogged on the emergence of the phenomenon of the alt-academy in the West and the nuances and possibilities of such a space in the Indian context .

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing two projects. The first project is on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India. CIS in partnership with CLPR (Centre for Law and Policy Research) compiled the National Compendium of Policies, Programmes and Schemes for Persons with Disabilities (29 states and 6 union territories). The updated draft is being reviewed by the Office of the Chief Commissioner for Persons with Disabilities. The draft chapters and the quarterly reports can be accessed on the project page. The second project is on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here.

NVDA and eSpeak

Monthly Update

Work Report for August (by Suman Dogra, August 31, 2014).

Blog Entry

Smartphones and the Return to Dependency (by Anandhi Viswanathan, August 30, 2014).

Participation in Event

Towards an Accessible Internet for People with Disabilities (organized by International Centre for Free and Open Source Software and ISOC Australia, Delhi, August 4, 2014). Sunil Abraham was a speaker at this workshop organized as part of APrIGF.

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Blog Entries

Preventive Detention for Copyright Violation: Karnataka Amends the 'Goondas' Act (by Nehaa Chaudhari, August 13, 2014).

Karnataka Goondas Act - A note on Legislative Competence (by Nehaa Chaudhari, August 28, 2014).

Interviews with App Developers: [dis]regard towards IPR vs. Patent Hype - Part II (by Samantha Cassar, August 14, 2014).

Openness

Submission

Comments on the Department of Biotechnology and Department of Science Open Access Policy (by Anubha Sinha, August 22, 2014).

Participation in Event

Connecting the Next Two Billion: The Role of FOSS (organized by ICFOSS, Noida, August 4, 2014). Sunil Abraham was a speaker at this workshop held as part of the APrIGF.

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Announcement

Andhra Loyola College and the Centre for Internet & Society sign MoU for Better Net Access (by Rahmanuddin Shaik, August 19, 2014): Ten theosophical books authored by Rev. Fr. P. Jojaiah, SJ were released under free license (CC-BY-SA-4.0); For the first time an educational institution in the state of Andhra Pradesh is signing an MoU with CIS-A2K to work collaboratively to qualitatively improve Telugu Wikipedia; ALC faculty and students will create free e-content in Telugu on Telugu Wikipedia; Digital content from the fields of Botany, Physics, Chemistry, Telugu, Statistics, Ethics and Religion, Music and Dance will be produced on Telugu Wikipedia.

News and Media Coverage

CIS-A2K team gave its inputs to the following media coverage:

Now, Christ students will contribute to Wikipedia (by H.M.Shruthi, Deccan Herald, August 5, 2014).

CIS-A2K Signs MoU with Andhra Loyola College in Vijayawada (Eenadu, August 15, 2014).

ALC signs MoU for better net access (The Hindu, August 15, 2014).

Participation in Event

Konkani Global Enclave (organized by Jagotik Konknni Songhotton, Kalaangann, Shaktinagar, August 24, 2014). T. Vishnu Vardhan participated in the event.

Internet Governance

Privacy

As part of our Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project with Privacy International we are engaged in enhancing respect for the right to privacy in developing countries. We have produced the following outputs during the month:

Policy Guide

Privacy in Healthcare: Policy Guide (by Tanvi Mani, August 26, 2014).

Event Report

Second Privacy and Surveillance Roundtable (by Anandini K Rathore, August 6, 2014).

Blog Entries

Surat's Massive Surveillance Network Should Cause Concern, Not Celebration (by Joe Sheehan, August 3, 2014).

Learning to Forget the ECJ's Decision on the Right to be Forgotten and its Implications (by Divij Joshi, August 14, 2014).

Participation in Events

Learning Event - The Internet and Economic, Cultural and Social Rights (organized by the International Development Research Centre and Association for Progressive Communications, August 8 - 10, 2014). Sunil Abraham was a remote participant.

Understanding Surveillance and Privacy in India (organized by Jamia Millia Islamia, New Delhi, August 28, 2014). Bhairav Acharya delivered a lecture.

Free Speech

As part of our project on Freedom of Expression (funded through a grant from the MacArthur Foundation) to study the restrictions placed on freedom of expression online by the Indian government and contribute to the debates around Internet governance and freedom of expression at forums like ICANN, ITU, IGF, WSIS, etc., we bring you the following outputs:

White Paper

Zero Draft of Content Removal Best Practices White Paper (by Jyoti Panday, August 31, 2014).

News & Media Coverage

CIS gave its inputs to the following media coverage:

'I'm going to ruin you, dear' (by Prasun Chaudhuri with additional reporting by Varuna Verma in Bangalore, August 3, 2014).
We the goondas (by Shyam Prasad, Bangalore Mirror, August 4, 2014).
Sunil Abraham | The online warrior (by Anirban Sen, Livemint, August 9, 2014).
Dot Bharat domain to roll out on August 21 (originally published by IANS and mirrored in FirstPost, August 19, 2014).
The Uncertain Future of India's Plan to Biometrically Identify Everyone (by Jessica Mckenzie, TechPresident, August 28, 2014).
Will domain dot भारत spur the growth of Indian languages on the internet? (by Rohan Venkataramakrishnan, August 29, 2014).
SC seeks govt reply on PIL challenging powers of IT Act (by Shreeja Sen, Livemint, August 30, 2014).

Cyber Stewards

As part of its project on mapping cyber security actors in South Asia and South East Asia with the Citizen Lab, Munk School of Global Affairs, University of Toronto and the International Development Research Centre, Canada, CIS conducted 2 new interviews. With this it has finished a total of 21 interviews:

Video Interviews

Saumil Shah (August 30, 2014).

Gyanak Tsering (August 31, 2014).

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Transformation, or Drift? (by Shyam Ponappa, Business Standard, August 6, 2014 and Organizing India Blogspot, August 7, 2014).

Blog Entry

"OTTs Eating Into Our Revenue": Telcos in India (by Geetha Hariharan, August 7, 2014).

Digital Humanities

CIS is building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia:

Blog Entry

Digital Humanities and the Alt-Academy (by P.P. Sneha, August 19, 2014).

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

► Follow us elsewhere

Twitter: https://twitter.com/CISA2K
Facebook group: https://www.facebook.com/cisa2k
Visit us at: https://meta.wikimedia.org/wiki/India_Access_To_Knowledge
E-mail: a2k@cis-india.org

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration:

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, atsunil@cis-india.org or Nishant Shah, Director - Research, at nishant@cis-india.org. To discuss collaborations on Indic language Wikipedia, write to T. Vishnu Vardhan, Programme Director, A2K, at vishnu@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/august-2014-bulletin

CIS Cybersecurity Series (Part 21) – Gyanak Tsering

purba — 2014-09-06T05:08:44Z

CIS interviews Gyanak Tsering, Tibetan monk in exile, as part of the Cybersecurity Series.

“I have three mobile phones but I use only one to exchange information to and from Tibet. I don't give that number to anyone and nobody knows about it. High security forces me to use three phones. Usually a mobile phone can be tracked easily in many ways, especially by the network provider but my third mobile phone is not registered so that makes sure that the Chinese government cannot track me. The Chinese have a record of all mobile phone numbers and they can block them at anytime. But my third number cannot be traced and that allows me to communicate freely. This is only for security reasons so that my people in Tibet don't get into trouble.”

Centre for Internet and Society presents its twenty-first installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Gyanak Tsering is a Tibetan monk in exile, studying at Kirti Monastery, Dharamshala. He came to India in 1999, and has been using the internet and mobile phone technology, since 2008, to securely transfer information to and from Tibet. Tsering adds a new perspective to the cybersecurity debate and explains how his personal security is interlinked with internet security and mobile phone security.

Video

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-21-gyanak-tsering

SC seeks govt reply on PIL challenging powers of IT Act

praskrishna — 2014-09-08T04:45:51Z

Section 66A of the IT Act punishes sending offensive messages through communication services, including posts on social media websites like Facebook.

The article by Shreeja Sen was published in Livemint on August 30, 2014. Leslie D’Monte contributed to this story. Sunil Abraham gave his inputs.

The Supreme Court on Friday asked for the central government’s response in a writ petition filed by Internet and Mobile Association of India (IAMAI) challenging the arbitrary powers that the Information Technology (IT) Act confers on the government to remove user-generated content.

This is not the first time that the amended provisions of the IT Act 2000 and the IT (Intermediaries Guidelines) Rules, 2011 have been challenged. The rules were released by the government in April 2011, and laid down detailed procedures for regulation of intermediaries and online content.

A bench of justices J. Chelameswar and A.K. Sikri, while issuing notice to the central government, tagged the cases with others of a similar nature, including ones by MouthShut.com, a consumer review website, and Shreya Singhal, a public interest litigant who challenged the constitutionality of Section 66A in support of Shaheen Dhada, who was arrested for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray in 2012. Section 66A of the IT Act punishes sending offensive messages through communication services, including posts on social media websites like Facebook.

“We’re very happy at MouthShut that IAMAI decided to take a stand regarding this,” said Faisal Farooqui, chief executive officer of MouthShut.com.

The petition, which runs into 1,100 pages according to those familiar with the case, seeks to challenge Section 79(3)(b) of the Information Technology Act. The section holds an Internet service provider (ISP) responsible for content which may be unlawful, published by third parties (not the ISPs) when they’ve been intimated by the government. It takes away the safe harbour rule, which protects ISPs from being sued because of third party actions.

According to a statement by IAMAI, the industry lobby approached the apex court for “objective interpretation of the laws”. Referring to the court agreeing to hear the petition, the statement said, “This admission today allows the industry an opportunity to argue for a clear Safe Harbour Provision for the intermediaries, which is an essential pre-condition of a thriving digital content business.”

“In my view, the court may be sympathetic to this particular situation because there is a body of research and evidence that demonstrates that the private censorship regime instituted by Section 79A that places unconstitutional limits of freedom of speech and expression,” said Sunil Abraham, executive director of the Centre for Internet and Society (CIS), India, a non-profit organization involved with research in freedom of expression, privacy and open access to literature.

On 27 April 2012, CIS-India had released a paper which, among other things, listed why the IT Rules 2011 could have a “chilling” effect on intermediaries. No much has changed since. The paper argued that not all intermediaries have sufficient legal competence or resources (or the willingness to devote such legal resources) to deliberate on the legality of an expression, as a result of which, intermediaries have a tendency to err on the side of caution. It also pointed out that the qualifications and due diligence requirements of different classes of intermediaries have not been clearly defined in the Rules resulting in uncertainty in the steps to be followed by the intermediary. It noted that depending on the nature of a service, it may be technically unfeasible for an intermediary to comply with the takedown within 36 hours.

“The chilling effect can primarily be attributed to the requirement for private intermediaries to perform subjective judicial determination in the course of administering the takedown. From the responses to the takedown notices, it is apparent that not all intermediaries have sufficient legal competence or resources to deliberate on the legality of an expression, as a result of which, such intermediaries have a tendency to err on the side of caution and chill legitimate expressions in order to limit their liability,” the paper said.

Another privacy lobby body, SFLC.in, had submitted feedback to the government when the draft IT Rules were put up for consultation but said that “when the final Rules were notified we found that most of our concerns were not addressed and that the Rules exceeded the scope of the parent act”.

In a July paper, SFLC.in reiterated that “Words and phrases like grossly harmful, harassing, blasphemous, disparaging and “harm minors in any way” are not defined in these Rules or in the Act or in any other legislation. These ambiguous words make the Rules susceptible to misuse…(and have a) chilling effect on free speech rights of users by making them too cautious about the content they post and byforcing them to self-censor…As technology evolves at a fast pace, the law should not be found wanting. The law should be an enabling factor that ensures that citizens enjoy their right to freedom of speech and expression without any hindrance. India, being the largest democracy in the world should lead the world in ensuring that the citizens enjoy the right to express themselves freely online.”

SFLC.in is a donor-supported legal services organization that brings together lawyers, policy analysts, technologists, and students.

According to a March study commissioned by the Global Network Initiative, a multistakeholder group of companies, civil society organizations, investors, and academics and conducted by Copenhagen Economics, an economic consultancy, the GDP contribution of online intermediaries may increase to more than 1.3 % ($ 241 billion) by 2015, provided the current liability regime is improved.

In another development, hearing a petition asking to take down pornographic website, the court deemed it fit to send it to an advisory committee that has been set up under Section 88 of the Information Technology Act. The petition, filed by lawyer Kamlesh Vaswani in 2013, asked for a direction to the central government to block pornography websites, platforms, links or downloading. Speaking to reporters, Vaswani’s lawyer Vijay Panjwani said, “as on date, there are 4 crore pornographic websites. For 18 months, the government has not blocked them.”

The central government informed the committee was considering several options to address the issue of including methods used in the US and UK. This case was being heard by a three-judge bench headed by the chief justice of India R.M. Lodha, who said that to address these technological issues, a “synthesis of law, technology and governance is required.”

For more details visit https://cis-india.org/internet-governance/news/livemint-august-30-2014-shreeja-sen-sc-seeks-govt-reply-on-pil-challenging-powers-of-it-act

CIS Cybersecurity Series (Part 20) – Saumil Shah

purba — 2014-09-06T05:03:00Z

CIS interviews Saumil Shah, security expert, as part of the Cybersecurity Series.

“If you look at the evolution of targets, from the 2000s to the present day, the shift has been from the servers to the individual. Back in 2000, the target was always servers. Then as servers started getting harder to crack, the target moved to the applications hosted on the servers, as people started using e-commerce applications even more. Eventually, as they started getting harder to crack, the attacks moved to the user's desktops and the user's browsers, and now to individual user identities and to the digital personas.”

Centre for Internet and Society presents its twentieth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Saumil Shah is a security expert based in Ahmedabad. He has been working in the field of security and security related software development for more than ten years, with a focus on web security and hacking.

Video

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-20-saumil-shah

Will domain dot भारत spur the growth of Indian languages on the internet?

praskrishna — 2014-09-08T05:50:11Z

Modi's effort to promote the use of Hindi and e-governance has given hope to those who want to see more vernacular content online, but many challenges have to be overcome.

Rohan Venkataramakrishnan's blog post was published in Scroll.in on August 29, 2014. Sunil Abraham gave his inputs.

For most of its short history, the internet has been the English speaker’s playground. Though English is the world’s third-most spoken language (after Mandarin and Spanish), it is by far the most commonly used language on the internet. If you wanted to make sense of most of what’s on the World Wide Web, you had to be able to read and write English.

This is slowly changing. The launch of Devanagari script web addresses on Sunday, allowing people to use .भारत domain names, was another step in the slow effort to bring about a multilingual Web. Already, Indian languages like Hindi – one of the most commonly-spoken languages on Earth – lag far behind. The move gels well with the new government’s effort to promote the use of Hindi, and its push to increase digital services available to all citizens. The next few years could well see a spurt in vernacular content online.

But first many challenges have to be overcome. “At present, not a single Indian language figures in the top 10 languages prevalent on the Internet, though Chinese, Arabic and Russian feature in the list,” said a McKinsey report on the internet's impact on India. “The next wave of internet adoption in India will be dominated by local language speakers, which underscores the need for much more content and applications to be offered in local languages.”

Vernacular internet
Early studies of the internet attempted to quantify how much of the web was in English. A 1997 estimate put the number at 80% of all websites, while the Online Computer Library’s study in 2003 concluded that 72% of all online content was in English. Today that number is much lower.

W3Techs, which conducts surveys of the internet, now estimates that about 55% of content on the Internet is in English, followed by German, Russian and Japanese. Indian languages don’t crack the top 35.

The analysis is by its nature imprecise. The internet is vast and mostly uncharted. Estimates suggest search engines have indexed only 40% of Web content, leaving much off the mainstream radar. Measuring language becomes even harder because, in the early years, when fonts were harder to render, most non-English content on the internet was spelt out in Roman letters.

Indian Wiki
The rise of multilingual scripts has changed that, and made it easier to evaluate the diversity of the internet. Yet even the best approach relies more on sampling than measurement. There is one section of the Web, however, that does allow for comparisons of absolute numbers.

Relative to other tongues, Indian language-articles still comprise a minuscule portion of Wikipedia. English, Spanish and French are perhaps expected, but even languages like Vietnamese have nearly 10 times the number of pages that Hindi does. Waray-Waray, the fifth-most commonly spoken language in the Philippines, appears to be an outlier because of an automated translation method that creates pages in that language.

Hindi content has been growing on the internet encyclopedia, from no pages in 2003 to more than one lakh in 2011, but it still falls far behind the languages that are spoken as commonly as it, like Spanish and Arabic, let alone those with much smaller reach. Of course in many countries English is not spoken at all, so Internet users need web pages in their own language. In India, because of the language-class association, the majority of Internet users are at least conversant in English.

Obstacle Course
The impediments to further growth are all too apparent. For one, internet infrastructure still leaves much to be desired. Though India has the third-largest internet user-base in the world, only 10% of the country is actually online. Even by 2015, when internet access is expected to reach 28% of the population, the equivalent rural figure is likely to be just 9%, according to estimates.

“A lot of the core infrastructure that is necessary for language computing is missing,” said Sunil Abraham, executive director of the Centre for Internet & Society. “There’s no mandate by the government that these languages must be supported, no comprehensive dictionaries, no thesauri, no machine translation capabilities, no optical character recognition capabilities. Because our market is so insignificant for proprietary software makers, they haven’t done enough to develop these. Meanwhile, the free software community is too small and mostly English-speaking.”

The government has launched some initiatives in this regard, like a National Translation Mission aimed at machine translating text from English into Indic languages, as well as banks of fonts that are free to use. But Abraham said that while the government is clear this should be a priority area, it underestimates the scale of the problem.

“We need large scale investment by the government into each language,” he said. “We’re looking at maybe even Rs 100 crore per language, to bring each of our traditional languages into the internet age.”

For more details visit https://cis-india.org/openness/news/scroll-in-rohan-venkataramakrishnan-will-domain-dot-bharat-spur-the-growth-of-Indian-languages-on-the-internet

Understanding Surveillance and Privacy in India

praskrishna — 2014-09-08T06:08:49Z

Bhairav Acharya delivered a lecture at the Jamia Millia Islamia in New Delhi on August 28, 2014.

Abstract
While privacy seems intuitive to most people, its legal codification and protection is complex. This is because varying expectations of privacy exist in different social contexts demanding different forms and degrees of protection. In India, an unambiguous and enforceable constitutional right to privacy does not exist. The Supreme Court of India has, intermittently and unconvincingly, recognised a limited right to privacy in certain situations. Recent debates on privacy focus primarily on two areas: surveillance, and data protection. The interception of communications – phone calls, emails, and letters, – which is a type of surveillance, is statutorily regulated in India in an uneven way. A colonial law permits and regulates wiretaps in India. A derivative law governs emails and electronic communications. Both these laws suffer serious shortcomings. Indian law permits executive authorisations – by bureaucrats – of wiretaps without an independent audit and oversight mechanism. No legal provisions exist to redress improper wiretaps or information leaks – the Radia tapes controversy illustrates this. These lacunae remain unaddressed even as large-scale techno-utopian projects, such as the Central Monitoring System, move forward. However, the recent governmental push for privacy law does not stem from surveillance concerns but from international commerce in personal data. There is also a growing domestic constituency that is alarmed by the state’s collection of personal data without regulatory safeguards.

About the Speaker
Bhairav Acharya is a constitutional lawyer in India who joined the Bar in 2004 after graduating from the National Law School of India University, Bangalore. From 2004 - 2009, he was the Deputy Director of the Public Interest Legal Support and Research Centre (PILSARC), an organisation established to provide institutional legal support and credible research to popular movements, and to ideas and communities marginalised by law. He headed a UNHCR project to draft a refugee protection law for India and is a member of the NHRC’s National Experts Group on Refugee Law. He litigated – mostly constitutional law – in the chambers of a senior counsel in the Supreme Court of India, where he became especially interested in free speech law. From 2009 - 2010, he advised a leading Indian multinational information technology major on privacy law and data protection. At present, he independently advises the Centre for Internet and Society, Bangalore, on privacy law, and is drafting a proposed privacy statute to regulate data protection and surveillance in India to provide a participatory and consensus - based legal submission to the Indian government.

Event Details
Venue: CCMG Network Governance Lab,
Date: Thursday, August 28, 2014
Time: 11.30 a.m.

For more details visit https://cis-india.org/internet-governance/news/understanding-privacy-and-surveillance-in-india

The Uncertain Future of India's Plan to Biometrically Identify Everyone

praskrishna — 2014-09-08T05:31:28Z

Last Sunday an 11-year-old boy in Andhra Pradesh, a state in southeast India, hung himself from a ceiling fan as his family slept.

Jessica Mckenzie's blog post was published in Techpresident on August 28, 2014. Sunil Abraham gave his inputs.

He was allegedly driven to this act after being denied an Aadhaar card—formally known as Unique Identification (UID)—which he was told he needed to attend school. The card is one arm of India's sprawling scheme to collect the biometric data, including fingerprints and iris scans, of its 1.2 billion citizens and residents, and is quickly becoming practically, if not legally, mandatory, for nearly every aspect of life, from getting married to buying cooking gas to opening a bank account. More than 630 million residents have already enrolled and received their unique 12-digit identification number.

Since its launch in 2010, people have raised a number of questions and concerns about Aadhaar, citing its effects on privacy rights, potential security flaws, and failures in functionality. India's poor, who were supposed to be the biggest beneficiaries of the program, are actually most at risk of being excluded from UID, and there is no evidence that biometric identification has curtailed corruption. The newly-elected Prime Minister Narendra Modi lambasted the UID program as a candidate but in July did an about-face, calling for the enrollment process to be expedited and supporting a UID-linked social assistance program. In all likelihood, the world's largest experiment in biometric identification will continue.

There are still a number of unanswered questions about the future of the program. Although created in large part as a way of more efficiently and less corruptly dispersing government subsidies, last year the Supreme Court ruled that the Aadhaar card could not be made mandatory to receive government assistance. The Unique Identification Authority of India (UIDAI) operates in a kind of legal limbo. Modi is said to have instructed his Finance Minister Arun Jaitley to resolve these legal problems.

Sorting out the legal issues is imperative if UID numbers are going to be linked to Modi's proposed financial inclusion program that aims to bring 75 million additional households into the country's banking system by 2018.

There is also the possibility that UID will be merged, absorbed or superseded by the National Population Register (NPR), yet another biometric identification system. The NPR, unlike Aadhaar, is mandatory for all residents. In addition to fingerprints and iris scans, NPR collects information on familial relationships, nationality, occupation and education level. There is a great deal of overlap between the two programs, which has been a source of conflict between government agencies in the past. The home ministry, for example, argues that government subsidies should be disbursed through NPR, not UID.

There is also speculation that UID could be picked up as part of Digital India, Modi's ambitious plan to modernize India by building national broadband infrastructure, ensuring universal mobile service access, creating e-government services, and establishing a “cradle-to-grave digital identity for every citizen of the country—unique, lifelong, online and authenticable [sic].”

In spite of UID's tenuous position and uncertain future, it has become “essential” in nearly every facet of life. The Delhi government is rolling out a suite of e-government services, starting with marriage registration, that will require a UID. Fishermen in Gujarat have been told they cannot go out to sea without biometric identification.

Then there is Kora Balakrishna, the 11-year-old who committed suicide after being denied an Aadhaar card because he has webbed fingers. His school headmaster had instructed him to get one as a prerequisite for study and, per one news outlet, a mid-day meal. An investigation into the incident has been ordered. Pravin Kumar, a local administrative official, said webbed fingers are not a legitimate reason for rejection from the program.

For more details visit https://cis-india.org/internet-governance/news/tech-president-jessica-mckenzie-august-28-2014-the-uncertain-future-of-indias-plan-to-biometrically-identify-everyone