We are anonymous, we are legion

Will the WTO Finally Tackle the ‘Trump’ Card of National Security?

basu — 2019-05-08T14:22:14Z

The election of Donald Trump has marked a foundational challenge to the rules-based international order based on “free and fair trade”.

The article by Arindrajit Basu was published in the Wire on May 8, 2019.

From stonewalling appointments at the appellate body of the WTO’s dispute settlement body (DSB) to slapping exorbitant steel and aluminium tariffs on a variety of countries, Trump has attempted to desecrate an institution that he views as being historically unfair to America’s national interests.

Given this potentially cataclysmic state of affairs, a WTO panel report adopted last month regarding a transport restriction dispute between the Russia and Ukraine would ordinarily have attracted limited attention. In reality, this widely celebrated ruling was the first instance of the WTO mechanism mounting a substantive legal resistance to Trump’s blitzkrieg.

The opportunity arose from the Russian Federation’s invocation of the ‘national security exception’ carved into the Article XXI of the General Agreement on Tariffs and Trade (GATT-the primary WTO covered agreement dealing with trade in goods.)

This clause has rarely been invoked by a litigating party at the DSB and never been interpreted by the panel or appellate body due to the belief among WTO member states that the exception is ‘self-judging’ i.e. beyond the purview of WTO jurisdiction sovereign prerogative to use as they see fit.

Over the past couple of years, the provision has taken on a new avatar with trade restrictions being increasingly used as a strategic tool to accomplish national security objectives. In addition to the Russian Federation, in this case, it was used by the UAE to justify sanctions against Qatar in 2017and notably by the US administration in response to the commencement of WTO proceedings by nine countries (including India) against its steel and aluminum tariffs.

India itself has also cited the clause in its diplomatic statements when justifying revocation of the Most Favoured Nation Status to Pakistan, although this has not yet resulted in proceedings at the WTO.

Even though the panel held in favour of Russia, this report lays down the edifice for dismantling the Trump Administration’s present strategy. By explicitly stating that Article XXI is not entirely beyond review of the WTO, the panel report gives a cause de celebre for all countries attempting to legally battle Trump’s arbitrary protectionist cause disguised as genuine national security concerns.

At the same time, it might act as a source of comfort for Huawei and China as it allows them to challenge the legality of banning Huawei (as some countries have chosen to do) at the WTO.

History of Article XXI

Article XXI had an uncertain presence in the legal architecture of the WTO from its very inception. It had its origins in the US proposal to establish the International Trade Organisation. The members of the delegation themselves were divided between those who wanted to preserve the sovereign right of the United States to interpret the extent of the exception as it saw fit and others who felt that this provision would be abused to further arbitrary protectionism. The delegate of Australia was also skeptical about the possible exclusion of dispute resolution through a mere invocation of the security exception.

Given this divergence, the drafters of the provision thus sought to create a specific set of exceptions in order to arrive at a compromise that “would take care of real security interests” while limiting “the exception so as to prevent the adoption of protection for maintaining industries under every conceivable circumstances”.

To attain that objective, the provision in the ITO Charter, which was reflected in Article XXI of GATT 1947 was worded thus:

Nothing in this Agreement shall be construed

to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests;

or to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests (i) relating to fissionable materials or the materials from which they are derived; (ii) relating to the traffic in arms, ammunition and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment; (iii) taken in time of war or other emergency in international relations; or

to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security

Article XXI has been historically invoked in cases where national security is devised as a smokescreen for protectionism. For example, in 1975, Sweden cited Article XXI to justify global import restrictions it had had slapped on certain types of footwear. It argued that a decrease in domestic production of said kinds of footwear represented ” a critical threat to the emergency planning of its economic defense.” There was sustained criticism from some states, who questioned Sweden’s juxtaposition of a national security threat with economic strife, claiming that they too were suffering from severe unemployment at the time and the Swedish restrictions would be devastating for their economic position.

The Swedish problem dissipated when Sweden withdrew the restrictions but the uncertain peril of Article XXI remained.

In another instance, the US themselves had previously relied on the security exception to justify measures prohibiting all imports of goods and services of Nicaraguan origin to the US in addition to all U.S. exports to Nicaragua.It argued that Article XXI was self-judging and each party could enact measures it considered necessary for the protection of its essential security interests. In fact, it was successful in keeping its Article XXI invocation outside the terms of reference (which establishes the scope of the Panel’s report), which precluded the Panel from asserting its jurisdiction and examining the provision. It is worth noting, though, that the Panel was critical of the US for utilising the provision in this case and emphasised the need for balancing this exception against the need to preserve the stability of global trade.

The recent spate of national security driven justifications to subvert the adjudicatory powers of the WTO provided a necessary opportunity for the panel to clarify its stance on this issue.

The findings of the panel

The findings of the panel can be divided into three broad clusters:

1) The WTO tribunals’ jurisdiction over the security exception: Right from the outset, the panel clearly stated that it had jurisdiction to adjudicate the matter at hand. It rebutted Russia’s claim that any country invoking the exception had unfettered discretion in the matter

2) The ambit of the self-judging nature of the security clause: Both the Russian Federation and the United States, which had filed a third party submission, re-emphasised the supposed self-judging nature of the security clause due to the incorporation of the words “ which it[the WTO member] considers necessary for the protection of its essential security interests” in clause (2) of the provision.

However, the panel argued that the sub-paragraphs (i)-(iii) require an objective review by the Panel to determine whether the state of affairs indicated in the sub-paragraphs do, in fact, exist. In this way, the Panel added,the three sub-clauses act as “limiting qualifying clauses.” The determination of the measures that may be ‘necessary’ for protecting their ‘essential security interests’ are then left to each WTO member. By interpreting the clause in this manner,the Panel deftly preserved the sovereign autonomy of member states while preventing the bestowing of carte blanche’ ability to take shelter behind the provision.

3) Determination of emergency in international relations: The use of the term “other emergency in international relations” as used in the provision is an amorphous one because the term ‘emergency’ is not clearly defined in international law. Therefore, the Panel relied on UN General Assembly Resolutions and the fact that multiple states had imposed sanctions on Russia to conclude that there was, in fact, an ‘emergency’ in international relations in this case. In doing so, the Panel upheld the transport restrictions imposed by Russia. However, the implications extend far beyond the immediate impact on the two parties.

Implications of the ruling

Before considering the implications of this report, we must consider that, like in other avenues of international law, the municipal legal principle of stare decisis does not apply to Panel or Appellate Body decisions. This means that future panels are not bound by law to follow the finding in this report.

However, WTO tribunals have often used the reasoning put forward in previous panel or Appellate Body reports to support their findings.

Steel and aluminium tariffs

The US, whose third party submission failed to sway the panel has recognised the potential implications of the report and disparaged it as being “seriously flawed”. They have also discouraged the WTO tribunals deciding the steel and aluminium tariff disputes from using it as precedent.

However, Australia, Brazil, Canada, China, European Union, Japan, Moldova, Singapore and Turkey had all filed third party submissions which encouraged the panel to assert its jurisdiction in the matter and have openly supported the panel’s approach – which would be a boost for the panels set up to adjudicate the Trump sanctions.

Given the groundwork laid out by the panel in this dispute, it would be difficult for the US to satisfy the panel’s understanding of ‘emergency in international relations’ as the Panel clearly stated that “political or economic differences between Members are not sufficient, of themselves, to constitute an emergency in international relations for purposes of subparagraph (iii)”.

Huawei and cybersecurity

In addition to steel and aluminium tariffs, the panel’s decision also has an impact on the rapidly unfolding Huawei saga. Huawei, which is the world’s largest telecom equipment company and is now taken the lead in the race to develop one of the world’s most critical emerging technologies: fifth generation mobile telephony.

However, Huawei has recently fallen out of favour with the US and other western countries amidst suspicions of them enabling the Chinese government to spy on other countries by incorporating backdoors into their infrastructure.

Various countries, including Australia, Japan, New Zealand have effectively banned Huawei from public participation while the US has prevented government agencies from buying Huawei infrastructure-triggering litigation by Huawei seeking to prevent the move.India has adopted an independent approach by allowing Huawei to participate in field trials of 5G equipment despite Indian agencies flagging concerns over the use of Chinese made telecom equipment.

On April 11, China complained about the Australian decision at the formal meeting of the WTO’s Council for Trade in Goods by highlighting its discriminatory impact on China. To defend itself, Australia may need to invoke Article XXI and argue that the ban fits in under one of the sub-paragraphs (i)-(iii) of clause (2) The report by this panel, may, therefore propel the WTO’s first big foray into cybersecurity and enable it to act as a multi-lateral adjudicator of the critical geo-political issues discussed in this piece.

The history of international law has been a history of powerful nations manipulating its tenets for strategic gain. At the same time, it has been a history of institutional resilience, evolution and change. The World Trade Organisation is no exception. Despite several aspects of the WTO ecosystem being severely flawed with a disparate impact on vulnerable groups in weaker nations, it has been the bulwark of the modern geo-economic order.

By taking the ‘national security’ exception head on, the panel has undertaken a brave act of self-preservation and foiled the utilisation of a dangerous trump card.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-arindrajit-basu-may-8-2019-will-the-wto-finally-tackle-the-trump-card-of-national-security

An Analysis of the RBI’s Draft Framework on Regulatory Sandbox for Fintech

vipul — 2019-05-08T13:57:49Z

The term Fintech is generally used to describe innovative technology and technological processes being used in the financial services sector.

Click here to download the file.

It originated as a term referring to the back-end technology used by large financial institutions, but has expanded to include technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investments, etc. Entities engaged in FinTech offer an array of services ranging from peer-to-peer lending platforms and mobile payment solutions to online portfolio management tools and international money transfers.

Regulation and supervision of the Fintech industry raises some unique challenges for regulatory authorities as they have to strike a balance between financial inclusion, stability, integrity, consumer protection, and competition. One of the methods that have been adopted by regulators in certain jurisdictions to tackle the complexities of this sector is to establish a “regulatory sandbox” which could nurture innovative fintech enterprises while at the same time ensuring that the risk associated with any regulatory relaxations is contained within specified boundaries. It was precisely for this reason that establishment of a regulatory sandbox was one of the options put forward by the Working Group on Fintech and Digital Banking established by the Reserve Bank of India in its report of November, 2017 which was released for public comments on February 8, 2018. Acting on this recommendation the Reserve Bank has proposed a Draft Enabling Framework for Regulatory Sandbox, dated April 18, 2019, (“RBI Framework”) which is analysed and discussed below.

Regulatory Sandbox and its benefits

While the basic concept of a regulatory sandbox is to ensure that there is regulatory encouragement and incentive for fledgling Fintech enterprises in a contained environment to mitigate risks, different regulatory authorities have adopted varied methods of achieving this objective. While the Australian Securities and Exchange Commission (ASIC) uses a method where the eligible enterprises notify the ASIC and commence testing without an individual application process, the Financial Conduct Authority, UK (FCA) uses a cohort approach wherein eligible enterprises have to apply to the FCA which then selects the best options based on criteria laid down in the policy. The RBI has, not surprisingly, adopted an approach similar to the FCA wherein applicants will be selected by the RBI based on pre-defined eligibility criterion and start the regulatory sandbox in cohorts containing a few entities at a time.

A regulatory sandbox offers the users the opportunity to test the product’s viability without a larger and more expensive roll out involving heavy investment and regulatory authorizations. If the product appears to have the potential to be successful, it might then be authorized and brought to the broader market more quickly. If there are any problems with the product the limited nature of the sandbox ensures that the consequences of the problems are contained and do not affect the broader market. It also allows regulators to obtain first-hand empirical evidence on the benefits and risks of emerging technologies and business models, and their implications, which allows them to take a considered (and perhaps more nuanced) view on the regulatory requirements that may be needed to support useful innovation, while mitigating the attendant risks. A regulatory sandbox initiative also sends a clear signal to the market that innovation is on the agenda of the regulator.

RBI Draft Framework

Since the RBI has adopted a cohort approach for its regulatory sandbox process (“RS”), it implies that fintech entities will have to apply to the RBI to be selected in the RS. The eligibility criterion provides that the applicants will have to meet the eligibility conditions prescribed by the government for start-ups as per the Government of India, Department of Industrial Policy and Promotion, Notification GSR 364(E) April 11, 2018. The RS will focus on areas where (i) there is an absence of regulations, (ii) regulations need to be eased to encourage innovation, and (iii) the innovation/product shows promise of easing/effecting delivery of financial services in a significant way. The Framework also provides an indicative list of innovative products and technologies which could be considered for RS testing, and at the same time prohibits certain products and technologies from being considered for this programme such as credit registry, crypto currencies, ICOs, etc.

The RBI Framework also lays down specific conditions that the entity has to satisfy in order to be considered for the RS such as satisfaction of the conditions to be considered a start-up, minimum net worth requirements, fit and proper criteria for Directors and Promoters, satisfactory conduct of bank accounts of promoters/directors, satisfactory credit score, technological readiness of the product for deployment in the broader market, ensuring compliance with existing laws and regulations on consumer data and privacy, adequate safeguards in its IT systems for protection against unauthorised access etc. and a robust IT infrastructure and managerial resources. The fit and proper criteria for Directors and Promoters which requires elements of credit history along with the minimum net worth requirements in the RBI Framework are conditions which may be too difficult for some of the smaller and newer start-ups to satisfy even though the technology and products they offer might be sound. The applicants are also required to: (i) highlight an existing gap in the financial ecosystem and how they intend to address that, (ii) show a regulatory barrier or gap that prevents the implementation of the solution on a large scale, (iii) clearly define the test scenarios, expected outcomes, boundary conditions, exit or transition strategy, assessment and mitigation of risks, etc.

The RBI Framework specifies that the focus of the RS should be narrow in terms of areas of innovation and limited in terms of intake. While limits on the number of entities per cohort may be justified based on paucity of resources, limiting the focus of the RS by narrow areas of innovation is a lost opportunity in terms of sharing of ideas and learning from the mistakes of their colleagues who may be employing technologies and principles which could be useful in fields other than those where they are currently being applied.

The RBI Framework specifies that the boundaries of the RS have to be well defined so that any consequences of failure can be contained. These boundary conditions include a specific start and end date, target customer type and limits on number of customers, cash holdings, transaction amounts and customer losses. The Framework does not put in place any hard numbers on the boundary conditions which ensures that the RS process can be customised to the needs of specific entities since the sample sizes and data needed to determine the viability of fintech entities and products may vary from product to product. However a major dampener is the hard limit of 12 weeks imposed on the testing phase of the RS, which is the most important phase since all the data from the operations is generated during this phase and 12 weeks may not be enough time to generate enough reliable data so as to reach a determination of the viability of the product.

Although the RBI has shown a willingness to relax regulatory requirements for RS participants on a case to case basis, it has specified that there shall be no relaxation on issues of customer privacy and data protection, security of payment data, transaction security, KYC requirements and statutory restrictions. Since this is only an initiative by the RBI the RS participants dealing with the insurance or securities sector would not be entitled to any relaxations from the IRDA or the SEBI even if they are found eligible for relaxations from RBI regulations. This would severely limit the efficacy of the RS process and is an issue that could have been addressed if all three regulators had collaborated thereby encouraging innovative start-ups offering a broader spectrum of services.

Once the RS is finished, the regulatory relaxations provided by the RBI will expire and the fintech entity will have to either stop operations or comply with the relevant regulations. In case the entity requires an extension of the RS period, it would apply to the RBI atleast one month prior to the expiry of the RS period with reasons for the extension. The RBI also has the option of prematurely terminating the sandbox process in case the entity does not achieve its intended purpose or if it cannot comply with the regulatory requirements and other conditions specified at the relevant stage of the sandbox process. The fintech entity is also entitled to quit the RS process prematurely by giving one week’s notice to the RBI, provided it ensures that all its existing obligations to its customers are fully addressed before such discontinuance. Infact customer obligations have to be met by the fintech entities irrespective of whether the operations are prematurely ended by the entity or it continues through the entire RS process; no waiver of the legal liability towards consumers is provided by the RS process. In addition, customers are required to be notified upfront about the potential risks and their explicit consent is to be taken in this regard.

The RBI Framework itself lists out some of the risks associated with the regulatory sandbox model such as (i) loss of flexibility in going through the RS process, (ii) case by case determinations involve time and discretional judgements, (iii) no legal waivers, (iv) requirement of regulatory approvals after the RS process is over, (iv) legal issues such as consumer complaints, challenges from rejected candidates, etc. While acknowledging the above risks the Framework also mentions that atleast some of them may be mitigated by following a time bound and transparent process thus reducing risks of arbitrary discretion and loss of flexibility.

Conclusions

While there are some who are sceptical of the entire concept of a regulatory sandbox for the reason that it loosens regulation too much while at the same time putting customers at risk, the cohort model adopted by the RBI would reduce that risk to an extent since it ensures comprehensive screening and supervision by the RBI with clear exit strategies and an emphasis on consumer interests. On the other hand the eligibility criterion for applicants prescribes minimum net worth requirements as well as credit history, etc. which may impose conditions too onerous for some start ups which may be their infancy. Further the clear emphasis on protection of customer privacy and consumer interests also ensures that the RBI will not put the interests of ordinary citizens at risk in order to promote new and untested technologies. That said, the regulatory sandbox process is a welcome initiative by the RBI which may send a signal to the financial community that it is aware of the potential advantages as well as risks of Fintech and is willing to play a proactive role in encouraging new technologies to improve the financial sector in India.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

Jenik, Ivo, and Kate Lauer. 2017. “Regulatory Sandboxes and Financial Inclusion.” Working Paper. Washington, D.C.: CGAP, available at https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf

Other countries which have regulatory sandboxes are Netherlands, Bahrain, Abu Dhabi, Saudi Arabia, etc.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

These conditions are fairly liberal in that they require that the entity should be less than 7 years old; should not have a turnover of more than 25 crores, and should be working for innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation.

Clause 5 of the RBI Framework.

Clause 6.1 of the RBI Framework.

Clause 6.3 of the RBI Framework.

Clause 6.5 of the RBI Framework.

Clause 6.4 of the RBI Framework.

Clause 6.7 of the RBI Framework.

Clauses 6.2 and 8 of the RBI Framework.

Clause 6.6 of the RBI Framework.

Clause 6.9 of the RBI Framework.

Jemima Kelly, A “fintech sandbox” might sound like a harmless idea. It's not, Financial Times, Aplphaville, https://ftalphaville.ft.com/2018/12/05/1543986004000/A--fintech-sandbox--might-sound-like-a-harmless-idea--It-s-not/

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech

Why the TikTok ban is worrying

gurshabad — 2019-05-05T10:11:28Z

Rather than critically examining the infringement of liberties by the political executive, the Indian courts are becoming an additional threat to the right to freedom of expression, which we must be increasingly wary of.

The article by Gurshabad Grover was published in Hindustan Times on May 2, 2019.

In a span of less than two weeks, the Madras High Court has imposed and lifted a ban on the TikTok mobile application, an increasingly popular video and social platform. While rescinding the ban is welcome, the events tell a worrying tale of how the courts can arbitrarily censor online expression with little accountability.

On April 3, the Madras High Court heard a public interest litigation petitioning for the TikTok mobile app to be banned in India because it was “encouraging pornography”, “degrading culture”, “causing paedophiles”, spreading “explicit disturbing content” and causing health problems for teenagers. It is difficult to establish the truth of these extreme claims about content on the platform that has user generated content, but the court was confident enough to pass wide ranging interim orders on the same day without hearing ByteDance, the company that operates the Tik Tok app.

The interim order had three directives. First, the Madras High Court ordered the government to prohibit the downloading of the app. Second, it restricted the media from broadcasting videos made using the app. Third, it asked the government to respond about whether it plans to enact legislation that would protect children’s online privacy. While the third directive poses an important question to the government that merits a larger discussion, the first two completely lacked a legal rationale. The court order also implied that the availability of pornography on the platform was problematic, even though it is not illegal to access pornography in India.

Appallingly, the order makes no mention at all of the most pertinent legal provision: Section 79 of the Information Technology (IT) Act and the rules issued under it, which form the liability regime applicable to intermediaries (online services). The intermediary liability rules in India generally shield online platforms from liability for the content uploaded to their platform as long as the company operating is primarily involved in transmitting the content, complies with government and court orders, and is not abetting illegal activity. It is this regime that has ensured that online platforms are not hyperactively censoring expression to avoid liability, and has directly supported the proliferation of speech online.

The courts do have some powers of online censorship under the provision, which they have used many times in the past. They have the authority to decide on questions of whether certain content violates law and then direct intermediaries to disable access to that specific content. Such a legal scenario was certainly not the case before the Madras High Court. We can also be sure that the app stores run by Apple and Google, on which TikTok is available, were not the intermediaries under consideration here (which would also be problematic in its own ways) since the interim order makes no mention of them. So, despite the fact that the court’s order had no clear jurisdiction and legal basis, Apple and Google were ordered by the government to remove TikTok from their respective mobile app stores for India.

ByteDance Technology appealed to the Supreme Court of India to rescind the ban, arguing that they qualify as intermediaries under the IT Act and should not face a blanket ban as a repercussion of allegedly problematic content on their platform. The Supreme Court refrained from staying the problematic Madras High Court interim order, but decided that the ban on the app will be lifted by April 24 if the case wasn’t decided by then. On April 24, sense finally prevailed when the High Court decided to take the interim directive back.

Admittedly, popular online platforms can create certain social problems. TikTok has faced bans elsewhere and was fined by the Federal Trade Commission in the United Sates for collecting information on its users who were below the age of 13. There is no debate that the company is legally bound to follow the rules issued under the IT Act, be responsive to legally valid government and court orders, and should strictly enforce their community guidelines that aim to create a safe environment for the young demographic that forms a part of its user base. However, a ban is a disproportionate move that sends signals of regulatory uncertainty, especially for technology companies trying to break into an increasingly consolidated market. The failure of the government to enact a law that protects children’s privacy also cannot be considered a legitimate ground for a ban on a mobile app.

Perhaps most importantly, the interim court order adds yet another example to the increasing number of times the judiciary has responded to petitions by passing censorship orders that have no basis in law. As constitutional scholar Gautam Bhatia has pointed out, we are faced with the trend of “judicial censorship” wherein the judiciary is exercising power without accountability in ways not envisioned by the Constitution. Rather than critically examining the infringement of liberties by the political executive, the Indian courts are becoming an additional threat to the right to freedom of expression, which we must be increasingly wary of.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-may-2-2019-gurshabad-grover-why-the-tik-tok-ban-is-worrying

Cyber criminals hide in the ‘dark web’ to remain anonymous

Tushar Kaushik — 2019-05-02T13:55:39Z

An increasing number of cyber criminals are using the dark web — the encrypted part of the internet that cannot be tracked — to shop for software that helps them remain anonymous while carrying out their crimes.

The article by Tushar Kaushik was published in Economic Times on May 2, 2019. Karan Saini was quoted.

The dark web is a part of the deep web, the non-indexed part of the world wide web that cannot be accessed by standard search engines such as Google and requires encrypted networks such as Tor browser.

The most significant feature of this world is that the identity of its users is hidden and cannot be tracked, which is why several illicit products such as weapons and drugs are available here. Cyber criminals, too, appear to be shopping here.

According to app developer and cofounder of TBG Labs Harsha Halvi, the deep web makes up as much as about 65- 75% of the world wide web. “Many tools that can be used to commit cyber frauds are available on the dark web,” said cyber crime police station inspector M Chandrappa. Deputy superintendent at the cyber crime police station of CID MD Sharath said it was difficult to ascertain the frequency of usage of such applications by criminals.

Those fighting cyber crime in Bengaluru say that as most cases are not detected, chances are that more and more criminals are using the dark web. While investigating a case recently, a suspect admitted to having downloaded a software from the dark web that enabled him to disguise his number and also prevent it from being traced, the police said. “If a person has used tools from the dark web to hide his number, the investigation ends right there, as we do not have the necessary tools and software to trace the person,” a senior police officer said.

Experts say that while there are ways to trace activity on the dark web, police officials would require special training and specific information about the activity. Security researcher and policy officer at the Centre for Internet and Society Karan Saini said, “Attempting to track unconventional online behaviour would call for development of new methods, along with formal training for those involved, especially if malicious actors are using the Tor network to carry out illicit activities instead of the clear web.”

Halvi said some agencies like the FBI deploy ethical hackers to track specific websites on the dark web. “But they, too, have to rely on getting specific information from people to investigate the dark web. It is a time-consuming process.”

Bitcoin transactions are the preferred mode of payment for purchases on the dark web as they cannot be traced. However, Saini said some US-based researchers have written academic papers on how bitcoin exchanges can be tracked.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-2-2019-tushar-kaushik-cyber-criminals-hide-in-the-dark-web-to-remain-anonymous

How privacy fares in the 2019 election manifestos | Opinion

Aayush Rathi and Ambika Tandon — 2019-05-02T01:49:39Z

We now have a rights-based language around privacy in the mainstream political discourse but that’s where it ends.

The article by Aayush Rathi and Ambika Tandon was published in the Hindustan Times on May 1, 2019.

In August 2017, the Supreme Court, in Puttaswamy vs Union of India, unanimously recognised privacy as a fundamental right guaranteed by the Constitution. Before the historic judgment, the right to privacy had remained contested and was determined on a case-by-case basis. By understanding privacy as the preservation of individual dignity and autonomy, the judgment laid the groundwork to accommodate subsequent landmark legislative moves — varying from decriminalising homosexuality to limiting the use of the Aadhaar by private actors.

Reflecting the importance gained by privacy within public imagination, the 2019 elections are the first time it finds mention across major party manifestos. In 2014, the Communist Party of India (Marxist) was the only political party to have made commitments to safeguarding privacy, albeit in a limited fashion. For the 2019 election, both the Congress and the CPI(M) promise to protect the right to privacy if elected to power. The Congress promises to “pass a law to protect the personal data of all persons and uphold the right to privacy”. However, it primarily focuses on informational privacy and its application to data protection, limited to the right of citizens to control access and use of information about themselves.

The CPI(M) focuses on privacy more broadly while promising to protect against “intrusion into the fundamental right to privacy of every Indian”. In a similar vein, both the Congress and the CPI(M) also commit to bringing about surveillance reform by incorporating layers of oversight. The CPI(M) manifesto further promises to support the curtailment of mass surveillance globally. It promises to enact a data privacy law to protect against “appropriation/misuse of private data for commercial use”, albeit without any reference to misuse by government agencies.

On the other hand, the Samajwadi Party manifesto proposes the reintroduction of the controversial NATGRID, an overarching surveillance tool proposed by the Congress in the aftermath of the 26/11 Mumbai attacks. In this backdrop, digital rights for individuals are conspicuous by their absence from the Bharatiya Janata Party’s manifesto. Data protection is only seen in a limited sense as being required in conjunction with increasing digital financialisation.

The favourable articulation of privacy in some of the manifestos should be read along with other commitments across parties around achieving development goals through the digital economy. Central to the operation of this is aggregating citizen data. Utilising this aggregated data for predictive abilities is key to initiatives being proposed in the manifestos —digitising health records, a focus on sunrise technologies, such as machine learning and big data, and readiness for “Industry 5.0” are some examples.

The right is then operationalised in a manner that leads data subjects to pick between their privacy and accessing services being provided by the data collector. Relinquishing privacy becomes the only option especially when access to welfare services is at stake.

The discourse around privacy in India has historically been used to restrict individual freedoms. In the Puttaswamy case, Justice DY Chandrachud, in his plurality opinion, acknowledges feminist scholarship to broaden the understanding of the right to privacy to one that protects bodily integrity and decisional privacy for marginalised communities. This implies protection against any manner of State interference with decisions regarding the self, and, more broadly, the right to create a private space to allow the personality to develop without interference. This includes protection from undue violations of bodily integrity such as protecting the freedom to use public spaces without fear of harassment, and criminalising marital rape.

While the articulation of privacy in the manifestos is a good start, it should be much more. Governance must implement the right to look beyond the individualised conception of privacy so as to allow it to support a whole range of freedoms, rather than limiting it to data protection. This could take the shape of modifying traditional legal codes. Family law, for instance, could be reshaped to allow for greater exercise of agency by women in marriage, guardianship, succession etc. Criminal law, too, could render inadmissible evidence obtained through unjustified privacy violations. The manifestos do mark the entry of a rights-based language around privacy and bodily integrity into mainstream political discourse. However, there appears to be a lack of imagination of the extent to which these protections can be used to further individual liberty collectively.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-may-1-2019-aayush-rathi-and-ambika-tandon-how-privacy-fares-in-the-2019-election-manifestos

FinTech in India: A Study of Privacy and Security Commitments

Aayush Rathi and Shweta Mohandas — 2019-05-02T11:20:30Z

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. This report studies the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.

Access the full report: Download (PDF)

The report by Aayush Rathi and Shweta Mohandas was edited by Elonnai Hickok. Privacy policy testing was done by Anupriya Nair and visualisations were done by Saumyaa Naidu. The project is supported by the William and Flora Hewlett Foundation.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.In India, the Information Technology (Reasonable Security Practices andProcedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.

The objective of this study is to understand privacy commitments undertaken by fintech companies operating in India as documented in their public facing privacy policies. This exercise will be useful to understand what standards of privacy and security protection fintech companies are committing to via their organisational privacy policies. The research will do so by aiming to understand the alignment of the privacy policies with the requirements mandated under the SPD/I Rules. Contingent on the learnings from this exercise, trends observed in fintech companies’ privacy and security commitments will be culled out.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-shweta-mohandas-april-30-2019-fintech-in-india-a-study-of-privacy-and-security-commitments

April 2019 Newsletter

praskrishna — 2019-09-04T14:36:41Z

The Centre for Internet & Society (CIS) newsletter for April 2019.

Highlights for March 2019

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. Aayush Rathi and Shweta Mohandas have co-authored a report which has analysed the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.
In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Vipul Kharbanda has provided a deeper analysis on this in his research paper.
CIS has responded to ICANN's proposed renewal of .org Registry. CIS has found severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process. Akriti Bopanna drafted the response.
The Department of Industrial Policy and Promotion released a draft e-commerce policy in February for which stakeholder comments were sought. CIS responded to the request for comments.
CIS Access to Knowledge team (CIS-A2K) has submitted its proposal form for the year 2019 - 2020 to the Wikimedia Foundation. CIS thanks all community members who gave valuable suggestions and inputs for drafting this proposal.
In 2017–2018, the Wikimedia Foundation (WMF) and Google collaborated to start a pilot project in India, working closely with the Centre for Internet and Society (CIS) and the Wikimedia Indiachapter (WMIN). This project, titled Project Tiger was aimed at encouraging Wikipedia communities to create locally relevant and high-quality content in Indian languages. CIS-A2K team submitted Project Tiger final report.
The r@w blog features works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media and society, and highlights and materials from ongoing research and events at the researchers@work programme at CIS. On the r@w blog we featured an essay titled 'The Internet in the Indian Judicial Imagination' by Divij Joshi, as part of a series on Studying Internet in India (2015); and audio recording of a session titled #ObjectsofDigitalGovernance by Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian which was part of the Internet Researchers Conference, 2017.

Jobs

CIS is hiring:

CIS-A2K Finance Officer: Call for application (Only women candidates).
Internship - applications accepted throughout the year.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019).
To preserve freedoms online, amend the IT Act (Gurshabad Grover; April 16, 2019).
Digital Native: Getting through an election made for the social media gaze (Nishant Shah; Indian Express; April 21, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Reddit, Telegram among websites blocked in India, say internet groups (Sai Sachin Ravikumar; Business Standard; April 3, 2019).
Data leaks could wreak havoc in India, so why aren’t they an issue this election? (Aria Thaker; Quartz India; April 4, 2019).
Cookies, not the monster you may think (Sweta Akundi; Hindu; April 8, 2019).
TikTok craze a ticking time bomb for city (Gulam Jeelani with inputs from Priyanka Sharma and Ajay Kumar; India Today; April 17, 2019).
Almost every social network has a porn problem—so why is India banning only TikTok? (Ananya Bhattacharya; Quartz India; April 19, 2019).
Child protection and cyber-grooming: Indian court rescinds its own Tiktok ban (Leon Kaiser; Netzpolitik.org; April 24, 2019).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipdedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Project Proposal / Reports

Supporting Indian Language Wikipedias Program/Report (Gopala Krishna A; April 5, 2019).

CIS-A2K proposal to Wikimedia Foundation for 2019-2020 (Ananth Subray; April 15, 2019).

Blog Entries

Wikimedia projects orientation session at Tata Trust's Vikas Anvesh Foundation (Subodh Kulkarni; April 9, 2019).
Indic Wikisource Speak: Sushant Savla (Jayanta Nath; April 10, 2019).
SVG Translation Workshop at KBC North Maharashtra University (Subodh Kulkarni; April 10, 2019).
Content Donation Sessions with Authors (Subodh Kulkarni; April 10, 2019).
Indic Wikisource speak : Ajit Kumar Tiwari (Jayanta Nath; April 11, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Research Paper

International Cooperation in Cybercrime: The Budapest Convention (Vipul Kharbanda; April 29, 2019).

Privacy

Research Paper

FinTech in India: A Study of Privacy and Security Commitments (Aayush Rathi and Shweta Mohandas; April 30, 2019).

Submission

CIS Response to Call for Stakeholder Comments: Draft E-Commerce Policy (Arindrajit Basu, Vipul Kharbanda, Elonnai Hickok and Amber Sinha; April 10, 2019).

Participation in Events

IETF 104 Prague (Organized by IETF; Prague; March 23 - 29, 2019). Karan Saini and Gurshabad Grover participated in the event.
The Phantom Public: The Role of Social Media in Democracy (Organized by Ambedkar University; New Delhi; April 3, 2019).
(re) conference (Organized by CREA; New Delhi; April 10 - 12, 2019).
Data for Development: Mapping key considerations for policy and practice in India (Organized by Azim Premchand University; April 24, 2019). Arindrajit Basu delivered a talk.

Artificial Intelligence

Participation in Event

Policy Lab on Artificial Intelligence & Democracy (Organized by Tandem Research, in partnership with Microsoft Research and Friedrich-Ebert-Stiftung; Bangalore; April 2-3, 2019). Shweta Mohandas participated in the event.

Free Speech and Expression

Submission

CIS Response to ICANN's proposed renewal of .org Registry (Akriti Bopanna; April 28, 2019).

Event Organized

Internet Speech: Perspectives on Regulation and Policy ( Organized by CIS; India Habitat Centre, New Delhi; April 5, 2019).

Blog Entry

DIDP #33 On ICANN's 2012 gTLD round auction fund (Akriti Bopanna; April 4, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Call for Essays: Studying Internet in India (Sumandro Chattapadhyay; April 6, 2019).

Blog Entries

The Internet in the Indian Judicial Imagination (Divij Joshi; April 21, 2019).
#ObjectsOfDigitalGovernance (Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian; April 21, 2019).

Telecom

Article

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019 and Organizing India Blogspot; April 4, 2019).

Participation in Event

BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services (Organized by Broadband India Forum; Taj Mahal Hotel, Mansingh Road, New Delhi; April 5, 2019). Anubha Sinha was a panellist at a BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services”.

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2019-newsletter

International Cooperation in Cybercrime: The Budapest Convention

vipul — 2019-04-29T22:35:37Z

In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.

Click to download the file here

However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.^{^[1]}

Extradition

Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for atleast one year.^{^[2]} In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.^{^[3]} Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.^{^[4]} The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.^{^[5]}

The Convention also recognises the principle of "aut dedere aut judicare" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,^{^[6]} then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.^{^[7]} The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.^{^[8]}

Mutual Assistance Requests

The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.^{^[9]} Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.^{^[10]} However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.

The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.^{^[11]} Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.^{^[12]}

Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;^{^[13]} (ii) the request concerns an offence considered as a political offence by the requested Party;^{^[14]} or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, ordre public or other essential interests.^{^[15]} The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.^{^[16]} In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.^{^[17]}

In practice it has been found that though States refuse requests on a number of grounds,^{^[18]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.^{^[19]} A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:

“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.

British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.

Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.

A.T. was extradited to Norway and prosecuted.”^{^[20]}

It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.

In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.^{^[21]} On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.^{^[22]} If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.^{^[23]}

In the normal course the Convention envisages requests being made and executed through the respective designated central authorities, however it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even the Interpol.^{^[24]} Even in non urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.^{^[25]}

The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,^{^[26]} (ii) provide real time collection of traffic data with specified communications in its territory;^{^[27]} and (iii) provide real time collection or recording of content data of specified communications.^{^[28]} The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.

The procedure for sending mutual assistance requests under the Convention is usually the following:

Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.
Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).
The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.

The following procedure is then followed in the corresponding receiving Party:

Receipt of the request by the Central Authority.
Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).
Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).
Issuance of a court order (if needed).
Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.
Data obtained is examined against the MLA request, which may entail translation or

using a specialist in the language.

The information is then transmitted to requesting State via MLA channels.^{^[29]}

In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently) investigations are often abandoned.^{^[30]} Further, the lack of awareness regarding procedure and applicable legislation of the requested State lead to formal requirements not being met. Requests are often incomplete or too broad; do not meet legal thresholds or the dual criminality requirement.^{^[31]}

Preservation Requests

The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.

The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.^{^[32]} However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.^{^[33]} In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, ordre public or other essential interests of the requested Party.^{^[34]}

In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.^{^[35]} Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.^{^[36]} If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.^{^[37]}

Jurisdiction and Access to Stored Data

The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.^{^[38]} The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction; (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.^{^[39]} These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state, infact if a state was required to take the permission of the state in the territory of which the data was physically located even in these situations, then it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.^{^[40]}

Since the language of the Budapest Convention stopped shy of addressing other situations law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis risking the privacy rights of individuals raising concerns regarding national sovereignty.^{^[41]} It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011 which came out with a Guidance Note clarigying the legal position under Article 32.

The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.^{^[42]} The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.^{^[43]} The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.^{^[44]}

The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data, they would not own or control the data and therefore cannot give valid consent to share the data.^{^[45]} The Guidance Note also specifies that with respect to the location of the person providing access or consent, while the standard assumption is that the person would be physically located in the requesting Party however there may be other situations, “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.^{^[46]}

Production Order

A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.^{^[47]} It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.^{^[48]} Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.^{^[49]} However subscriber information^{^[50]} can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.^{^[51]}

Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.^{^[52]} Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.

Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.^{^[53]}

The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.^{^[54]} A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.^{^[55]} The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:^{^[56]}

PRODUCTION ORDER CAN BE SERVED
IF The criminal justice authority has jurisdiction over the offence
AND The service provider is in possession or control of the subscriber information
AND
The service provider is in the territory of the Party (Article 18(1)(a))	Or	A Party considers that a service provider is “offering its services in the territory of the Party” when, for example: - the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and - the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party. (Article 18(1)(b))
AND
		the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.

The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention are clearly too slow to be a satisfactory long term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[57]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[58]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, specially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,^{^[59]} and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.^{^[60]}

Language of Requests

It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English atleast in urgent cases since most States accepted a request in English.^{^[61]} Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.^{^[62]}

24/7 Network

Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.^{^[63]} The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer-or computer-related crimes.^{^[64]} In practice however it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[65]}

Drawbacks and Improvements

The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:

Weakness and Delays in Mutual Assistance: In practice it has been found that though States refuse requests on a number of grounds,^{^[66]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason by police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.^{^[67]} The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.

Access to data stored outside the territory: Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.^{^[68]} It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[69]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[70]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.

Language of requests: Language of requests create a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment, a provisional draft Additional Protocol to address the issue.^{^[71]}

Bypassing of 24/7 points of contact: Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[72]}

India and the Budapest Convention

Although countries outside the European Union have the option on signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:

India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties, where it had no hand in the initial drafting and negotiations.^{^[73]}
Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.^{^[74]}
The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.^{^[75]}
It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.^{^[76]}
Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.^{^[77]}

Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.^{^[78]}

Conclusion

The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative which is the MLAT system is no better due to delays in providing access to requested data.^{^[79]} This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (specially in the financial sector) which may involve examination of electronic evidence. However that does not mean the end of the road for the Budapest Convention, one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address atleast some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option as this could be an incentive for non signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.

^{^[1]} Council of Europe, Explanatory Report to the Convention on Cybercrime, https://rm.coe.int/16800cce5b, para 304.

^{^[2]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.

^{^[3]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(5).

^{^[4]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(3).

^{^[5]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(2).

^{^[6]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 251.

^{^[7]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(6).

^{^[8]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(7).

^{^[9]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(1).

^{^[10]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[11]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(2).

^{^[12]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.

^{^[13]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[14]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(a).

^{^[15]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(b).

^{^[16]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(5).

^{^[17]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(6).

^{^[18]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[19]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[20]} Pedro Verdelho, Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice, 2008, pg. 5, https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF, accessed on March 28, 2019.

^{^[21]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(8).

^{^[22]} However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. See para 278 of the the Explanatory Note to the Budapest Convention.

^{^[23]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 28.

^{^[24]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(a) and (b).

^{^[25]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.

^{^[26]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 31.

^{^[27]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 33.

^{^[28]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 34.

^{^[29]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 37.

^{^[30]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 123.

^{^[31]} Ibid at 124.

^{^[32]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.

^{^[33]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(4).

^{^[34]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(5).

^{^[35]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(6).

^{^[36]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(7).

^{^[37]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 30.

^{^[38]} Anna-Maria Osula, Accessing Extraterritorially Located Data: Options for States, http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf, accessed on March 28, 2019.

^{^[39]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 32.

^{^[40]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 293.

^{^[41]} Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, Transborder access and jurisdiction: What are the options?, December 2012, para 310.

^{^[42]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.

^{^[43]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.

^{^[44]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.

^{^[45]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.

^{^[46]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.

^{^[47]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 18.

^{^[48]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 170.

^{^[49]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[50]} Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

^{^[51]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[52]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.

^{^[53]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.

^{^[54]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.

^{^[55]} Id.

^{^[56]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.

^{^[57]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[58]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[59]} Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, Criminal justice access to data in the cloud: challenges (Discussion paper), May 2015, pgs 10-14.

^{^[60]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.

^{^[61]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 35.

^{^[62]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[63]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 35.

^{^[64]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 298.

^{^[65]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[66]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[67]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 7.

^{^[68]} Giovanni Buttarelli, Fundamental Legal Principles for a Balanced Approach, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf

^{^[69]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[70]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[71]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[72]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[73]} Dr. Anja Kovaks, India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders, available at https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/

^{^[74]} Alexander Seger, India and the Budapest Convention: Why not?, Digital Debates: The CyFy Journal, Vol III, available at https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

^{^[75]} Id.

^{^[76]} Id.

^{^[77]} Id.

^{^[78]} https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/

^{^[79]} Elonnai Hickok and Vipul Kharbanda, Cross Border Cooperation on Criminal Matters - A perspective from India, available at https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention

Almost every social network has a porn problem—so why is India banning only TikTok?

Ananya Bhattacharya — 2019-04-28T04:46:36Z

TikTok is in some serious trouble in India. Though it isn’t the only one battling a rising tide of porn, violence, and fake news, the country’s courts have singled out the Chinese video-sharing app for a ban.

The article by Ananya Bhattacharya was published in Quartz India. Shweta Mohandas was quoted.

Incumbents such as Twitter, WhatsApp, and Facebook have been fighting the same problems as TikTok has, but they haven’t yet faced such extreme measures. Several experts have called the Madras high court ban on the world’s most popular video app a “kneejerk reaction” that is “outsized.”

“While it is important to place appropriate curbs on porn and trolling, this decision sounds extreme since there are myriad ways to spread the two vices,” Anindya Ghose, the Heinz Riehl professor of business at New York University’s Stern School, told Quartz.

So why is TikTok bearing the brunt?

Singled out?

Unlike TikTok, most other social media and video/photo sharing apps are largely private and controlled in nature, which means a post can only be seen by a limited network of a user. “The issue with TikTok is it encourages interactivity over videos,” said Prasanto Roy, a New Delhi-based tech policy consultant. “Facebook and Instagram start out with smaller circles or friends groups, while TikTok can get to a larger audience quickly—including allowing video interaction with strangers.”

Given that TikTok is much younger to most others in the segment, the app lacks certain safeguards to ensure users’ safety. For instance, there are no checks & balances on the app to moderate user-generated content, experts told Quartz.

“Other social media (platforms) pro-actively filter out content that violate their community guidelines,” Shweta Mohandas, policy officer at the Centre for Internet and Society of India (CIS), told Quartz. “The fact that TikTok’s community guidelines’ reporting mechanism is based on user reports could be a reason why the porn problem has become more prevalent.”

Although some cases slip through the gaps, Facebook and Google are proactively blocking search terms related to child porn. Facebook and Instagram are also using sophisticated artificial intelligence (AI) tools to detect revenge porn. Vernacular-language social network Sharechat also has algorithms that flag illicit content. “YouTube gives you policies and they remove your video or puts a strike against your account, but there’s no such rule or guideline on TikTok,” Indian YouTuber and TikTok-user Kulbushan Kundalwal said in a videoreacting to the ban.

It has been trying to strengthen its systems lately.

The app, which lets users create and post 15-second-long videos, has set up a team of content moderators who speak a number of regional languages. It has also hosted awareness drives featuring celebrities. However, it relies mostly on user reports.

Clearly, these measures are not enough and millions of its Indian users—almost 40% of the app’s 500 million user base—remain exposed to risks.

In the US, too, TikTok was berated based on similar concerns. It recently settled with the Federal Trade Commission, paying $5.7 million (Rs40 crore), the largest civil penalty ever collected in a child privacy violation case in the US.

Will this ban help?

Taking the app down can slam the brakes on its meteoric rise, but won’t kill it. Banning one app won’t change user behaviour, experts said.

For starters, users who have it installed can continue using it. And though it’s not directly available for download from the app store, there are ways to get it. In fact, getting on the app is easy: Any existing user can share the app with others through platforms like ShareIt.

TikTok is not a unique proposition.

There are also several third-party app stores, other than those of Google and Apple—apkpure, androidapkbox, and uptodown, among others—where TikTok is still available.

In any case, it is not the only source of dangerous content online. “TikTok is not a unique proposition,” Gurugram-based market research firm techARC said in a note. The ban has already begun to boost similar apps.

For instance, since April 16, around the time when news of a likely ban on TikTok in India began floating, video-sharing app Like has been trending as the third most popular in India on analytics site App Annie’s charts, techARC found.

“There is a need to have a holistic approach to getting rid of such digital menace that cannot be absolved by technology or legal recourse alone,” techARC founder and chief analyst Faisal Kawoosa said.

For more details visit https://cis-india.org/internet-governance/news/ananya-bhattacharya-quartz-india-april-19-2019-india-bans-tiktok-over-porn-but-not-facebook-twitter-instagram

Jugendschutz und Cyber-Grooming: Indisches Gericht hebt eigenen Tiktok-Bann wieder auf

Leon Kaiser — 2019-04-28T04:42:18Z

Der Streit um Tiktok geht in die nächste Runde: Nachdem Google und Apple die Video-App kürzlich aus ihrem Angebot streichen mussten, nahm ein indisches Gericht seine Anordnung heute wieder zurück. Im Fall geht es um Pornografie, Cyber-Grooming und die weiterhin ungeklärte Frage, wie mit großen Plattformen rechtlich umgegangen werden soll.

The article by Leon Kaiser was published in Netzpolitik.org on April 24, 2019.

In Indien schwelt seit Anfang April eine Auseinandersetzung zwischen Gerichten um die Video-App Tiktok. Ein Obergericht in Chennai hat heute entschieden, die selbst angeordnete Verbannung der App aus den Stores von Google und Apple wieder aufzuheben.

Zuvor hatte das höchste Gericht in Delhi den Fall zurück nach Chennai verwiesen und auf dem Einsatz eines dritten Gutachters gedrängt. Der argumentierte heute, dass ein Gericht die Einschränkung von App-Downloads nicht fordern könne, da es damit geltendem Recht widerspricht. Das Gericht nahm daraufhin die Anordnung unter einer Einschränkungen zurück.

Seinen Anfang nahm der Streit mit einer einstweiligen Anordnung, die das Madras High Court in Chennai Anfang April erlassen hatten. Die Richter warnten darin vor der App; sie degradiere die Kultur und befördere Pornografie. Sie berichteten auch von Suizidfällen und Mobbing auf der Plattform. Außerdem schütze die App ihre jungen Nutzer:innen nicht ausreichend vor Cyber-Grooming. Als Konsequenz sollte der Download der App beschränkt werden. Medien wurde die Nutzung von Tiktok-Videos in der Berichterstattung untersagt und die Regierung dazu aufgefordert, ein Gesetz zum Schutz von Kindern im Internet zu verabschieden.

Google und Apple setzen Wünsche der Regierung um

Tiktok ist ein soziales Netzwerk, in dem vor allem kurze Videoschnipsel geteilt werden. Nutzer:innen können beliebige Videos verfremden, remixen oder mit Musik unterlegen. Außerdem kann man Aufnahmen mit einem eigenen Video kommentieren und so visuell und ohne viel Text aufeinander Bezug nehmen. Indien ist mit über 120 Millionen Nutzer:innen nach China – dort heißt die App Douyin– der zweitgrößte Markt. Die App ist auch unter Jugendlichen in Deutschland beliebt und hat hierzulande gut vier Millionen Nutzer:innen

Am 16. April bat die indische Regierung dann Apple und Google, die App aus ihrem Angebot in Indien zu streichen. Bürgerrechtler:innen kritisierten den Schritt, die Auswahl von Tiktok sei willkürlich und andere Plattformen mit ähnlichen Problemen konfrontiert. Zudem sei Pornografie nicht illegal, was bei Cyber-Grooming sehr wohl der Fall ist. Die US-Konzerne setzten die Forderung ohne großes Aufsehen um, woraufhin neue Nutzer:innen die App dort vorübergehend nicht mehr herunterladen konnten.

Die Kritik an Tiktok ist auch aus anderen Ländern bekannt. Es gibt Recherchen und Berichte zu Fällen von Cyber-Grooming und sexueller Belästigung Minderjähriger. Die Federal Trade Commission in den USA belegte den chinesischen Konzern ByteDance, dem Tiktok gehört, mit einer Strafe von 5,7 Millionen Euro, weil er achtlos mit den Daten von Kindern umging.

Uploadfilter auch in Indien?

In Indien ist der Fall in zwei politische Entwicklungen eingebettet. Zum einen wird in Indien derzeit gewählt. Die Stimmabgabe läuft noch bis zum 19. Mai, womit sich der Wahlkampf in der heißen Phase befindet. Zumindest vereinzelt werden politische Botschaften und Parodien auch auf Tiktokverbreitet. Es gibt aber keine Untersuchungen darüber, wie wichtig die relativ junge App für den politischen Disksurs ist.

Zum anderen legte die Regierung Ende letzten Jahres einen Entwurf für eine Überarbeitung des indischen IT Acts vor. Die neuen „Intermediary Guidelines“ würden der Rechtswissenschaftlerin Chinmayi Arun zufolge der indischen Regierung weitreichende Befugnisse gegenüber Online-Plattformen im Land geben. Das Gesetz enthält auch eine Verpflichtung für die „proaktive“ Entfernung von „illegalen Informationen und Inhalten“ vor. Damit würden Plattformen zum Einsatz von Uploadfiltern verpflichtet, die Schwelle dafür wäre der schwammige Begriff „illegal“. Access Now kritisierte, dass das Gesetz Menschenrechte einschränke.

Das Gesetz ist noch nicht verabschiedet und so argumentierte der Gutachter heute mit der bestehenden Gesetzeslage. Er sagte, dass App-Anbieter gesetzlich als Intermediäre gelten und keine Haftungspflicht für alle Inhalte auf ihren Plattformen haben. Doch auch die aktuelle Rechtslage ist kritisch zu sehen. Sie entlässt profitorientierte Unternehmen vorschnell aus ihrer Verantwortung, wie Sunil Abraham vom Center for Internet and Society in Bangalore schreibt. Das Gericht schränkte die Aufhebung der Anordnung allerdings ein: Fänden sich weiterhin pornografische Inhalte in der App, könnte der Bann möglicherweise wieder eingesetzt werden. Die Rechtsanwälte von Tiktok beriefen sich im Gericht darauf, dass bereits viele Inhalte automatisiert ausgefiltert würden.

For more details visit https://cis-india.org/internet-governance/news/leon-kaiser-netzpolitik-april-24-2019-jugendschutz-und-cyber-grooming-indisches-gericht-hebt-eigenen-tiktok-bann-wieder-auf

CIS Response to ICANN's proposed renewal of .org Registry

akriti — 2019-04-28T02:16:40Z

We thank ICANN for the opportunity to comment on this issue of its proposed renewal of the .org Registry Agreement with the operator, Public Interest Registry (PIR). Supporting much of the community , we too find severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process (PDP).

Presumption of Renewal

CIS has, in the past, questioned the need for a presumption of renewal in registry contracts and it is important to emphasize this within the context of this comment as well. We had, also, asked ICANN for their rationale on having such a practice with reference to their contract with Verisign to which they responded saying:

“Absent countervailing reasons, there is little public benefit, and some significant potential for disruption, in regular changes of a registry operator. In addition, a significant chance of losing the right to operate the registry after a short period creates adverse incentives to favor short term gain over long term investment.”

This logic can presumably be applied to the .org registry, as well, yet a re-auction of ,even, legacy top-level domains can only serve to further a fair market, promote competition and ensure that existing registries do not become complacent.

These views were supported in the course of the PDP on Contractual Conditions - Existing Registries in 2006 wherein competition was seen useful for better pricing, operational performance and contributions to registry infrastructure. It was also noted that most service industries incorporate a presumption of competition as opposed to one of renewal.

Download the file to access our full response.

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-april-28-2019-cis-response-to-icanns-proposed-renewal-of-org-registry

Data for Development: Mapping key considerations for policy and practice in India

Admin — 2019-04-25T15:17:55Z

On 24 April 2019 Arindrajit Basu delivered a talk at an event titled at Data for Development:Mapping key considerations for policy and practice in India at Azim Premchand University.

Arindrajit presented some of CIS's work on artificial intelligence and its work on privacy and the SriKrishna Bill, some of the constitutional contours of India's data governance policies and some of the larger implications on India's foreign policy vision as an emerging economy.

For more details visit https://cis-india.org/internet-governance/news/data-for-development-mapping-key-considerations-for-policy-and-practice-in-india

TikTok craze a ticking time bomb for city

Gulam Jeelani — 2019-04-17T08:46:05Z

Unlike YouTube, where videos take a long time to upload, on TikTok it happens in a matter of seconds. Not just the youth, the trend has captured the imagination of criminals too.

The article by Gulam Jeelani with inputs from Priyanka Sharma and Ajay Kumar was published in India Today on April 17, 2019. Shweta Mohandas was quoted.

Last Saturday, 19-year-old Salman Zakir was accidentally shot dead when his friend and he were shooting a video at central Delhi's Ranjit Singh flyover - to be uploaded on the Chinese mobile application TikTok. The latest craze of filming short duration videos for this app, which uploads these within seconds, is giving headaches to the police, as well as parents.

In the last two weeks, the police have arrested at least six youth (including two of Salman's friends), who were caught posing with guns, making clips and uploading those on the app. Responding to this frenzy, the Union Ministry for Electronics and Information Technology on Tuesday asked Google and Apple to take down TikTok from their app stores.

The order came a day after the Supreme Court refused to stay a Madras High Court order asking the Centre to ban the viral app for the potential harm it could cause owing to inappropriate content being posted - pornography and violence. The ministry's order may lead to pulling down the app from the Google Play Store and Apple App Store, preventing any further downloads. The order will not, however, prevent people who have already downloaded the app from using it.

OF GUNS AND GRANDSTANDING

Salman, along with his friends Sohail and Amir, had gone out for a drive to India Gate. While returning, Sohail sitting next to Salman, who was driving the car, pulled out a country-made pistol. He aimed it at Salman while trying to make the TikTok video, but the pistol went off shooting him on his left cheek. In February this year, a daily wage worker was allegedly killed by his friend in Tiruvallur district of Tamil Nadu for uploading an abusive video targeting another community, on Tik-Tok. The video even led to tension and unrest in the village.

Unlike YouTube, where videos take a long time to upload, on TikTok it happens in a matter of seconds. Not just the youth, the trend has captured the imagination of criminals too. Two weeks before Salman's death, apparently carried away by TikTok's online popularity, two criminals landed in the police net after a video featuring them flaunting pistols surfaced on the app. Shahzada Parvez (24) and Monu (23), had been on the police's radar for long.

"They were fans of singer Honey Singh. Earlier, too, they shot a video brandishing pistols at a community function and put it on social media," deputy commissioner of Delhi Police Anto Alphonse said.

"The young and the restless have a tendency to try out new applications in order to gain quick popularity on the web," added Madhur Verma, deputy commissioner of police, New Delhi.

TikTok, known as Douyin in China, where the parent company is based, is a mobile app for filming and sharing videos set to music or a voice-over. With a reported 500 million subscribers worldwide, India is the biggest market for the app, comprising almost 40% of global downloads. According to market analysis firm Sensor Tower, India accounted for 88.6 million new users out of 188 new users in the March quarter.

QUITE A FAD

The app is the latest fad to give parents and teachers cause for concern after the popularity of dangerous online dares such as the Blue Whale Challenge and Kiki Car. "I had seen my son shooting videos at home and at times he would ask me to pose as well. But I came to know about TikTok when his teacher called me," said Vaishali Dhar, a resident of East Nizamuddin, whose son studies in class 8. "I have decided not to encourage him."

Apart from homes and schools, teenagers have been spotted shooting videos in public places such as the recently opened Signature Bridge which connects Wazirabad to East Delhi. Police have had to resort to chasing people shooting videos atop their cars on the bridge. The app is also a rage among Bollywood-crazed Indians who post videos lip-syncing to songs or reciting movie dialogues. It allows the creation of a 15-second video with the user miming to songs. The videos range from harmless to the explicit, depending upon the users one follows.

Last week, ByteDance, the company that owns TikTok, said it had removed more than six million videos that violated its guidelines. The company has appealed against the stay against the ban, claiming it would harm free speech. "We are committed to continuously enhancing our existing measures and introducing additional technical and moderation processes as part of our ongoing commitment to our users in India," it said in an emailed statement.

OVERUSE & ABUSE

But can the app itself be blamed for its misuse? Experts advocate taking the awareness and sensitisation approach than imposing a blanket ban. Faisal Kawoosa, Chief Analyst at Gurugram-based market research firm techARC, says the easy and inexpensive availability of the Internet and increased smartphone penetration has contributed to the growth of TikTok, and other apps in the country. "Banning is no solution. If you can't download it from the app store (which is authentic), you will encourage illegal downloads which are even more dangerous," adds Kawoosa.

"Even in a Google sign-up, one needs to be above 18 years of age. So it is more about ethics that we practise than an app having a problem," he said. Some experts also raised data privacy concerns which come with the application. "The issue with these apps as with other apps is that it is not clear in which way the data is being processed, stored, or shared with third parties," said Shweta Mohandas, policy officer at the Centre for Internet and Society, a Bengaluru-based research and advocacy non-profit.

"I do not think that a ban on Tik-Tok is a solution. People forget that the existing videos can still be shared on other social media platforms. A young person with TikTok on his or her phone will in all probability be active on other social media and messaging apps. A better approach is to sensitise people about the way the app functions, and the information that is public on the app," she said.

In the US, the app has been accused of collecting personal data from users under the age of 13 without parental consent. "Every other person has a mobile phone today. In the recent past, the Blue Whale challenge, Kiki car challenge and now TikTok have become an entertainment tool for the youth and schoolchildren. In order to attain instant fame and validation from peers with likes and shares, they end up making viral videos on social media," said Dr Rajeev Mehta, Vice Chairman of psychiatry department at Sir Ganga Ram Hospital.

For more details visit https://cis-india.org/internet-governance/news/india-today-april-17-2019-gulam-jeelani-tik-tok-craze-a-ticking-time-bomb-for-city

To preserve freedoms online, amend the IT Act

gurshabad — 2019-04-16T10:09:41Z

Look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.

The article by Gurshabad Grover was published in the Hindustan Times on April 16, 2019.

The issue of blocking of websites and online services in India has gained much deserved traction after internet users reported that popular services like Reddit and Telegram were inaccessible on certain Internet Service Providers (ISPs). The befuddlement of users calls for a look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.

Among other things, Section 69A of the Information Technology (IT) Act, which regulates takedown and blocking of online content, allows both government departments and courts to issue directions to ISPs to block websites. Since court orders are in the public domain, it is possible to know this set of blocked websites and URLs. However, the process is much more opaque when it comes to government orders.

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, issued under the Act, detail a process entirely driven through decisions made by executive-appointed officers. Although some scrutiny of such orders is required normally, it can be waived in cases of emergencies. The process does not require judicial sanction, and does not present an opportunity of a fair hearing to the website owner. Notably, the rules also mandate ISPs to maintain all such government requests as confidential, thus making the process and complete list of blocked websites unavailable to the general public.

In the absence of transparency, we have to rely on a mix of user reports and media reports that carry leaked government documents to get a glimpse into what websites the government is blocking. Civil society efforts to get the entire list of blocked websites have repeatedly failed. In response to the Right to Information (RTI) request filed by the Software Freedom Law Centre India in August 2017, the Ministry of Electronics and IT refused to provide the entire of list of blocked websites citing national security and public order, but only revealed the number of blocked websites: 11,422.

Unsurprisingly, ISPs do not share this information because of the confidentiality provision in the rules. A 2017 study by the Centre for Internet and Society (CIS) found all five ISPs surveyed refused to share information about website blocking requests. In July 2018, the Bharat Sanchar Nagam Limited rejected the RTI request by CIS which asked for the list of blocked websites.

The lack of transparency, clear guidelines, and a monitoring mechanism means that there are various forms of arbitrary behaviour by ISPs. First and most importantly, there is no way to ascertain whether a website block has legal backing through a government order because of the aforementioned confidentiality clause. Second, the rules define no technical method for the ISPs to follow to block the website. This results in some ISPs suppressing Domain Name System queries (which translate human-parseable addresses like ‘example.com’ to their network address, ‘93.184.216.34’), or using the Hypertext Transfer Protocol (HTTP) headers to block requests. Third, as has been made clear with recent user reports, users in different regions and telecom circles, but serviced by the same ISP, may be facing a different list of blocked websites. Fourth, when blocking orders are rescinded, there is no way to make sure that ISPs have unblocked the websites. These factors mean that two Indians can have wildly different experiences with online censorship.

Organisations like the Internet Freedom Foundation have also been pointing out how, if ISPs block websites in a non-transparent way (for example, when there is no information page mentioning a government order presented to users when they attempt to access a blocked website), it constitutes a violation of the net neutrality rules that ISPs are bound to since July 2018.

While the Supreme Court upheld the legality of the rules in 2015 in Shreya Singhal vs. Union of India, recent events highlight how the opaque processes can have arbitrary and unfair outcomes for users and website owners. The right to access to information and freedom of expression are essential to a liberal democratic order. To preserve these freedoms online, there is a need to amend the rules under the IT Act to replace the current regime with a transparent and fair process that makes the government accountable for its decisions that aim to censor speech on the internet.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act

Reddit, Telegram among websites blocked in India, say internet groups

Sai Sachin Ravikumar — 2019-04-15T10:32:54Z

Discussion board Reddit, messaging service Telegram and comedy site College Humor have been blocked for intermittent periods, say internet groups.

The article by Sai Sachin Ravikumar was published in Business Standard on April 3, 2019. Gurshabad Grover was quoted.

Websites like Reddit and Telegram are being blocked in India by internet service providers, throwing into question the enforcement of net neutrality rules, advocacy groups said on Wednesday.

Restrictions on "torrent sites" that offer free movie and music downloads are routine in India to prevent copyright infringement. Pornography websites are also blocked by court orders seeking to protect children.

But in recent months, websites such as the discussion board Reddit, messaging service Telegram and comedy site College Humor have been blocked for intermittent periods, often for days and only in some regions, baffling internet users.

"It's not making any sense, what's happening," said Apar Gupta, executive director at the non-profit Internet Freedom Foundation (IFF). "A lot of these blocks are also happening in such a way that no notices are displayed." Since January, there have been at least 250 reports of websites blocked on networks operated by Jio, a unit of Reliance Industries, Bharti Airtel and Hathway, the IFF said in a letter to the telecoms department.

Jio and Airtel are among India's top telecom providers.

Some internet users have posted on social media screenshots of pages displaying messages saying a website was blocked to comply with government orders.

When Reuters tried to access CollegeHumor.com on Wednesday a message read: "Your requested URL has been blocked as per the directions received from Department of Telecommunications, Government of India."

An official at the telecoms department, which last year approved rules on net neutrality--the concept that all websites and data on the Internet be treated equally--declined to comment when contacted by Reuters.

Complaints by Indian internet users have covered "most forms of net neutrality violations," IFF's Gupta said.

Nearly 60 per cent of the user reports compiled by the foundation since January involved Jio networks, the IFF's data showed.

A Jio representative did not respond to an emailed request for comment. Hathway did not reply to phone and email requests for comment.

Bharti Airtel said in a statement it "supports an open internet" and does not block content unless directed by authorities. It did not say if it was currently blocking any websites.

Reddit did not respond to an emailed request for comment outside regular U.S. business hours.

Telegram, which has been blocked previously in Russia and Iran, did not immediately respond to a phone message seeking comment.

If websites are blocked based on government or court orders, or internet firms have legal grounds to restrict web pages, they might not violate net neutrality rules, said Gurshabad Grover, a researcher at the non-profit Centre for Internet and Society.

"But in this case we're not entirely sure," he said.

Other sites blocked this year include tax portal Taxscan and legal database Indian Kanoon.

After complaints from Jio's internet users, Indian Kanoon founder Sushant Sharma said he had been told by Jio the portal was blocked for one day last week due to a government order.

"By evening, apparently, that order was taken back," said Sharma, whose website has some 150,000 daily visitors.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sai-sachin-ravikumar-april-3-2019-reddit-telegram-among-websites-blocked-in-india