We are anonymous, we are legion

Privacy Law in India: A Muddled Field - I

bhairav — 2014-05-05T06:17:06Z

The absence of a statute expressing the legislative will of a democracy to forge a common understanding of privacy is a matter of concern, says BHAIRAV ACHARYA in the first of a two part series.

The article was published in the Hoot on April 15, 2014.

Privacy evades definition and for this reason sits uneasily with law. The multiplicity of everyday privacy claims and transgressions by ordinary people, and the diversity of situations in which these occur, confuse any attempt to create a common meaning of privacy to inform law. Instead, privacy is negotiated contextually, and the circumstances that permit a privacy claim in one situation might form the basis for its transgression in another.

It is easy to understand privacy when it is claimed in relation to the body; it is beyond argument that every person has a right to privacy in relation to their bodies, especially intimate areas. It is also accepted that homes and private property secure to their owners a high degree of territorial privacy. But what of privacy from intrusive stares, or even from camera surveillance, when in a public place? Or of biometric privacy to protect against surreptitious fingerprint capturing or DNA collection from the things we touch and the places we visit every day? Or the privacy of a conversation in a restaurant from other patrons? Clearly, there are multiple meanings of privacy that are negotiated by individuals all the time.

Law has, where social custom has demanded, clothed some aspects of human activity with an expectation of privacy. In relation to bodily privacy, this is achieved by both ordinary common law without reference to privacy at all, such as the offences of battery and rape; and, by special criminal law that is premised on an expectation of privacy, such as the discredited offences regarding women’s modesty in sections 354 and 509 of the Indian Penal Code, 1860 (IPC), and the new offences of voyeurism and stalking contained in sections 354C and 354D of the IPC.

The law also privileges communications that are made through telephones, letters, and emails by regulating the manner of their interception in special circumstances. Conditional interception provisions with procedural safeguards – which, for several reasons, are flawed and ineffective – exist to protect the privacy of such communications in section 5(2) of the Indian Telegraph Act, 1885, section 26 of the Indian Post Office Act, 1898, and section 69 of the Information Technology Act, 2000.

Territorial privacy, which is afforded by possession of private property, is ordinarily protected by the broad offence of trespass – in India, these are the offences of criminal trespass, house trespass, and lurking house-trespass contained in sections 441 to 443 of the IPC – and house-breaking, which is akin to the offence of breaking and entering in other jurisdictions, in section 445 of the IPC.

Some measure of protection is provided to biometric information, such as fingerprints and DNA, by limiting their lawful collection by the state: sections 53, 53A, and 54 of the Code of Criminal Procedure, 1973 permit collections of biometric information from arrestees in certain circumstances; this is in addition to a colonial-era collection regime created by the Identification of Prisoners Act, 1920. However, nothing expressly prohibits the police or anybody else from non-consensually developing DNA profiles from human material that is routinely left behind by our bodies, for instance, saliva on restaurant cutlery or hair at the barbershop.

Physical surveillance, by which a person is visually monitored to invade locational privacy, is also inadequately regulated. Besides man-on-woman stalking, which was criminalised only one year ago, no effective measures exist to otherwise protect locational privacy. Indian courts regularly employ their injunctive power but have been loath to issue equitable remedies such as restraining orders to secure privacy. Police surveillance, which is usually covert, is an executive function that is practised with wide latitude under every state police statute and government-issued rules and regulations thereunder with little or no oversight. The risk of misuse of these powers is compounded by the increasingly widespread use of surveillance cameras sans regulation.

Other technologies too compromise privacy: GPS-enabled mobile phones offer precise locational information, presumably consensually; cell-tower tracking, almost always non-consensually, is ordered by Indian police without any procedurally built-in safeguards; radio frequency identification to locate vehicles is sought to be made mandatory; and, satellite-based surveillance is available to intelligence agencies, none of which are registered or regulated unlike in other liberal democracies.

No uniform privacy standard in law

None of these laws applies a uniform privacy standard nor are they measured against a commonly understood meaning of privacy. The lack of a statutory definition is not the issue; the lack of a statute that expresses the legislative will of a democracy to forge a common understanding of privacy to inform all kinds of human activity is the concern. Ironically, the impetus to draft a privacy law has come from abroad. Foreign senders of personal information – credit card data, home addresses, phone numbers, and the like – to India’s information technology and outsourcing industry demand institutionalised protection for their privacy.

Pressure from the European Union, which has the world’s strongest information privacy standards and with which India is currently negotiating a free trade agreement, to enact a data protection regime to address privacy has not gone unanswered. The Indian government – specifically, the Department of Personnel and Training, the same department that administers the Right to Information Act, 2005 – is currently drafting a privacy law to govern data protection and surveillance. At stake is the continued growth of India’s information technology and outsourcing sectors that receive significant amounts of European personal data for processing, which drives national exports and gross domestic product.

An inferred right

For its part, the Supreme Court has examined more than a few privacy claims to find, intermittently and unconvincingly, that there is a constitutional right to privacy, but the contours of this right remain vague. In 1962, the Supreme Court rejected the existence of a privacy right in Kharak Singh’s case which dealt with intrusive physical surveillance by the police.

The court was not unanimous; the majority of judges expressly rejected the notion of locational privacy while declaring that privacy was not a constituent of personal liberty, a lone dissenting judge found the opposite to be true and, furthermore, held that surveillance had a chilling effect on freedom. In 1975, in the Gobind case that presented substantially similar facts, the Supreme Court leaned towards, but held short of, recognising a right to privacy. It did find that privacy flowed from personal autonomy, which bears the influence of American jurisprudence, but subjected it to the interests of government; the latter prevailed.

However, in the PUCL case of 1997 that challenged inadequately regulated wiretaps, the Supreme Court declared that phone conversations were protected by a fundamental right to privacy that flowed from Article 21 of the Indian Constitution. To intrude upon this right, the court said, a law was necessary that is just, fair, and reasonable. If this principle were to be extended beyond communications privacy to, say, identity cards, the Aadhar project, which is being implemented without the sanction of an Act of Parliament, would be judicially stopped.

But what does “law” mean? Is it only the law of our Constitution and courts? What of the law that governed Indian societies before European colonisation brought the word ‘privacy’ to our legal system? Classical Hindu law – distinct from colonial and post-independence Hindu law – also recognises and enforces expectations of privacy in different contexts. It recognised the sanctity of the home and family, the autonomy of the community, and prescribed penalties for those who breached these norms. So, too, does Islamic law: all schools of Islamic jurisprudence – ‘fiqh’ – recognise privacy as an enforceable right.

Different words and concepts are used to secure this right, and these words have meanings and connotations of their own. But, the hermeneutics of privacy notwithstanding, this belies the common view that privacy is not an Indian value. Privacy may or may not be a cultural norm, but it has existed in India and South Asia in different forms for millennia.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-bhairav-acharya-april-15-2014-privacy-law-in-india-a-muddled-field-1

Very Big Brother

sunil — 2014-04-14T11:39:09Z

The Centre for Internet and Society, the organization I work for, currently serves on a committee established by the Government of India's Department of Biotechnology, Ministry of Science and Technology in January 2013. The committee has been charged with preparing a report on the draft Human DNA Profiling Bill.

The article was originally published in GeneWatch (January - April 2014) issue.

Why should an organization that focuses on the Internet be invited to such a committee? There are some obvious reasons related to data protection and big data. CIS had previously served on the Justice AP Shah committee that was tasked by the Planning Commission to make recommendations on the draft Privacy Bill in 2012. There are also some less obvious connections, such as academic research into cyborgs wherein the distinction between human and machine/technology is blurred; where an insulin pump makes one realize that the Internet of Things could include the Internet of Body Parts. But for this note I will focus on biometrics - quantifiable data related to individual human characteristics - and their gate-keeping function on the Internet.

The bouquet of biometric options available to technologists is steadily expanding - fingerprint, palm print, face recognition, DNA, iris, retina, scent, typing rhythm, gait, and voice. Biometrics could be used as authentication or identification to ensure security and privacy. However, biometrics are different from other types of authentication and identification factors in three important ways that have implications for human rights in information societies and the Internet.

Firstly, biometrics allow for non-consensual authentication and identification. Newer, more advanced and more expensive biometric technologies usually violate human rights more extensively and intensively than older, more rudimentary and inexpensive biometrics. For example, it is possible to remotely harvest iris information when a person is wide awake without even being aware that their identification or authentication factors have been compromised. It isn't difficult to imagine ways to harvest someone's fingerprints and palm prints without their knowledge, and you cannot prevent a security camera from capturing your gait. You could use specialized software like Tor to surf the World Wide Web anonymously and cover your digital tracks, but it is much harder to leave no trail of DNA material in the real world.

Secondly, biometrics rely on probabilistic matching rather than discrete matching - unlike, for example, a password that you use on a social media platform. In the 2007 draft of India's current Human DNA Profiling Bill, the preamble said "the Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead, without any doubt." This extract from the bill was quoted in an ongoing court case to use tampered chain of custody for DNA as the means to seek exoneration of the accused. And the scientists on the committee insist that the DNA Data Bank Manager "...shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency ... as to whether the DNA profile received is already contained in the Data Bank" - in other words, a "yes" or "no" answer. This is indeed odd for those who come from the world of Internet policy - especially when one DNA lab worker confidentially shared that after a DNA profile was generated the "standard operating procedure" included checking it against the DNA profile of the lab worker to ensure that there was no contamination during the process of generating the profile. This would not be necessary for older forms of biometrics such as the process of developing a photograph. In other words, chain of custody issues with every generation of biometric technology are getting more and more complex. In the developing world, the disillusioned want to believe that "technology is the solution." The fallibility of technology must determine its evidentiary status.

Finally, biometrics are only machine-scrutable. This means machines and not human beings will determine whether you are guilty or innocent; whether you should get subsidized medicine, grain, or fuel; whether you can connect to the Internet via mobile phone, cybercafe or broadband. DNA evidence is not directly observable by judges and therefore the technology and equipment have to be made increasingly transparent so that ordinary citizens as well as the scientific community can audit their effectiveness. In 2009, the Second District Court of Appeal and Circuit Court in Florida upheld a 2005 ruling requiring CMI Inc, the manufacturer of Intoxilyzer 5000, to release source code, failing which evidence from the breathalyzer would be rendered inadmissible in more than 100 drunk driving cases. If the transparency of machines is important when prosecuting misdemeanors then surely this is something we must advocate for when culpability for serious crimes is determined through DNA evidence and other types of biometric technologies. This could be accomplished by the triad of mandates for free/open source software, open standards and open hardware. This is not necessary for all DNA technology and equipment that is used in the market, but only for a small sub-set of these technologies that impinge on our rights as human beings via law enforcement and the judicial system.

It has been nine years since India started the process of drafting this bill. We hope that the delays will only result in a robust law that upholds human rights, justice and scientific progress.

Sunil Abraham is Executive Director of the Centre for Internet and Society, based in Bangalore, India.

For more details visit https://cis-india.org/internet-governance/blog/council-for-responsible-genetics-april-2014-sunil-abraham-very-big-brother

Lok sabha polls: Social media companies launch special pages for polls

praskrishna — 2014-04-14T11:28:54Z

Internet and social media giants such as Google and Facebook have launched special campaigns, pages and services around the Indian Lok Sabha elections to make the most of the world's largest democratic exercise that kicked off on Monday.

The article by Varuni Khosla was published in the Economic Times on April 10, 2014. Sunil Abraham is quoted.

Big and small social media companies are looking to use the poll fever to augment their businesses by wooing new users and generating more traffic.

Google, for example, recently launched an election page along with a Google Hangout series and a 'Pledge to Vote' and 'Know Your Candidates' campaign that featured 97-year-old Shyam Saran Negi from Himachal Pradesh who has voted in every election in Independent India. Twitter has come up with a 'Discover' section of curated tweets while Facebook has launched an election trackers as well as a 'Facebook Talks' page.

Indian social platform Vebbler has unveiled 'Ungli' campaign while telecom operator MTS has tied up with Social Samosa for an election tracker.

"While in the short run it may just be a branding exercise, in the long run it could result in more sign-ups and convert into a wider user base for these companies," said Bhupendra Khanal, CEO and co-founder at social business intelligence company Simplify360.

"But it also shows how important India is as a market for these companies — that they are looking at generating information beyond short-term revenues," he added. Khanal said the most popular hashtags with mentions in last 30 days are #Elections2014, which got 46,000 mentions, and #Election2014:, with 36,000 mentions.

This shows that social media users are following and discussing the elections and candidates constantly. Raheel Khursheed, head of news, politics and government at Twitter India, said election candidates across political parties are using Twitter platform to break news, answer questions and post 'selfies'.

"This page lets voters see all the official Twitter feeds from political parties and candidates and will let voters make an informed choice before they go and vote," he said.

Sunil Abraham, executive director at non-profit charitable organisation Centre for Internet and Society, said social media companies are looking at earning close to 10% of the entire media spend by political parties.

"When they have election related features on their site, they can tell their advertisers (political parties) that they are a serious platform that talks politics," he said. "Also, when a user clicks on these ads that are being put up by parties, social media companies are able to gain granular information about the user's likes and dislikes and therefore figure out how to advertise to them in the future," Abraham added.

These make it doubly attractive for social media companies to have such services.

Also, experts say that it doesn't cost much at all to set up these special pages and launch campaigns. "Spends on these campaigns could cost social media companies just about Rs 10-20 lakh - including making videos and setting up pages," a social media agency head said.

This person said that about 60 million people have been discussing Indian Elections on social media, even though there are just about 40 million Twitter users in India. "So, a lot of interest has been taken in the elections from other countries," the person added.

Close to 65% of India's population is under the age of 35 and more and more young people in the country are using social media.

The Internet and Mobile Association of India (IMAI) estimates that a well-executed social media campaign can swing 3%–4% of votes. "Digital advertising in India has increased by 30% this year and around Rs 3402 crore is expected to be spent in 2014. Of this, social media spend is close to Rs 300 crore according to IMRB," says James Drake-Brockman, head of digital marketing division, DMG :: events.

For more details visit https://cis-india.org/news/economic-times-april-10-2014-varuni-khosla-lok-sabha-polls

Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill

elonnai — 2014-04-14T06:10:20Z

Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill.

Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill

Constitutional Right to Privacy

The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.

Nine National Privacy Principles

The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:

Notice: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give sample to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. If the purpose for which the personal data changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put, whether or not the personal data will be disclosed to at third person and, if so, the identity of such person if the personal data being collected is intended to be transferred outside India and the reasons for doing so; how such transfer helps in achieving the legitimate purpose; and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place data controllers must inform the affected data subject that lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; processed, re-identified or disclosed in an unauthorized manner.

Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.

Choice and Consent: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subject will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymoized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data.

Different from as recommended in the principle in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exception cases when it is not possible to provide a service with choice and consent, then choice and consent will not be required.

Collection Limitation: The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and content taken.

Purpose Limitation: Though the principle of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which they are processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data.

Access and Correction: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual.

Disclosure of Information: The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound the adhere to all relevant and applicable privacy principles.

Security: The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.

Openness: The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, and policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity to the data they collect.

Accountability: The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the national Privacy Principles.

Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).

With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. As a note the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised.

With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.

Additional Protection for Sensitive Personal Data

The Report of the Group of Experts on Privacy broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The 2014 Privacy Bill incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data, sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances of when this authorization would not be required including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected an processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India, the authority has, by a general or specified order permitted the processing of such data for specific purpose and is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.

Privacy Officers

The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.

Co-regulatory Framework

The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry levels self regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry level self regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.

Recommendations in the Report that are not in the Bill

Scope

The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.

Exceptions

The Report of the Group of Experts recommends the following as exceptions to the right to privacy:

National security
Public order
Disclosure in the public interest
Prevention, detection, investigation, and prosecution of criminal offenses
Protection of the individual and rights and freedoms of others

The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessary in a democratic state.

The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:

Sovereignty, integrity or security of India or
Strategic, scientific or economic interest of India; or
Preventing incitement to the commission of any offence; or
Prevention of public disorder; or
The investigation of any crime; or
Protection of rights and freedoms others; or
Friendly relations with foreign states; or
Any other legitimate purpose mentioned in this Act.

Instead of qualifying these exceptions with the principles of proportionality, legality, and necessary in a democratic state – as recommended in the Report of Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.

Constitution of Infringement of Privacy

The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.

The Data Protection Authority

The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The privacy commissioner should have the power to receive and investigate class action complaints and investigative powers of the commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo moto, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry level SRO’s.

Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.

The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate in complaint received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.

Tribunal and System of Complaints

Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.

Penalties and Offenses

The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.

Conclusion

The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.

In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.

References

For more details visit https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill

Net Neutrality, Free Speech and the Indian Constitution - I

gautam — 2014-04-29T08:03:57Z

In this post, I will explore net neutrality in the context of Indian law and the Indian Constitution.

Let us take, for the purposes of this post, the following definition:

“The idea that all Internet traffic should be treated equally is known as network neutrality. In other words, no matter who uploads or downloads data, or what kind of data is involved, networks should treat all of those packets in the same manner.”

In other words, put simply, net neutrality in its broadest form requires the extant gatekeepers of the internet – such as, for instance, broadband companies – to accord a form of equal and non-discriminatory treatment to all those who want to access the internet. Examples of possible discrimination – as the quote above illustrates – include, for instance, blocking content or providing differential internet speed (perhaps on the basis of a tiered system of payment for access).

Net neutrality has its proponents and opponents, and I do not have space here to address that dispute. In its broadest and absolutist form, net neutrality is highly controversial (including arguments that existing status quo is not neutral in any genuine sense). I take as given, however, that some form of net neutrality is both an important and a desirable goal. In particular, intentional manipulation of information that is available to internet users – especially for political purposes – is, I assume, an undesirable outcome, as are anti-competitive practices, as well as price-discrimination for the most basic access to the internet (this brief article in the Times of India provides a decent, basic primer on the stakes involved).

An example of net neutrality in practice is the American Federal Communications Commission’s Open Internet Order of 2010, which was the subject of litigation in the recently concluded Verizon v. FCC. The Open Internet order imposed obligations of transparency, no blocking, and no unreasonable discrimination, upon internet service providers. The second and third requirements were vacated by a United States Court of Appeals. The rationale for the Court’s decision was that ISPs could not be equated, in law, to “common carriers”. A common carrier is an entity that offers to transport persons and/or goods in exchange for a fee (for example, shipping companies, or bus companies). A common carrier is licensed to be one, and often, one of the conditions for license is an obligation not to discriminate. That is, the common carrier cannot refuse to carry an individual who is willing and able to pay the requisite fees, in the absence of a compelling reason (for example, if the individual wishes the carrier to transport contraband). Proponents of net neutrality have long called for treating ISPs as common carriers, a proposition – as observed above – was rejected by the Court.

With this background, let us turn to India. In India, internet service providers are both state-owned (BSNL and MTNL), and privately-owned (Airtel, Spectranet, Reliance, Sify etc). Unlike many other countries, however, India has no network-neutrality laws. As this informative article observes:

“The Telecom Regulatory Authority of India (TRAI), in its guidelines for issuing licences for providing Unified Access Service, promotes the principle of non-discrimination but does not enforce it… the Information Technology Act does not provide regulatory provisions relating to Internet access, and does not expressly prohibit an ISP from controlling the Internet to suit their business interests.”

In the absence of either legislation or regulation, there are two options. One, of course, is to invoke the rule of common carriers as a common law rule in court, should an ISP violate the principles of net neutrality. In this post (and the next), however, I would like to analyze net neutrality within a constitutional framework – in particular, within the framework of the constitutional guarantee of freedom of speech and expression.

In order to do so, two questions become important, and I shall address them in turn. First, given that most of the ISPs are privately owned, how does the Constitution even come into the picture? Our fundamental rights are enforceable vertically, that is, between individuals and the State, and not horizontally – that is, between two individuals, or two private parties. Where the Constitution intends to depart from this principle (for instance, Article 15(2)), it specifically and expressly states so. As far as Article 19 and the fundamental freedoms are concerned, however, it is clear that they do not admit of horizontal application.

Yet what, precisely, are we to understand by the term “State”? Consider Article 12:

“In this part, unless the context otherwise requires, the State includes the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India.”

The key question is what, precisely, falls within the meaning of “other authorities”. The paradigmatic example – and this is something Ambedkar had in mind, as is evidenced by the Constituent Assembly Debates – is the statutory corporation – i.e., a company established under a statute. There are, however, more difficult cases, for instance, public-private partnerships of varying types. For the last fifty years, the Supreme Court has struggled with the issue of defining “other authorities” for the purposes of Part III of the Constitution, with the pendulum swinging wildly at times. In the case of Pradeep Kumar Biswas v. Indian Institute of Chemical Biology, a 2002 judgment by a Constitution bench, the Court settled upon the following definition:

“The question in each case would be whether in the light of the cumulative facts as established, the body is financially, functionally and administratively dominated by or under the control of the Government. Such control must be particular to the body in question and must be pervasive. If this is found then the body is a State within Article 12. On the other hand, when the control is merely regulatory whether under statute or otherwise, it would not serve to make the body a State.”

Very obviously, this dooms the ISP argument. There is no way to argue that ISPs are under the pervasive financial, functional and administrative domination or control of the State. If we step back for a moment, though, the Pradeep Kumar Biswas test seems to be radically under-inclusive. Consider the following hypothetical: tomorrow, the government decides to privatize the nation’s water supply to private company X. Company X is the sole distributor of water in the country. On gaining control, it decides to cut off the water supply to all households populated by members of a certain religion. There seems something deeply wrong in the argument that there is no remedy under discrimination law against the conduct of the company.

The argument could take two forms. One could argue that there is a certain minimum baseline of State functions (ensuring reasonable access to public utilities, overall maintenance of communications, defence and so on). The baseline may vary depending on your personal political philosophy (education? Health? Infrastructure?), but within the baseline, as established, if a private entity performs a State function, it is assimilated to the State. One could also argue, however, that even if Part III isn’t directly applicable, certain functions are of a public nature, and attract public law obligations that are identical in content to fundamental rights obligations under Part III, although their source is not Part III.

To unpack this idea, consider Justice Mohan’s concurring opinion in Unnikrishnan v. State of Andhra Pradesh, a case that involved the constitutionality of high capitation fees charged by private educational institutions. One of the arguments raised against the educational institutions turned upon the applicability of Article 14’s guarantee of equality. The bench avoided the issue of whether Article 14 directly applied to private educational institutions by framing the issue as a question of the constitutionality of the legislation that regulated capitation fees. Justice Mohan, however, observed:

“What is the nature of functions discharged by these institutions? They discharge a public duty. If a student desires to acquire a degree, for example, in medicine, he will have to route through a medical college. These medical colleges are the instruments to attain the qualification. If, therefore, what is discharged by the educational institution, is a public duty that requires… [it to] act fairly. In such a case, it will be subject to Article 14.”

In light of Pradeep Kumar Biswas, it is obviously difficult to hold the direct application of the Constitution to private entities. We can take Justice Mohan, however, to be making a slightly different point: performing what are quintessentially public duties attract certain obligations that circumscribe the otherwise free action of private entities. The nature of the obligation itself depends upon the nature of the public act. Education, it would seem, is an activity that is characterized by open and non-discriminatory access. Consequently, even private educational institutions are required to abide by the norms of fairness articulated by Article 14, even though they may not, as a matter of constitutional law, be held in violation of the Article 14 that is found in the constitutional text. Again, the content of the obligation is the same, but its source (the constitutional text, as opposed to norms of public law) is different.

We have therefore established that in certain cases, it is possible to subject private entities performing public functions to constitutional norms without bringing them under Article 12’s definition of the State, and without the need for an enacted statute, or a set of regulations. In the next post, we shall explore in greater detail what this means, and how it might be relevant to ISPs and net neutrality.

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and presently an LLM student at the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he will be blogging on issues of online freedom of speech and expression.

For more details visit https://cis-india.org/internet-governance/blog/net-neutrality-free-speech-and-the-indian-constitution-part-1

No party's got a clear stand, Aadhaar's fate hangs in balance

praskrishna — 2014-05-05T06:01:08Z

A non-UPA government for sure will review the multi-crore UID programme, but none of the parties have yet talked about scrapping it.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 13, 2014. Sunil Abraham is quoted.

Since inception, Aadhaar’s foundation has been shaky. The Unique Identification Authority of India (UIDAI) has been functioning on an executive fiat, without parliamentary ratification. When the government first came up with a bill on the UID programme, it was rejected by the parliamentary standing committee, which questioned the purpose of the programme.

Aadhaar’s acceptability as proof of residence and its issuance to the illegal immigrants too has courted controversy. The opposition and the ministry of home affairs have repeatedly flagged the issue. Recently, the supreme court (SC) instructed the government to withdraw all orders mandating Aadhaar number for service delivery. In September last year too the apex court had ruled that no one should be denied a service for want of Aadhaar.

While the Congress hasn’t changed its position on Aadhaar and wishes to continue with Aadhaar-linked benefits transfer, the BJP hasn’t mentioned it even once in its 52-page manifesto. On April 8, Narendra Modi, BJP’s prime ministerial candidate, in an election rally near Bangalore was quoted as saying, “I asked several questions on the Aadhaar project. I asked them questions relating to illegal migrants and national security. They (the government) did not have any answer.”

Rajendra Pratap Gupta, member of BJP’s core committee on manifesto, told Governance Now: “If we come to power we will review this in totality. There is scepticism around the whole project and even the SC has ruled against mandating it.” He called Aadhaar one of the ‘biggest scams’ of the UPA. “We have found people owning multiple Aadhaar cards. It (Aadhaar) is not a very secure system,” he added.

On the other hand, Aam Aadmi Party doesn’t oppose the idea of Aadhaar, though it is critical of its linkage to delivering food and other subsidies. Atishi Marlena, the party’s manifesto committee chief, said, “In principle, we don’t oppose the Aadhaar programme. If it’s about providing an identification proof to the poor who don’t have other documents, we certainly welcome it. But Aadhaar’s linkage with benefits-transfer needs to be questioned. Who gets what and who doesn’t should be determined by gram sabhas and mohalla sabhas. It should be done via people participation.”

The CPI(M), in its manifesto, called for halting the project unless it gets parliamentary approval. It also underlined the need for a privacy and data protection law prior to the rollout of the UID programme. “The moment Aadhaar is linked with service delivery, the scope for exclusion widens. You need to have universal coverage of Aadhaar and banking before you roll out the benefits transfer programme,” CPI(M) Rajya Sabha member Tapan Sen said.

In its manifesto, the party has talked about ‘constituting an independent high-level expert panel for an appraisal of the technology of biometrics used in the project’.

Sunil Abraham of the Centre for Internet and Society said, “The centralised online authentication automatically raises issues of privacy infringement. The authentication, in a decentralised fashion, with help of smart cards, is less intrusive, as the logs are stored in a local fashion and not centralised as in the case of Aadhaar. It will be a welcome move if the next government selects resident ID (smart) card, issued by the home ministry, as proof for identification and service delivery.”

For more details visit https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance

Parties give short shrift to privacy

praskrishna — 2014-05-05T05:54:11Z

Both the Congress and BJP vision documents disappoint, but the real surprise is the CPI-M document that deals with cyber issues in a substantial manner.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 12, 2014. Sunil Abraham is quoted.

For civil rights activists in the internet and cyber space, the election manifestoes of major political parties including the Congress and the BJP have come as a disappointment. Both the parties are mute on privacy. In the recent past there has been a vociferous demand for a strong legislation on privacy. A draft bill on privacy has been making rounds of the bureaucratic circle for three years. Manifestoes are also silent on the need for correction in the information technology act, which activists say is characterised by 'arbitrariness and lack of processes'.

“A healthy democracy gives equal weightage to transparency and privacy. It’s disappointing that the two parties have overlooked these two,” says Sunil Abraham, director of the Bangalore based Centre for Internet and Society (CIS). Both Congress and BJP don’t mention about the lack of implementation of the open data policy. The policy, aka NDSAP 2012, requires all departments and ministries to put high value data sets in public domain within a few months of the policy enforcement. The parties are also silent on need for a balancing act on surveillance and civil liberty.

Nikhil Pahwa, founder of Medianama.com, a portal posting news and analysis on digital media, says “The parties could have talked about reforming the IT legislation, especially the Section 79 and IT Rules 2011 which gives the intermediaries—the ISPs, websites, and cyber cafes—the power to strike down content without even hearing the author.” The law, currently, doesn’t provide a redressal mechanism to the author.

Similarly both parties are mute on internet governance, which has become a major global issue after the US showed willingness to cede its monopolistic oversight over the body governing the internet ICANN.

The Congress manifesto is also blank on making websites and systems accessible for specially-abled population, also called as e-accessibility. While the BJP too doesn’t talk about making government portals e-accessible, it speaks about the use of technology to deliver low cost quality education to specially-abled students. Issuance of universal identity cards for all applicable government benefits and disabled friendly access to public facilities are two other things which the party promises to implement if voted in power.

Both election manifestoes don’t mention concerns related to telecommunication sector. Broadband is the only term that appears in the two manifestoes. The Congress promises to bring high speed Internet to every village panchayat. This is not a new initiative; a project under DoT called national optical fibre network, NOFN, proposes to do the same. The BJP’s manifesto says, “Deployment of broadband in every village would be a thrust area.”

Both parties also talk about putting public services online. There is also nothing concrete about promotion of indigenous manufacturing in electronics and IT hardware. While there are serious omissions in the two manifestoes, the manifesto of the CPI-M surprises many, highlighting key issues concerning civil rights and liberty.

The manifesto talks about ‘demilitarisation of cyber space’ and ‘protecting Internet and telecommunications networks from cyber attacks and surveillance by building indigenous capability’. Edward Snowden’s revelation of the PRISM programme seems to be the context. It also talks about promoting ‘free software and other such new technologies which are free from monopoly ownership through copyrights or patents; knowledge commons should be promoted across disciplines, like biotechnology and drug discovery’.

For more details visit https://cis-india.org/news/governance-now-april-12-2014-pratap-vikram-singh-parties-give-short-shrift-to-privacy

The Critical Life of Information

praskrishna — 2014-05-05T04:41:08Z

Nishant Shah and Malavika Jayaram will be speaking at the event organized by Yale University on April 11, 2014.

The immensity of the proliferation of bits of raw information that is fundamental to current digital environments is at a scale that in earlier eras would have been characterized as sublime. Big Data also corresponds to scales of globalization with its heretofore unthinkable geographical expanses and inequalities, suddenly crystallized in local crises. Scholars have argued that the geographical scale of accumulation has been changing and that hierarchies of scale are appearing that reveal the specificity of capital at the present time. This, in turn, requires a re-scaling and re-conceptualization of life. The workshop will address how new notions of information as property, and its harvesting from people in contexts ranging from shopping to health care to social media, condition humanistic inquiry and its concepts of the individual and the collective.

Nishant Shah spoke in the panel on Big Data and Governance. Malavika Jayaram spoke in the panel on Big Data and the Arts. Click to read the original published on Yale University site.

For more details visit https://cis-india.org/news/critical-life-of-information

The Take Down of Free Speech Online

praskrishna — 2014-04-06T05:19:50Z

As part of a study to access rate of compliance, in 2011, the Centre for Internet and Society Bangalore sent frivolous “take down” requests to seven prominent intermediaries. The study showed exactly how easy it is to take down online content.

This was published in Newslaundry on April 1, 2014. CIS research on Intermediary Liabilities is quoted.

CIS found that six out of the seven intermediaries “over complied” with the notices. Facts such as these about intermediary liability were discussed in a panel discussion “Intermediary Liability & Freedom of Expression in India” in Delhi on March 27, 2014 organised by Centre for Communication Governance at National Law University in collaboration with the Global Network Initiative.

The panel also included Professor Ranbir Singh, Vice Chancellor of NLU, Jermyn Brooks (Independent Chair – Global Network Initiative, Washington DC), Shyam Divan (Senior Advocate, Supreme Court of India) and SiddharthVaradarajan (Journalist). They discussed proxy censorship by government through private players and how e-business’ lose out on opportunities because of the current legal framework in the country within which intermediaries have to function.

According to Section 2(1)(w) of The Information Technology Act, 2000, “intermediary”- with respect to any particular electronic message -signifies any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.According to Rishab Dara, recipient of the Google policy Fellowship 2011, in an article titled, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet, “intermediaries are widely recognised as essential cogs in the wheel of exercising the right to freedom of expression on the Internet. Most major jurisdictions around the world have introduced legislations for limiting intermediary liability in order to ensure that this wheel does not stop spinning”.

The “safe harbor”or what is also known asIntermediary Liability Laws according to Section 79 of the Information Technology Act are given below:

Intermediaries not to be Liable in Certain Cases

(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

(3) The provisions of sub-section (1) shall not apply if—

(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or othorise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

Under the Act, the intermediary needs to act on a complaint within 36 hours of a take down notice -failing which they will be liable to legal action if the case is taken to the court.

Shyam Divan spoke about the absurdity of the 36-hour turnaround time that an intermediary has between receiving a complaint and taking down the content. According to him, without any kind of legal option to fall back on, intermediaries decide to comply with such take down notices fearing “serious penalties and possibility of prosecution” which results in “indirect censorship”. He also said, “Domestic constitution in itself is not going to be sufficient”. “Meta-constitutions” which are transnational and have uniform laws across countries could be a possible solution to the current confusion as the internet is a global phenomenon and it would ensure that “the extent of our online rights would not be limited to the constitution of the country”.

Giving the example of hate speech, Siddharth Varadarajan, mentioned the Indian executive’s different approaches towards different mediums. Referring to hate speeches made during the 1993 Bombay riots by Shiv Sena leaders and those made during the 2002 Gujarat riots, he said, “Hate speech never gets prosecuted when made amid a physical crowd in a volatile situation.I can understand why politicians won’t be prosecuted but why so much sensitivity on online content. This paradox is worth reflecting on.Despite its limited reach, the executive reacts in such a hyper-sensitive manner”.He adds that as the editor of a news website one faces daily problems in taking decisions on online content especially on comment moderation and whether the website would be responsible for a certain comment made by a reader. Echoing Shyam Divan’s views,he said that in India more than the punishment, when a case is filed, the legal process itself becomes a punishment, which forces Internet Service Providers to comply with requests of blocking online content.

The Global Network Initiative is a Washington-based organisation that provides a framework for companies to deal with governments requesting censorship or surveillance of online content, “rooted in international standards legal framework also interesting people”. According to a report released by it, “provided that the existing safe harbour regime is improved, intermediaries can become a significant part of the economy and their GDP contribution may increase to more than 1.3 per cent by 2015. The potential corresponds to $41 billion by 2015”.Jermyn Brooks,Independent Chair of GNI,argued that instead of focusing all efforts on ensuring that the Information Technology (Intermediaries Guidelines) Rules, 2011 gets struck down by Courts for its unconstitutionality, there should also be a movement to effect policy changes through the amendment of the law. According to him, such a proposition would be more lucrative for a government looking for “re-invigoration of economic growth in India”.

The discussion was significant in the light that a number of cases related to the IT Act and freedom of online speech will be heard in the Supreme Court in the coming months. A petition by Mouthshut.com challenges the Information Technology (Intermediaries Guidelines) Rules 2011 “which effectively creates a notice and takedown regime for content hosted by intermediaries”. Another important case up for hearing is a petition by Member of Parliament Rajeev Chandrashekhar,“which also challenges these rules on grounds that they are ambiguous, require private parties to subjectively assess objectionable content, and that they undermine the safe harbour exemptions from liability granted to intermediaries by section 79 of the IT Act”. The People’s Union for Civil Liberties (PUCL) has challenged the Intermediaries Guidelines rules as well as the Procedure and Safeguards for Blocking for Access of Information by the Public Rules 2009. “This petition has pointed to the lack of transparency in the blocking procedure, which does not currently offer the public any notice or reasons for the blocking.”

“The cases pending before the Supreme Court will have a significant impact on the freedom of expression. We should never take our rights for granted – the interpretation of these rights needs to be consistent with their spirit”, said Professor Ranbir Singh.

Citing the recent example of the Wendy Doniger episode, Varadarajan says, “If Penguin chooses to pack up at the District court level, you know how Internet Service Providers would react to take down notices…Specific targeting of online speech would ultimately have a negative impact on the traditional media”. And that is the crux of the matter. In the absence of intermediate liability not being limited, online censorship and the curtailment of the freedom of speech will become far easier and will only worsen.

For more details visit https://cis-india.org/news/newslaundry-april-1-2014-somi-das-the-take-down-of-free-speech-online

Who Governs the Internet? Implications for Freedom and National Security

sunil — 2014-04-05T16:23:36Z

The second half of last year has been quite momentous for Internet governance thanks to Edward Snowden. German Chancellor Angela Merkel and Brazilian President Dilma Rousseff became aware that they were targets of US surveillance for economic not security reasons. They protested loudly.

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African, American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable. Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” – and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014 See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated: 14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

For more details visit https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security

Between the Local and the Global: Notes Towards Thinking the Nature of Internet Policy

nishant — 2014-04-04T03:49:14Z

This post by Nishant Shah is part of a series related to the 2014 Milton Wolf Seminar on Media and Diplomacy: The Third Man Theme Revisited: Foreign Policies of the Internet in a Time Of Surveillance and Disclosure, which takes place in Vienna, Austria from March 30 – April 1, 2014.

The 2014 seminar is jointly organized by the Center for Global Communication Studies (CGCS) at the University of Pennsylvania’s Annenberg School for Communication, the American Austrian Foundation (AAF), and the Diplomatic Academy of Vienna (DA). For more information visit the seminar webpage and Facebook Page. Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India.

Nishant Shah's post was published on April 1st, 2014 | by cgcsblog

An imagined and perceived gap between the global and the local informs transnational politics and internet policy. The global views the local as both the site upon which the global can manifest itself as well as the microcosm that supports and strengthens global visions by providing mutations, adaptations and reengineering of the governance practices. The local is encouraged to connect with the global through a series of outward facing practices and policies, thus producing two separate domains of preservation and change. On the one hand, the local, the organic and the traditional, needs to be preserved and make the transnational and the global the exotic other. On the other hand, the local also needs to be in a state of aspiration, transforming itself to belong to global networks of polity and policy that are deemed as desirable, especially for a development and rights based vision of societies.

While these negotiations and transactions are often fruitful and local, national, and transnational structures and mechanics have been developed to facilitate this flow, this relationship is precarious. There is an implicit recognition that the local and the transnational, dialectically produced, are often opaque categories and empty signifiers. They sustain themselves through unquestioned presumptions of particular attributes that are taken for granted in these interactions. There have been many different metaphors that have been used to understand and explain these complex transfers of knowledge and information, resources and capital, bodies and ideologies. Vectors, Flows, Disjunctures, Intersections are some of the examples. However, with the rise of the digital technologies and vocabularies, especially the internet, the metaphor of the Network with its distributed nodes has become one of the most potent explanations of contemporary politics. This idea of living in networked worlds is so seductive and ‘common-sense,’ that it has become an everyday practice to think of the global as a robust, never-ending, all-inclusive network where the local becomes an important node because it enables both connectivity within but also an expansion of the edges, in order to connect to that which is outside the traffic capacities of the network.

The ‘Network Society’ paradigm is distinct from earlier rubrics of information and open society that have informed existing information and communication policies. In this paradigm we have the opportunity to revisit and remap the ways in which local governments and populations function and how they produce locals who can feed into the transnational and global discourse. The network facilitates some knowledge that is valuable and allows us to map inequity and mal-distribution of resources by offering comparisons between the different nodes. Networks force our attention to the edges, the no-person’s-zone which is porous but still serves as an osmotic filter that often keeps the underprivileged and the unintelligible outside its fold. Networks as metaphors are valuable because they produce a cartographic vision of the world with multiple boundaries and layers, dealing with big data sets to create patterns that might otherwise be invisible. They enable the replication of models that can be further localised and adapted to fit the needs of the context. Networks make the world legible – we write it through the lens of the network, intelligible – we understand it through the language and vocabulary of the network, and accessible – it allows for knowledge and practices to transfer across geographies and times.

At the same time, networks are a vicious form of organisation because they work through the logic of resource maximisation, efficiency and optimisation, often disallowing voices of dissent that threaten the consensus making mechanisms of the network. Networks have a self-referential relationship with reality because they produce accounts of reality which can easily stand in for the material and the real. They are the new narratives that can operate with existing data sets and produce such rich insights for analysis that we forget to account for that which cannot be captured in the database structures of these data streams. Networks work through a principle of homogeneity and records, thus precluding forms of operation which cannot be easily quantified.

Given this complex nature of networks and the fact that they are emerging as the de facto explanations of not only social and cultural relationships but also economic and political transactions, it might be fruitful to approach the world of policy and politics, the local and the transnational, through the lens of the network. Building a critique of the network while also deploying the network as a way to account for the governmental practices might produce key insights into how the world operates. What does it mean to imagine the world in the image of the internet as a gigantic network? What are the ways in which a networked visualisation of policy and governmental processes can help us analyse and understand contemporary politics? What tools can we develop to expose the limitations of a network paradigm and look at more inclusive and sensitive models for public discourse and participation? How do we document events, people, and drivers of political change that often get overlooked in the networked imagination of transnational politics? These are the kind of questions that the Center for Global Communication Study’s Internet Policy Observatory (IPO) could initiate, building empirical, qualitative and historical research to understand the complex state of policy making and its relationship with enforcement, operationalization and localisation.

Given the scope and scale of these questions, there are a few specific directions that can be followed to ensure that research is focused and concentrated rather than too vague and generalised:

Bird’s eye views: The big picture understanding of transnational political and policy networks is still missing from our accounts of contemporary discourse. While global representative networks of multi-stakeholder dialogues have been established, there is not enough understanding of how they generate traffic (information, knowledge, data, people, policies) within the network through the different nodes. Producing an annotated and visual network map that looks at the different structural and organisational endeavours and presences, based on available open public data, bolstered by qualitative interviews would be very useful both as a research resource but also an analytic prototype to understand the complex relationships between the various stakeholders involved in processes of political change.
Crisis Mapping: One of the most important things within Network studies is how the network identifies and resolves crises. Crises are the moment when the internal flaws, the structural weaknesses, and the fragile infrastructure become visible. The digital network, like the internet, has specific mechanisms of protecting itself against crises. However, the appearance of a crisis becomes an exciting time to look at the discrepancy between the ambition of the network and its usage. A crisis is generally a symptom that shows the potentials for radical subversion, overthrowing, questioning and the abuse of network designs and visions. Locating ICT related crises with historical and geographical focuses could similarly reveal the discrepancies of the processes of making policy and orchestrating politics.
Longitudinal Studies: The network remains strong because it works through a prototype principle. Consequently, no matter how large the network is, it is possible to splice, slice, and separate a small component of the network for deep dive studies. This microcosm offers rich data sets, which can then be applied across the network to yield different results. Further, working with different actors – from individual to the collective, from the informal the institutional – but giving them all equal valency provides a more equal view of the roles, responsibilities, and aspirations of the different actors involved in the processes. This kind of a longitudinal study, working on very small case-studies and then applying them to analyse the larger social and political conditions help in understanding the transnational and global processes in a new way.

These research based inquiries could result in many different outputs based on the key users that they are working with and for. The methods could be hybrid, using existing local and experimental structures, with predefined criteria for rigour and robustness. The research, given its nature, would necessitate working with existing networks and expanding them, thus building strong and sustainable knowledge networks that can be diverted towards intervention through capacity building and pedagogy directed at the different actors identified within these nodes.

Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India. He is an International Tandem Partner at the Centre for Digital Cultures, Leuphana University, Germany and a Knowledge Partner with the Hivos Knowledge Programme, The Netherlands. In these varied roles, he has been committed to producing infrastructure, frameworks and collaborations in the global south to understand and analyse the ways in which emergence and growth of digital technologies have shaped the contemporary social, political and cultural milieu. He is the editor for a series of monographs on ‘Histories of Internet(s) in India’ that looks at the complicated relationship that technologies have with questions of gender, sexuality, body, city, governance, archiving and gaming in a country like India. He is also the principle researcher for a research programme that produced the four-volume anthology ‘Digital AlterNatives With a Cause?’ that examines the ways in which young people’s relationship with digital technologies produces changes in their immediate environments.

For more details visit https://cis-india.org/internet-governance/blog/cgcs-nishant-shah-april-1-2014-between-the-local-and-the-global

Should Nandan Nilekani's Aadhaar project, for identity proof and welfare delivery, exist at all?

praskrishna — 2014-04-14T10:27:57Z

The foundation of Aadhaar—a Congress flagship project to give every Indian a unique identity number and then use it to deliver services—has been under assault in the past three months.

The article by M. Rajshekhar was published in the Economic Times on April 3, 2014. Sunil Abraham is quoted.

Political, legal, reputational.

The political backlash is coming from leaders of BJP, the Congress' principal rival. Meenakshi Lekhi and Ananth Kumar are not, by any stretch of the imagination, the first or the last word on policy matters in the BJP, but they mince no words when they say that if their party forms a government, it will trash Aadhaar —a project that has delivered a unique ID to half of India and on which Rs 3,800 crore has been spent.

Even as BJP's loose cannons fired, the Supreme Court repeated on March 24 that the government cannot make Aadhaar mandatory to access welfare services like pensions and LPG subsidy. The same day, investigative journalism portal Cobrapost aired videos that allegedly showed agencies agreeing to enrol people from neighbouring countries for a bribe.

The BJP piled on. "It (Aadhaar) has served no purpose. They have issued cards to illegal migrants. We want citizenship cards," says Prakash Javadekar, spokesperson of BJP. His party does not have an official policy line on Aadhaar as yet, but another of its leaders, Yashwant Sinha, headed the Parliamentary panel that, in 2011, severely criticised and rejected the draft bill that provided the legal framework for Aadhaar. "We are for direct benefit transfer but not on the basis of Aadhaar, which is a very badly-designed scheme," Sinha told CNBC-TV18 on January 31. "We will give it to all citizens of India on the basis of NPR."

On the campaign trail in Bangalore, Nandan Nilekani, the chief architect and implementer of Aadhaar, defends his work as the chairman of Unique Identification Authority of India (UIDAI). "Aadhaar is a pro-development and an anti-corruption platform," says Nilekani, who was brought in by the Congress high command in 2009 and is contesting these elections on a party ticket against BJP's Kumar in Bangalore South. "It is a pity that some vested interests with narrow political and other motives are trying to stall the project."

Lost in those binaries are the objectives of Aadhaar, to universalise identity proof and to use it to plug leakages in delivery of welfare services. UIDAI, led by a hands-on Nilekani, pursued this agenda with a certain authority, great speed and an overriding emphasis on technology, all of which delivered outcomes.

But they also contributed to shortcomings that saw the project stumble on its way and for which it is now being critiqued. "This is the only way transformation takes place," says K Koshy, who was part of the team that conceptualised Aadhaar and is now with Ernst & Young. "When you know the ultimate system is workable, you sort out the problems as you go along."

Except, given the political winds blowing, it's anyone's guess what the new dispensation will feel about Aadhaar and UIDAI, from where Nilekani resigned on March 13 and which is seeing many officers who came from other parts of the government, on deputation, returning. Will the new dispensation see Aadhaar as an idea that is sound but with parts that need strengthening? Or, will they see it as an idea that is, by itself, fallacious? "I don't know where this is going," says Abhijit Sen, member, Planning Commission, under which UIDAI is housed.

At one level, it's a political question. "The next Parliament will have to decide what UIDAI can and cannot do," says Sen. At another level, even that political answer will stem from the answers to three questions that go to the core of what Aadhaar was meant to be and where it fell short.

1. Does Aadhaar Provide a Unique and Definitive Identity?

Yes and no. UIDAI collects two sets of information from an individual. The first is biometrics: prints of all 10 fingers and a scan of the iris in both eyes. Biometric data, which is supposed to be unique to every individual, is used to assign a unique number to the individual. The second set is basic personal information: name, address, father's name, date of birth and address. Individuals can show existing documents—like voter's I-card or passport —as verification. For those who did not have identification documents, UIDAI allowed certain people to attest for them.

Aadhaar is better at identifying individuals through their biometrics than ensuring the accuracy of their add-on data. This is partly due to its design. When Aadhaar was being conceptualised, says Shrikant Nadhamuni, who headed technology for UIDAI: "We wanted to move the ID game—from a state where some people had no ID and others had paper ID to something beyond even what Singapore had, in the form of smart cards, to online. Like biometric. Which is the future.

Here, your presence is enough to vet your ID." This is also partly due to how UIDAI did its enrolments. Shortly after taking charge, Nilekani announced UIDAI would issue 600 million Aadhaar numbers by March 2014. The initial plan was that the National Population Register (NPR), which conducts the decadal Census and which is housed under the ministry of home, would do the enrolments— capturing biometrics and information— and UIDAI would only issue the numbers.

Soon after, Nilekani decided he could not meet his 600 million target if he waited for NPR to give him biometric packets, and offered to do enrolments too. To meet the target, UIDAI wanted to outsource enrolment to multiple vendors. And compared to NPR, UIDAI collected very little demographic data. UIDAI appointed public and private companies as enrolment agencies. Quality issues arose. "90% of the larger enrolment agencies offloaded the work to local, small-time guys," says the head of a Gurgaon-based enrolment agency, not wanting to be named.

Instances of incomplete addresses, spelling mistakes, people bribing enrolment staff to obtain numbers, emerged. "There is always a trade off between inclusion and accuracy," says Nilekani. "And the fact that these errors happened only shows that the gates were kept wide enough to ensure there would be no exclusion." "The Aadhaar database is based on very weak data," says Sunil Abraham, the head of Bangalore-based Centre for Internet and Society, an Internet and governance think-tank. "It is basically linking biometrics to a person and the name/address he claims as his." This weakness started showing up as the government began to deliver welfare services by transferring money directly into bank accounts of beneficiaries, using Aadhaar. The first step was to add the Aadhaar number to the department and bank databases.

Reddy Subramanyam, joint secretary of NREGA, tried to seed Aadhaar numbers into his database of NREGA workers. "The current matching is just 25-30%." The mismatch arises because, say, the name will be S Kumar in one and Sunil Kumar in another. Aadhaar is "less ID project and more identification project," says legal researcher Usha Ramanathan. "The onus for ensuring the demographic information is correct falls on the number-holder."

2. Are Aadhaar-enabled Cash Transfers Delivering?

If giving every Indian a unique ID was Aadhaar's main mandate, revamping welfare delivery became its second. In 2011, Nilekani headed a committee to create a roadmap to move to a system of welfare delivery where money was transferred directly into bank accounts of beneficiaries—or direct benefit transfers (DBTs). The architectures it proposed pivoted around Aadhaar and online, realtime biometric authentication. This was to replace the existing smart-card architecture, which can work even in areas even without connectivity.

UIDAI saw the cloud as the future. "We were not very taken with the smart-card solution," says Nadhamuni. "Farmers have to carry multiple smart cards around. And then, there is the cost of the card." Smart-card companies, staring at the prospect of their investments going waste, protested. "Customers and service providers deserve the right to make a convenient choice. Can someone building a public highway insist that only a certain sort of a vehicle can ply on it?" Abhishek Sinha, CEO of Eko India, a mobile-banking start-up told ET in November 2011.

"The question is whether the model is working better now than what existed before," defends Koshy. It's a question that has not been answered conclusively and credibly: there have been no independent evaluations by the government of Aadhaarbased DBTs till now. "Aadhaar should not have been rolled out on a mission mode till it was tested on some scale," says MS Sriram, visiting faculty at IIM Bangalore's Centre for Public Policy. When asked about this, Sen says: "There was no independent evaluation. Everyone was rushing." From the field came reports about manual labourers and the aged struggling to authenticate using biometrics.

Nor were comparative studies conducted to check alternative ways to improve welfare delivery. Economist Reetika Khera argues that Chhattisgarh has removed corruption from its PDS programme through a mix of computerisation and community supervision. This echoes an observation made by the Parliamentary panel while rejecting the UIDAI bill: the government had not considered comparative costs of Aadhaar and other existing ID documents.

Yet, in November 2012, the Congress decided to make DBTs its calling card for the 2014 elections. At a rally in Dudu, Rajasthan, attended by Congress leaders and Nilekani, it announced DBT rollout in the state. A year later, after a patchy rollout, the Congress lost power in the state. And on January 30, the UPA pressed pause on DBTs for cooking gas.

3. Are there Strong Safeguards to Protect a Person's Privacy?

On February 26, the Mumbai High Court directed UIDAI to share its Goa biometrics with the CBI to help it solve a rape case in the state the agency was struggling to solve. UIDAI refused, saying this would violate the privacy of its number holders. The High Court agreed with the CBI. UIDAI went to the Supreme Court, which ruled that its biometric information cannot be shared with any government agency without the consent of number holders.

But the CBI request had shown what could go wrong. "Once you create an ID system, other things happen," says Sen. "The most inevitable one is that government departments—like the police—want to access it. A database exists and I want to use it." Says a Supreme Court lawyer, not wanting to be named: "You innocently give your fingerprints to UIDAI because you want your scholarship or gas subsidy or something. You volunteer this information and then you realise this can be used as evidence against you in a criminal trial?" In time, more agencies will use Aadhaar. "The moment you start putting the Aadhaar number into multiple databases, you make them comparable," says Abraham. "Land registry, tax records, etc, all become comparable." Adds Sen: "We need to think about who can use the authentication service."

He cites the example of banks using Aadhaar to judge a borrower's credit record as a good thing. Conversely, he adds, an insurer using a customer's Aadhaar to access hospital records, and take a call on premiums or policy issuance, is a bad outcome. "Insurance is supposed to work by pooling risk. Should they (insurers) even have the right to ask for authentication?" asks Sen. UIDAI officials say three things in their defence. One, they collect innocuous information, which they don't share. Two, for authentication queries, they only give 'yes/no' answers. Three, they have safeguards.

What is missing is a legal framework that governs collection, use and retention of biometrics. "India has not passed a data privacy law," says Nadhamuni. "This is a very important legislation we need to draft and enact for projects that use large-scale IT systems, be it Aadhaar, NREGA, voter card, income tax, etc. In the absence of such laws, UIDAI came up with rigorous data privacy and security policies to secure resident data." However, the Parliamentary panel, while rejecting the bill, noted that UIDAI began collecting biometric data even as the government worked on a privacy bill and a data protection bill. "The idea that databases can be used by anyone makes people vulnerable, especially in a state where there is neither law nor much respect for law," says Ramanathan.

Aadhaar stands at an uncomfortable junction. A new government, eager to ensure only citizens have unique numbers, could ask all Aadhaar holders to provide address proof and delete the others. Events of the past three months have framed the issues concerning Aadhaar, sometimes with a touch of rhetoric. "This is a good time to open the regulation issue," says Sen.

For more details visit https://cis-india.org/news/economic-times-april-3-2014-m-rajshekhar-should-nandan-nilekani-aadhar-project-for-identity-proof-and-welfare-delivery-exist

The politics of Facebook

praskrishna — 2014-04-03T11:30:51Z

With the social media becoming an important political battleground, is Facebook affecting friendships and trying to influence our political leanings?

The article by Shweta Tiwari was published in Livemint on April 1, 2014. Dr. Nishant Shah is quoted.

When social activist Uthara Narayanan, 32, posted an innocuous article link on the Gujarat riots on Facebook in January, she was in for a surprise. An old friend from college fiercely defended Gujarat chief minister and Bharatiya Janata Party (BJP) prime ministerial candidate Narendra Modi, getting abrasive and personal in the post. “I had known her for more than 14 years and yet hadn’t seen this side to her,” says Narayanan. “I didn’t realize when she had gone off and gotten such strong views on the debate.”

From then on Narayanan decided to stay away from her friend though they live in the same city. “It left a bad taste in my mouth and marred our friendship for me, though I am still Facebook friends with her.” Almost as if agreeing with her, Facebook’s wall automatically started keeping her friend’s posts away from her wall—thanks to the EdgeRank algorithm.

Like-like stick together

EdgeRank, the Facebook algorithm that decides which posts to show in your newsfeed, bases its decision on three factors: an affinity score between the user and the one who’s created the post, the type of post (comment, like, create or tag), and time lapsed since it was created. The first basically means that you will see posts from friends you have interacted with and like to interact with on the social network.

In January, Catherine Grevet, a PhD student at the Georgia Institute of Technology in the US, studied this algorithm in the light of politics and concluded that people tend to get attracted to circles of friends who affirm to their own political leanings, all because of Facebook’s algorithms. “People are mainly friends with those who share similar values and interests,” Grevet wrote in the study. “As a result, they aren’t exposed to opposing viewpoints.” Grevet presented the study at the 17th ACM Conference on Computer-Supported Cooperative Work and Social Computing in the US in February.

Alok Sharma, a Mumbai-based creative writer who used to be a political cartoonist, says social media has led to Indians opening up. “We are taught to be a little politically correct, especially in face-to-face conversations. But when it comes to social networking sites, Indians express their views like fanatics,” he says. He blocked a couple of Facebook friends after a spate of personal comments on one of his posts. “My friends know me and get the crux of what I might be trying to say in a thread but there are others who are on my Friends list but don’t understand the context and take it all wrong.”

The misunderstanding arises because many of us post on the network as we would speak among friends and not as we would say things in public. “Facebook is not a community, a clique or a group of friends,” says Nishant Shah, director of research at Bangalore-based non-profit The Centre for Internet and Society. “It is just a network,” he says. That means that not all people on your Facebook list are friends—you are just connected to them on the network. You might have a professional relationship with them, be teammates or acquaintances or colleagues, but you don’t know them personally. Given that the average Facebook user has 229 Facebook friends—according to the numbers from US think tank Pew Research Center’s Internet Project which tracks statistics about the social network—that’s just too many people to even know personally.

“The audience on the social network is much larger than the friend list, including Facebook itself, which, if it finds your comment problematic, will censor even before a complaint is produced,” says Shah. A post on Facebook or a comment or a like, can get you in trouble not just with other individuals or communities who take offence but even the law, as happened to a girl in 2012 who put up a post criticizing the shutdown of Mumbai after the death of Shiv Sena patriarch Bal Thackeray.

“Though used like it, Facebook is not a conversation,” says Shah, “Because everything you write is archived and recorded. And can be used against you if need be.”

A medium to shout in

But would you shout at a stranger on the street as you do on Facebook? Basav Biradar, a programme manager based in Bangalore, actively posts on politics and comments on Facebook. He feels most people on Facebook give strong opinions that are not well-informed. “A lot of these opinions are dependent on propaganda and campaigns rather than facts. Why don’t people do some homework before forming an opinion?” With over 100 million Indians active on the social network, however, an uninformed opinion is hardly reason to stop anyone from posting, commenting, liking, offending and getting offended through posts on Facebook.

Shah calls this phenomenon cyber-bullying in politics. “Specific vocal and passionate groups and communities have emerged who silence any voice of dissent or critique by trolling the dissident,” says Shah. “They do not need anonymity. They don’t try to hide who they are. They feel so empowered by the backing of the politicos who are either hiring or supporting them, that they have risen in hordes and are stifling the space for dissent and questioning even more effectively than they have been able to do in real life.”

It’s almost like standing in a rally and hearing a swarm of slogans. Sashi Kumar, chairman of the trust Media Development Foundation that runs the Asian College of Journalism, Chennai, gives a similar analogy. He believes that the language of communication on Facebook is not written but oral. “Writing implies a well thought through opinion, whereas speech is responsive and involved. Within the Internet, there’s a strange morphing of written form which is expressed in a way of oral communication. You speak to someone on Facebook, you respond, you hear, you react, you communicate, you talk.” He says that this morphing is leading society back to more oral forms of communication where written forms like newspapers will be a thing of the past.

Replacing traditional media

	With surprising events like the support for Jan Lokpal law, Pink Chaddi campaign and even the backlash against the December 2012 gang rape case in Delhi, social media seems to have somewhere, somehow made all of us more participative, more aware and more active in political and social spaces. Most politicians have active Twitter and Facebook accounts. Most newspapers and even news channels quote their feed as statements when summing up news. Social networks have become almost mainstream. So much so that when earlier in March Modi attacked Bihar chief minister Nitish Kumar at a political rally in Muzaffarpur, Bihar, Kumar’s response was detailed, and through a Facebook post.

With surprising events like the support for Jan Lokpal law, Pink Chaddi campaign and even the backlash against the December 2012 gang rape case in Delhi, social media seems to have somewhere, somehow made all of us more participative, more aware and more active in political and social spaces.

Most politicians have active Twitter and Facebook accounts. Most newspapers and even news channels quote their feed as statements when summing up news. Social networks have become almost mainstream. So much so that when earlier in March Modi attacked Bihar chief minister Nitish Kumar at a political rally in Muzaffarpur, Bihar, Kumar’s response was detailed, and through a Facebook post.

A joint study by the IRIS Knowledge Foundation, a public service initiative of business and financial information provider IRIS Business Services Pvt. Ltd, and the industry body Internet and Mobile Association of India, suggests that social media use is now sufficiently widespread to influence the outcome of the next general election and consequently government formation. The March research, which studied Facebook’s own data, claims that among the social media spaces, Facebook users have the maximum clout.

Kumar agrees and feels that news now is more user-generated: “It’s the people who want to pursue their own news, know more about their own news, create news. In a way it democratizes journalism. People are talking more about issues, giving opinions and comparing notes. Politics has shifted from the streets to these social medias.”

The future holds more participation, and a sense of being a stakeholder in the political process. An “enlarging of political participation”, as Kumar puts it. “Of course because everyone has a mike, a mouthpiece now, there will be lot of more trivial conversation and hairsplitting which might not add up to anything, but the important thing is that people are engaging themselves politically. We are on the streets. All because of technology.”

For more details visit https://cis-india.org/news/livemint-april-1-2014-shweta-taneja-the-politics-of-facebook

New privacy Bill more refined & has wider ambit, say experts

praskrishna — 2014-04-03T11:06:51Z

But creates wide exceptions for government agencies.

The article by Surabhi Agarwal was published in the Business Standard on April 2, 2014. CIS welcomes changes in the Bill but is cautious of the wide exceptions.

The government’s latest attempt to draft a privacy Bill is being termed by as a refined one by experts as it expands its ambit.

However, the Bill creates some wide exceptions for law enforcement and intelligence agencies to collect personal information of individuals. The government has made several attempts at drafting a privacy Bill since 2010, with the aim of protecting individuals against data misuse by government or private agencies.

The first draft, released in 2011, extended the Right to Privacy to citizens of India. But, the 2014 version has expanded its ambit to cover all residents of the country. The 2014 Bill also recognises the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India. In contrast, the 2011 Bill did not explicitly recognise the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.

Both the drafts include a list of circumstances under which authorisation for the collection and processing of sensitive personal data is not required. The lists are broadly the same. However, the latest version exempts insurance company and government intelligence agencies collecting or processing data “in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.”

A Bangalore-based Internet think-tank Centre for Internet and Society said it welcomed many changes in the Bill, but were cautious on the wide exceptions.

“The Bill carves out another exception for government agencies, allowing disclosure of sensitive personal data without consent to government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation, including cyber incidents, prosecution and punishment of offences,” the Centre for Internet and Society said in a note analysing the provisions of the Bill.

The privacy Bill was originally conceptualised to ensure the data collected by the government under various new projects such as Aadhaar or the National Information Grid (NATGRID) are not misused in any way. But incidents, such as the tapping of phone conversations involving former lobbyist Niira Radia, prompted the government to expand the ambit of the privacy law from just being a data protection one to also cover surveillance and interception.

However, it was unable to reach a consensus due to inter-ministerial conflicts as the law was superseding various provisions under several existing legislations.

The government also set up a committee under retired Delhi high court judge Ajit P Shah under the aegis of the Planning Commission to study international best practices on privacy and surveillance. This committee filed a report in 2012.

Some additions to the Bill include the term personal identifier, defined by any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.

The Bill has also re-defined sensitive personal data to denote personal data relating to physical and mental health, including medical history, biometric, bodily or genetic information, criminal convictions, password, banking credit and financial data, narco analysis or polygraph test data and sexual orientation.

Once the law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary.

It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.

For more details visit https://cis-india.org/news/business-standard-april-3-2014-surabhi-agarwal-new-privacy-bill-more-refined-has-wider-ambit-say-experts

Marco Civil da Internet: Brazil’s ‘Internet Constitution’

geetha — 2014-06-19T10:38:10Z

On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.

Introduction:

Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.” Brazil, she said, would “redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.”

Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to NETmundial, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping devise a workable method to divest the U.S. Government of its de facto control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.

But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he called for an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “good democracy, healthcare, connected communities and diversity of culture”. Some countries agree. The Philippines envisaged a Magna Carta for Internet Freedom, though the Bill is pending in the Philippine parliament.

Marco Civil da Internet:

Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the Marco Civil da Internet, bill 2126/2011, a charter of Internet rights. The Marco Civil is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee hailing the “groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet”.

The Marco Civil’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process involved a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.

An official English translation of the Marco Civil is as yet unavailable. But an unofficial translation (please note that the file is uploaded on Google Drive), triangulated against online commentary on the bill, reveals that the following issues were of primary importance:

The fundamentals:

The fundamental principles of the Marco Civil reveal a commitment to openness, accessibility neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “to information, knowledge and participation in cultural life and public affairs”. It aims to promote innovation and open technology standards, while ensuring interoperability.

The Marco Civil expands on its commitment to human rights and accessibility by laying down a “discipline of Internet use in Brazil”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “technical measures consistent with international standards and by encouraging the implementation of best practices”.

These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.

Rights and responsibilities of users and service providers:

Net neutrality:

Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the Marco Civil requires all Internet providers to “to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic only on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.

Data retention, privacy and data protection:

The Marco Civil includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, record, retention and access to Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained only upon judicial authorization.

Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (with penal consequences) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.

While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the Marco Civil, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if court order is denied, the service provider must protect the confidentiality of the connection records.

Though initially excluded from the Marco Civil, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.

These requirements must be understood in light of the rights that the Marco Civil guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their content; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “inviolability of intimacy and privacy”, including the confidentiality of all Internet communications, along with “compensation for material or moral damages resulting from violation”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “clear and complete information on the collection, use, storage, treatment and protection of their personal data”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.

Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the Marco Civil prima facie set down robust protections for private and personal data and communications.

An initial draft of the Marco Civil sought to mandate local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her statement to the United Nations, declared that Brazil sought to protect itself from “illegal interception of communications and data”. However, the implications of this local storage requirement was the creation of a geographically isolated Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the Marco Civil itself sought to protect. Moreover, there are implications for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then withdrawn which, some say, propelled the quick passage of the bill in the Chamber of Deputies.

Intermediary liability:

Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The Marco Civil addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a copyright reforms bill seeks to address.

At first instance, the Marco Civil exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content only where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to appraise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.

This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring idenfiability of infringing content.

Conclusion:

Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.”

Of course, the Marco Civil is not without its failings. Authors say that the data retention requirements by connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, is problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignores the interoperability and openness that forms the core of the Internet.

On the whole, though, the Marco Civil may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national border, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the Marco Civil as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.

For more details visit https://cis-india.org/internet-governance/blog/marco-civil-da-internet