We are anonymous, we are legion

FinTech in India: A Study of Privacy and Security Commitments

Aayush Rathi and Shweta Mohandas — 2019-05-02T11:20:30Z

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. This report studies the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.

Access the full report: Download (PDF)

The report by Aayush Rathi and Shweta Mohandas was edited by Elonnai Hickok. Privacy policy testing was done by Anupriya Nair and visualisations were done by Saumyaa Naidu. The project is supported by the William and Flora Hewlett Foundation.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.In India, the Information Technology (Reasonable Security Practices andProcedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.

The objective of this study is to understand privacy commitments undertaken by fintech companies operating in India as documented in their public facing privacy policies. This exercise will be useful to understand what standards of privacy and security protection fintech companies are committing to via their organisational privacy policies. The research will do so by aiming to understand the alignment of the privacy policies with the requirements mandated under the SPD/I Rules. Contingent on the learnings from this exercise, trends observed in fintech companies’ privacy and security commitments will be culled out.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-shweta-mohandas-april-30-2019-fintech-in-india-a-study-of-privacy-and-security-commitments

April 2019 Newsletter

praskrishna — 2019-09-04T14:36:41Z

The Centre for Internet & Society (CIS) newsletter for April 2019.

Highlights for March 2019

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. Aayush Rathi and Shweta Mohandas have co-authored a report which has analysed the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.
In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Vipul Kharbanda has provided a deeper analysis on this in his research paper.
CIS has responded to ICANN's proposed renewal of .org Registry. CIS has found severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process. Akriti Bopanna drafted the response.
The Department of Industrial Policy and Promotion released a draft e-commerce policy in February for which stakeholder comments were sought. CIS responded to the request for comments.
CIS Access to Knowledge team (CIS-A2K) has submitted its proposal form for the year 2019 - 2020 to the Wikimedia Foundation. CIS thanks all community members who gave valuable suggestions and inputs for drafting this proposal.
In 2017–2018, the Wikimedia Foundation (WMF) and Google collaborated to start a pilot project in India, working closely with the Centre for Internet and Society (CIS) and the Wikimedia Indiachapter (WMIN). This project, titled Project Tiger was aimed at encouraging Wikipedia communities to create locally relevant and high-quality content in Indian languages. CIS-A2K team submitted Project Tiger final report.
The r@w blog features works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media and society, and highlights and materials from ongoing research and events at the researchers@work programme at CIS. On the r@w blog we featured an essay titled 'The Internet in the Indian Judicial Imagination' by Divij Joshi, as part of a series on Studying Internet in India (2015); and audio recording of a session titled #ObjectsofDigitalGovernance by Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian which was part of the Internet Researchers Conference, 2017.

Jobs

CIS is hiring:

CIS-A2K Finance Officer: Call for application (Only women candidates).
Internship - applications accepted throughout the year.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019).
To preserve freedoms online, amend the IT Act (Gurshabad Grover; April 16, 2019).
Digital Native: Getting through an election made for the social media gaze (Nishant Shah; Indian Express; April 21, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Reddit, Telegram among websites blocked in India, say internet groups (Sai Sachin Ravikumar; Business Standard; April 3, 2019).
Data leaks could wreak havoc in India, so why aren’t they an issue this election? (Aria Thaker; Quartz India; April 4, 2019).
Cookies, not the monster you may think (Sweta Akundi; Hindu; April 8, 2019).
TikTok craze a ticking time bomb for city (Gulam Jeelani with inputs from Priyanka Sharma and Ajay Kumar; India Today; April 17, 2019).
Almost every social network has a porn problem—so why is India banning only TikTok? (Ananya Bhattacharya; Quartz India; April 19, 2019).
Child protection and cyber-grooming: Indian court rescinds its own Tiktok ban (Leon Kaiser; Netzpolitik.org; April 24, 2019).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipdedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Project Proposal / Reports

Supporting Indian Language Wikipedias Program/Report (Gopala Krishna A; April 5, 2019).

CIS-A2K proposal to Wikimedia Foundation for 2019-2020 (Ananth Subray; April 15, 2019).

Blog Entries

Wikimedia projects orientation session at Tata Trust's Vikas Anvesh Foundation (Subodh Kulkarni; April 9, 2019).
Indic Wikisource Speak: Sushant Savla (Jayanta Nath; April 10, 2019).
SVG Translation Workshop at KBC North Maharashtra University (Subodh Kulkarni; April 10, 2019).
Content Donation Sessions with Authors (Subodh Kulkarni; April 10, 2019).
Indic Wikisource speak : Ajit Kumar Tiwari (Jayanta Nath; April 11, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Research Paper

International Cooperation in Cybercrime: The Budapest Convention (Vipul Kharbanda; April 29, 2019).

Privacy

Research Paper

FinTech in India: A Study of Privacy and Security Commitments (Aayush Rathi and Shweta Mohandas; April 30, 2019).

Submission

CIS Response to Call for Stakeholder Comments: Draft E-Commerce Policy (Arindrajit Basu, Vipul Kharbanda, Elonnai Hickok and Amber Sinha; April 10, 2019).

Participation in Events

IETF 104 Prague (Organized by IETF; Prague; March 23 - 29, 2019). Karan Saini and Gurshabad Grover participated in the event.
The Phantom Public: The Role of Social Media in Democracy (Organized by Ambedkar University; New Delhi; April 3, 2019).
(re) conference (Organized by CREA; New Delhi; April 10 - 12, 2019).
Data for Development: Mapping key considerations for policy and practice in India (Organized by Azim Premchand University; April 24, 2019). Arindrajit Basu delivered a talk.

Artificial Intelligence

Participation in Event

Policy Lab on Artificial Intelligence & Democracy (Organized by Tandem Research, in partnership with Microsoft Research and Friedrich-Ebert-Stiftung; Bangalore; April 2-3, 2019). Shweta Mohandas participated in the event.

Free Speech and Expression

Submission

CIS Response to ICANN's proposed renewal of .org Registry (Akriti Bopanna; April 28, 2019).

Event Organized

Internet Speech: Perspectives on Regulation and Policy ( Organized by CIS; India Habitat Centre, New Delhi; April 5, 2019).

Blog Entry

DIDP #33 On ICANN's 2012 gTLD round auction fund (Akriti Bopanna; April 4, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Call for Essays: Studying Internet in India (Sumandro Chattapadhyay; April 6, 2019).

Blog Entries

The Internet in the Indian Judicial Imagination (Divij Joshi; April 21, 2019).
#ObjectsOfDigitalGovernance (Khetrimayum Monish Singh, Rajiv K. Mishra, and Vidya Subramanian; April 21, 2019).

Telecom

Article

Delayed Cash Flows and NPAs (Shyam Ponappa; Business Standard; April 3, 2019 and Organizing India Blogspot; April 4, 2019).

Participation in Event

BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services (Organized by Broadband India Forum; Taj Mahal Hotel, Mansingh Road, New Delhi; April 5, 2019). Anubha Sinha was a panellist at a BIF conference on “Substitutability of OTT Services with Telecom Services & Regulation of OTT Services”.

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2019-newsletter

International Cooperation in Cybercrime: The Budapest Convention

vipul — 2019-04-29T22:35:37Z

In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.

Click to download the file here

However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.^{^[1]}

Extradition

Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for atleast one year.^{^[2]} In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.^{^[3]} Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.^{^[4]} The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.^{^[5]}

The Convention also recognises the principle of "aut dedere aut judicare" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,^{^[6]} then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.^{^[7]} The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.^{^[8]}

Mutual Assistance Requests

The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.^{^[9]} Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.^{^[10]} However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.

The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.^{^[11]} Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.^{^[12]}

Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;^{^[13]} (ii) the request concerns an offence considered as a political offence by the requested Party;^{^[14]} or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, ordre public or other essential interests.^{^[15]} The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.^{^[16]} In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.^{^[17]}

In practice it has been found that though States refuse requests on a number of grounds,^{^[18]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.^{^[19]} A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:

“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.

British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.

Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.

A.T. was extradited to Norway and prosecuted.”^{^[20]}

It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.

In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.^{^[21]} On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.^{^[22]} If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.^{^[23]}

In the normal course the Convention envisages requests being made and executed through the respective designated central authorities, however it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even the Interpol.^{^[24]} Even in non urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.^{^[25]}

The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,^{^[26]} (ii) provide real time collection of traffic data with specified communications in its territory;^{^[27]} and (iii) provide real time collection or recording of content data of specified communications.^{^[28]} The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.

The procedure for sending mutual assistance requests under the Convention is usually the following:

Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.
Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).
The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.

The following procedure is then followed in the corresponding receiving Party:

Receipt of the request by the Central Authority.
Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).
Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).
Issuance of a court order (if needed).
Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.
Data obtained is examined against the MLA request, which may entail translation or

using a specialist in the language.

The information is then transmitted to requesting State via MLA channels.^{^[29]}

In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently) investigations are often abandoned.^{^[30]} Further, the lack of awareness regarding procedure and applicable legislation of the requested State lead to formal requirements not being met. Requests are often incomplete or too broad; do not meet legal thresholds or the dual criminality requirement.^{^[31]}

Preservation Requests

The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.

The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.^{^[32]} However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.^{^[33]} In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, ordre public or other essential interests of the requested Party.^{^[34]}

In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.^{^[35]} Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.^{^[36]} If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.^{^[37]}

Jurisdiction and Access to Stored Data

The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.^{^[38]} The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction; (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.^{^[39]} These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state, infact if a state was required to take the permission of the state in the territory of which the data was physically located even in these situations, then it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.^{^[40]}

Since the language of the Budapest Convention stopped shy of addressing other situations law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis risking the privacy rights of individuals raising concerns regarding national sovereignty.^{^[41]} It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011 which came out with a Guidance Note clarigying the legal position under Article 32.

The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.^{^[42]} The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.^{^[43]} The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.^{^[44]}

The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data, they would not own or control the data and therefore cannot give valid consent to share the data.^{^[45]} The Guidance Note also specifies that with respect to the location of the person providing access or consent, while the standard assumption is that the person would be physically located in the requesting Party however there may be other situations, “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.^{^[46]}

Production Order

A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.^{^[47]} It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.^{^[48]} Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.^{^[49]} However subscriber information^{^[50]} can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.^{^[51]}

Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.^{^[52]} Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.

Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.^{^[53]}

The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.^{^[54]} A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.^{^[55]} The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:^{^[56]}

PRODUCTION ORDER CAN BE SERVED
IF The criminal justice authority has jurisdiction over the offence
AND The service provider is in possession or control of the subscriber information
AND
The service provider is in the territory of the Party (Article 18(1)(a))	Or	A Party considers that a service provider is “offering its services in the territory of the Party” when, for example: - the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and - the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party. (Article 18(1)(b))
AND
		the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.

The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention are clearly too slow to be a satisfactory long term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[57]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[58]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, specially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,^{^[59]} and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.^{^[60]}

Language of Requests

It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English atleast in urgent cases since most States accepted a request in English.^{^[61]} Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.^{^[62]}

24/7 Network

Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.^{^[63]} The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer-or computer-related crimes.^{^[64]} In practice however it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[65]}

Drawbacks and Improvements

The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:

Weakness and Delays in Mutual Assistance: In practice it has been found that though States refuse requests on a number of grounds,^{^[66]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason by police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.^{^[67]} The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.

Access to data stored outside the territory: Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.^{^[68]} It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[69]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[70]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.

Language of requests: Language of requests create a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment, a provisional draft Additional Protocol to address the issue.^{^[71]}

Bypassing of 24/7 points of contact: Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[72]}

India and the Budapest Convention

Although countries outside the European Union have the option on signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:

India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties, where it had no hand in the initial drafting and negotiations.^{^[73]}
Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.^{^[74]}
The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.^{^[75]}
It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.^{^[76]}
Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.^{^[77]}

Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.^{^[78]}

Conclusion

The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative which is the MLAT system is no better due to delays in providing access to requested data.^{^[79]} This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (specially in the financial sector) which may involve examination of electronic evidence. However that does not mean the end of the road for the Budapest Convention, one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address atleast some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option as this could be an incentive for non signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.

^{^[1]} Council of Europe, Explanatory Report to the Convention on Cybercrime, https://rm.coe.int/16800cce5b, para 304.

^{^[2]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.

^{^[3]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(5).

^{^[4]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(3).

^{^[5]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(2).

^{^[6]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 251.

^{^[7]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(6).

^{^[8]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(7).

^{^[9]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(1).

^{^[10]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[11]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(2).

^{^[12]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.

^{^[13]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[14]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(a).

^{^[15]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(b).

^{^[16]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(5).

^{^[17]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(6).

^{^[18]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[19]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[20]} Pedro Verdelho, Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice, 2008, pg. 5, https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF, accessed on March 28, 2019.

^{^[21]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(8).

^{^[22]} However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. See para 278 of the the Explanatory Note to the Budapest Convention.

^{^[23]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 28.

^{^[24]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(a) and (b).

^{^[25]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.

^{^[26]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 31.

^{^[27]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 33.

^{^[28]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 34.

^{^[29]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 37.

^{^[30]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 123.

^{^[31]} Ibid at 124.

^{^[32]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.

^{^[33]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(4).

^{^[34]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(5).

^{^[35]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(6).

^{^[36]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(7).

^{^[37]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 30.

^{^[38]} Anna-Maria Osula, Accessing Extraterritorially Located Data: Options for States, http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf, accessed on March 28, 2019.

^{^[39]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 32.

^{^[40]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 293.

^{^[41]} Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, Transborder access and jurisdiction: What are the options?, December 2012, para 310.

^{^[42]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.

^{^[43]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.

^{^[44]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.

^{^[45]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.

^{^[46]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.

^{^[47]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 18.

^{^[48]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 170.

^{^[49]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[50]} Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

^{^[51]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[52]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.

^{^[53]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.

^{^[54]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.

^{^[55]} Id.

^{^[56]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.

^{^[57]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[58]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[59]} Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, Criminal justice access to data in the cloud: challenges (Discussion paper), May 2015, pgs 10-14.

^{^[60]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.

^{^[61]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 35.

^{^[62]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[63]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 35.

^{^[64]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 298.

^{^[65]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[66]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[67]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 7.

^{^[68]} Giovanni Buttarelli, Fundamental Legal Principles for a Balanced Approach, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf

^{^[69]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[70]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[71]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[72]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[73]} Dr. Anja Kovaks, India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders, available at https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/

^{^[74]} Alexander Seger, India and the Budapest Convention: Why not?, Digital Debates: The CyFy Journal, Vol III, available at https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

^{^[75]} Id.

^{^[76]} Id.

^{^[77]} Id.

^{^[78]} https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/

^{^[79]} Elonnai Hickok and Vipul Kharbanda, Cross Border Cooperation on Criminal Matters - A perspective from India, available at https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention

Almost every social network has a porn problem—so why is India banning only TikTok?

Ananya Bhattacharya — 2019-04-28T04:46:36Z

TikTok is in some serious trouble in India. Though it isn’t the only one battling a rising tide of porn, violence, and fake news, the country’s courts have singled out the Chinese video-sharing app for a ban.

The article by Ananya Bhattacharya was published in Quartz India. Shweta Mohandas was quoted.

Incumbents such as Twitter, WhatsApp, and Facebook have been fighting the same problems as TikTok has, but they haven’t yet faced such extreme measures. Several experts have called the Madras high court ban on the world’s most popular video app a “kneejerk reaction” that is “outsized.”

“While it is important to place appropriate curbs on porn and trolling, this decision sounds extreme since there are myriad ways to spread the two vices,” Anindya Ghose, the Heinz Riehl professor of business at New York University’s Stern School, told Quartz.

So why is TikTok bearing the brunt?

Singled out?

Unlike TikTok, most other social media and video/photo sharing apps are largely private and controlled in nature, which means a post can only be seen by a limited network of a user. “The issue with TikTok is it encourages interactivity over videos,” said Prasanto Roy, a New Delhi-based tech policy consultant. “Facebook and Instagram start out with smaller circles or friends groups, while TikTok can get to a larger audience quickly—including allowing video interaction with strangers.”

Given that TikTok is much younger to most others in the segment, the app lacks certain safeguards to ensure users’ safety. For instance, there are no checks & balances on the app to moderate user-generated content, experts told Quartz.

“Other social media (platforms) pro-actively filter out content that violate their community guidelines,” Shweta Mohandas, policy officer at the Centre for Internet and Society of India (CIS), told Quartz. “The fact that TikTok’s community guidelines’ reporting mechanism is based on user reports could be a reason why the porn problem has become more prevalent.”

Although some cases slip through the gaps, Facebook and Google are proactively blocking search terms related to child porn. Facebook and Instagram are also using sophisticated artificial intelligence (AI) tools to detect revenge porn. Vernacular-language social network Sharechat also has algorithms that flag illicit content. “YouTube gives you policies and they remove your video or puts a strike against your account, but there’s no such rule or guideline on TikTok,” Indian YouTuber and TikTok-user Kulbushan Kundalwal said in a videoreacting to the ban.

It has been trying to strengthen its systems lately.

The app, which lets users create and post 15-second-long videos, has set up a team of content moderators who speak a number of regional languages. It has also hosted awareness drives featuring celebrities. However, it relies mostly on user reports.

Clearly, these measures are not enough and millions of its Indian users—almost 40% of the app’s 500 million user base—remain exposed to risks.

In the US, too, TikTok was berated based on similar concerns. It recently settled with the Federal Trade Commission, paying $5.7 million (Rs40 crore), the largest civil penalty ever collected in a child privacy violation case in the US.

Will this ban help?

Taking the app down can slam the brakes on its meteoric rise, but won’t kill it. Banning one app won’t change user behaviour, experts said.

For starters, users who have it installed can continue using it. And though it’s not directly available for download from the app store, there are ways to get it. In fact, getting on the app is easy: Any existing user can share the app with others through platforms like ShareIt.

TikTok is not a unique proposition.

There are also several third-party app stores, other than those of Google and Apple—apkpure, androidapkbox, and uptodown, among others—where TikTok is still available.

In any case, it is not the only source of dangerous content online. “TikTok is not a unique proposition,” Gurugram-based market research firm techARC said in a note. The ban has already begun to boost similar apps.

For instance, since April 16, around the time when news of a likely ban on TikTok in India began floating, video-sharing app Like has been trending as the third most popular in India on analytics site App Annie’s charts, techARC found.

“There is a need to have a holistic approach to getting rid of such digital menace that cannot be absolved by technology or legal recourse alone,” techARC founder and chief analyst Faisal Kawoosa said.

For more details visit https://cis-india.org/internet-governance/news/ananya-bhattacharya-quartz-india-april-19-2019-india-bans-tiktok-over-porn-but-not-facebook-twitter-instagram

Jugendschutz und Cyber-Grooming: Indisches Gericht hebt eigenen Tiktok-Bann wieder auf

Leon Kaiser — 2019-04-28T04:42:18Z

Der Streit um Tiktok geht in die nächste Runde: Nachdem Google und Apple die Video-App kürzlich aus ihrem Angebot streichen mussten, nahm ein indisches Gericht seine Anordnung heute wieder zurück. Im Fall geht es um Pornografie, Cyber-Grooming und die weiterhin ungeklärte Frage, wie mit großen Plattformen rechtlich umgegangen werden soll.

The article by Leon Kaiser was published in Netzpolitik.org on April 24, 2019.

In Indien schwelt seit Anfang April eine Auseinandersetzung zwischen Gerichten um die Video-App Tiktok. Ein Obergericht in Chennai hat heute entschieden, die selbst angeordnete Verbannung der App aus den Stores von Google und Apple wieder aufzuheben.

Zuvor hatte das höchste Gericht in Delhi den Fall zurück nach Chennai verwiesen und auf dem Einsatz eines dritten Gutachters gedrängt. Der argumentierte heute, dass ein Gericht die Einschränkung von App-Downloads nicht fordern könne, da es damit geltendem Recht widerspricht. Das Gericht nahm daraufhin die Anordnung unter einer Einschränkungen zurück.

Seinen Anfang nahm der Streit mit einer einstweiligen Anordnung, die das Madras High Court in Chennai Anfang April erlassen hatten. Die Richter warnten darin vor der App; sie degradiere die Kultur und befördere Pornografie. Sie berichteten auch von Suizidfällen und Mobbing auf der Plattform. Außerdem schütze die App ihre jungen Nutzer:innen nicht ausreichend vor Cyber-Grooming. Als Konsequenz sollte der Download der App beschränkt werden. Medien wurde die Nutzung von Tiktok-Videos in der Berichterstattung untersagt und die Regierung dazu aufgefordert, ein Gesetz zum Schutz von Kindern im Internet zu verabschieden.

Google und Apple setzen Wünsche der Regierung um

Tiktok ist ein soziales Netzwerk, in dem vor allem kurze Videoschnipsel geteilt werden. Nutzer:innen können beliebige Videos verfremden, remixen oder mit Musik unterlegen. Außerdem kann man Aufnahmen mit einem eigenen Video kommentieren und so visuell und ohne viel Text aufeinander Bezug nehmen. Indien ist mit über 120 Millionen Nutzer:innen nach China – dort heißt die App Douyin– der zweitgrößte Markt. Die App ist auch unter Jugendlichen in Deutschland beliebt und hat hierzulande gut vier Millionen Nutzer:innen

Am 16. April bat die indische Regierung dann Apple und Google, die App aus ihrem Angebot in Indien zu streichen. Bürgerrechtler:innen kritisierten den Schritt, die Auswahl von Tiktok sei willkürlich und andere Plattformen mit ähnlichen Problemen konfrontiert. Zudem sei Pornografie nicht illegal, was bei Cyber-Grooming sehr wohl der Fall ist. Die US-Konzerne setzten die Forderung ohne großes Aufsehen um, woraufhin neue Nutzer:innen die App dort vorübergehend nicht mehr herunterladen konnten.

Die Kritik an Tiktok ist auch aus anderen Ländern bekannt. Es gibt Recherchen und Berichte zu Fällen von Cyber-Grooming und sexueller Belästigung Minderjähriger. Die Federal Trade Commission in den USA belegte den chinesischen Konzern ByteDance, dem Tiktok gehört, mit einer Strafe von 5,7 Millionen Euro, weil er achtlos mit den Daten von Kindern umging.

Uploadfilter auch in Indien?

In Indien ist der Fall in zwei politische Entwicklungen eingebettet. Zum einen wird in Indien derzeit gewählt. Die Stimmabgabe läuft noch bis zum 19. Mai, womit sich der Wahlkampf in der heißen Phase befindet. Zumindest vereinzelt werden politische Botschaften und Parodien auch auf Tiktokverbreitet. Es gibt aber keine Untersuchungen darüber, wie wichtig die relativ junge App für den politischen Disksurs ist.

Zum anderen legte die Regierung Ende letzten Jahres einen Entwurf für eine Überarbeitung des indischen IT Acts vor. Die neuen „Intermediary Guidelines“ würden der Rechtswissenschaftlerin Chinmayi Arun zufolge der indischen Regierung weitreichende Befugnisse gegenüber Online-Plattformen im Land geben. Das Gesetz enthält auch eine Verpflichtung für die „proaktive“ Entfernung von „illegalen Informationen und Inhalten“ vor. Damit würden Plattformen zum Einsatz von Uploadfiltern verpflichtet, die Schwelle dafür wäre der schwammige Begriff „illegal“. Access Now kritisierte, dass das Gesetz Menschenrechte einschränke.

Das Gesetz ist noch nicht verabschiedet und so argumentierte der Gutachter heute mit der bestehenden Gesetzeslage. Er sagte, dass App-Anbieter gesetzlich als Intermediäre gelten und keine Haftungspflicht für alle Inhalte auf ihren Plattformen haben. Doch auch die aktuelle Rechtslage ist kritisch zu sehen. Sie entlässt profitorientierte Unternehmen vorschnell aus ihrer Verantwortung, wie Sunil Abraham vom Center for Internet and Society in Bangalore schreibt. Das Gericht schränkte die Aufhebung der Anordnung allerdings ein: Fänden sich weiterhin pornografische Inhalte in der App, könnte der Bann möglicherweise wieder eingesetzt werden. Die Rechtsanwälte von Tiktok beriefen sich im Gericht darauf, dass bereits viele Inhalte automatisiert ausgefiltert würden.

For more details visit https://cis-india.org/internet-governance/news/leon-kaiser-netzpolitik-april-24-2019-jugendschutz-und-cyber-grooming-indisches-gericht-hebt-eigenen-tiktok-bann-wieder-auf

CIS Response to ICANN's proposed renewal of .org Registry

akriti — 2019-04-28T02:16:40Z

We thank ICANN for the opportunity to comment on this issue of its proposed renewal of the .org Registry Agreement with the operator, Public Interest Registry (PIR). Supporting much of the community , we too find severe issues with the proposed agreement. These centre around the removal of price caps and imposing obligations being currently deliberated in an ongoing Policy Development Process (PDP).

Presumption of Renewal

CIS has, in the past, questioned the need for a presumption of renewal in registry contracts and it is important to emphasize this within the context of this comment as well. We had, also, asked ICANN for their rationale on having such a practice with reference to their contract with Verisign to which they responded saying:

“Absent countervailing reasons, there is little public benefit, and some significant potential for disruption, in regular changes of a registry operator. In addition, a significant chance of losing the right to operate the registry after a short period creates adverse incentives to favor short term gain over long term investment.”

This logic can presumably be applied to the .org registry, as well, yet a re-auction of ,even, legacy top-level domains can only serve to further a fair market, promote competition and ensure that existing registries do not become complacent.

These views were supported in the course of the PDP on Contractual Conditions - Existing Registries in 2006 wherein competition was seen useful for better pricing, operational performance and contributions to registry infrastructure. It was also noted that most service industries incorporate a presumption of competition as opposed to one of renewal.

Download the file to access our full response.

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-april-28-2019-cis-response-to-icanns-proposed-renewal-of-org-registry

Data for Development: Mapping key considerations for policy and practice in India

Admin — 2019-04-25T15:17:55Z

On 24 April 2019 Arindrajit Basu delivered a talk at an event titled at Data for Development:Mapping key considerations for policy and practice in India at Azim Premchand University.

Arindrajit presented some of CIS's work on artificial intelligence and its work on privacy and the SriKrishna Bill, some of the constitutional contours of India's data governance policies and some of the larger implications on India's foreign policy vision as an emerging economy.

For more details visit https://cis-india.org/internet-governance/news/data-for-development-mapping-key-considerations-for-policy-and-practice-in-india

TikTok craze a ticking time bomb for city

Gulam Jeelani — 2019-04-17T08:46:05Z

Unlike YouTube, where videos take a long time to upload, on TikTok it happens in a matter of seconds. Not just the youth, the trend has captured the imagination of criminals too.

The article by Gulam Jeelani with inputs from Priyanka Sharma and Ajay Kumar was published in India Today on April 17, 2019. Shweta Mohandas was quoted.

Last Saturday, 19-year-old Salman Zakir was accidentally shot dead when his friend and he were shooting a video at central Delhi's Ranjit Singh flyover - to be uploaded on the Chinese mobile application TikTok. The latest craze of filming short duration videos for this app, which uploads these within seconds, is giving headaches to the police, as well as parents.

In the last two weeks, the police have arrested at least six youth (including two of Salman's friends), who were caught posing with guns, making clips and uploading those on the app. Responding to this frenzy, the Union Ministry for Electronics and Information Technology on Tuesday asked Google and Apple to take down TikTok from their app stores.

The order came a day after the Supreme Court refused to stay a Madras High Court order asking the Centre to ban the viral app for the potential harm it could cause owing to inappropriate content being posted - pornography and violence. The ministry's order may lead to pulling down the app from the Google Play Store and Apple App Store, preventing any further downloads. The order will not, however, prevent people who have already downloaded the app from using it.

OF GUNS AND GRANDSTANDING

Salman, along with his friends Sohail and Amir, had gone out for a drive to India Gate. While returning, Sohail sitting next to Salman, who was driving the car, pulled out a country-made pistol. He aimed it at Salman while trying to make the TikTok video, but the pistol went off shooting him on his left cheek. In February this year, a daily wage worker was allegedly killed by his friend in Tiruvallur district of Tamil Nadu for uploading an abusive video targeting another community, on Tik-Tok. The video even led to tension and unrest in the village.

Unlike YouTube, where videos take a long time to upload, on TikTok it happens in a matter of seconds. Not just the youth, the trend has captured the imagination of criminals too. Two weeks before Salman's death, apparently carried away by TikTok's online popularity, two criminals landed in the police net after a video featuring them flaunting pistols surfaced on the app. Shahzada Parvez (24) and Monu (23), had been on the police's radar for long.

"They were fans of singer Honey Singh. Earlier, too, they shot a video brandishing pistols at a community function and put it on social media," deputy commissioner of Delhi Police Anto Alphonse said.

"The young and the restless have a tendency to try out new applications in order to gain quick popularity on the web," added Madhur Verma, deputy commissioner of police, New Delhi.

TikTok, known as Douyin in China, where the parent company is based, is a mobile app for filming and sharing videos set to music or a voice-over. With a reported 500 million subscribers worldwide, India is the biggest market for the app, comprising almost 40% of global downloads. According to market analysis firm Sensor Tower, India accounted for 88.6 million new users out of 188 new users in the March quarter.

QUITE A FAD

The app is the latest fad to give parents and teachers cause for concern after the popularity of dangerous online dares such as the Blue Whale Challenge and Kiki Car. "I had seen my son shooting videos at home and at times he would ask me to pose as well. But I came to know about TikTok when his teacher called me," said Vaishali Dhar, a resident of East Nizamuddin, whose son studies in class 8. "I have decided not to encourage him."

Apart from homes and schools, teenagers have been spotted shooting videos in public places such as the recently opened Signature Bridge which connects Wazirabad to East Delhi. Police have had to resort to chasing people shooting videos atop their cars on the bridge. The app is also a rage among Bollywood-crazed Indians who post videos lip-syncing to songs or reciting movie dialogues. It allows the creation of a 15-second video with the user miming to songs. The videos range from harmless to the explicit, depending upon the users one follows.

Last week, ByteDance, the company that owns TikTok, said it had removed more than six million videos that violated its guidelines. The company has appealed against the stay against the ban, claiming it would harm free speech. "We are committed to continuously enhancing our existing measures and introducing additional technical and moderation processes as part of our ongoing commitment to our users in India," it said in an emailed statement.

OVERUSE & ABUSE

But can the app itself be blamed for its misuse? Experts advocate taking the awareness and sensitisation approach than imposing a blanket ban. Faisal Kawoosa, Chief Analyst at Gurugram-based market research firm techARC, says the easy and inexpensive availability of the Internet and increased smartphone penetration has contributed to the growth of TikTok, and other apps in the country. "Banning is no solution. If you can't download it from the app store (which is authentic), you will encourage illegal downloads which are even more dangerous," adds Kawoosa.

"Even in a Google sign-up, one needs to be above 18 years of age. So it is more about ethics that we practise than an app having a problem," he said. Some experts also raised data privacy concerns which come with the application. "The issue with these apps as with other apps is that it is not clear in which way the data is being processed, stored, or shared with third parties," said Shweta Mohandas, policy officer at the Centre for Internet and Society, a Bengaluru-based research and advocacy non-profit.

"I do not think that a ban on Tik-Tok is a solution. People forget that the existing videos can still be shared on other social media platforms. A young person with TikTok on his or her phone will in all probability be active on other social media and messaging apps. A better approach is to sensitise people about the way the app functions, and the information that is public on the app," she said.

In the US, the app has been accused of collecting personal data from users under the age of 13 without parental consent. "Every other person has a mobile phone today. In the recent past, the Blue Whale challenge, Kiki car challenge and now TikTok have become an entertainment tool for the youth and schoolchildren. In order to attain instant fame and validation from peers with likes and shares, they end up making viral videos on social media," said Dr Rajeev Mehta, Vice Chairman of psychiatry department at Sir Ganga Ram Hospital.

For more details visit https://cis-india.org/internet-governance/news/india-today-april-17-2019-gulam-jeelani-tik-tok-craze-a-ticking-time-bomb-for-city

To preserve freedoms online, amend the IT Act

gurshabad — 2019-04-16T10:09:41Z

Look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.

The article by Gurshabad Grover was published in the Hindustan Times on April 16, 2019.

The issue of blocking of websites and online services in India has gained much deserved traction after internet users reported that popular services like Reddit and Telegram were inaccessible on certain Internet Service Providers (ISPs). The befuddlement of users calls for a look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.

Among other things, Section 69A of the Information Technology (IT) Act, which regulates takedown and blocking of online content, allows both government departments and courts to issue directions to ISPs to block websites. Since court orders are in the public domain, it is possible to know this set of blocked websites and URLs. However, the process is much more opaque when it comes to government orders.

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, issued under the Act, detail a process entirely driven through decisions made by executive-appointed officers. Although some scrutiny of such orders is required normally, it can be waived in cases of emergencies. The process does not require judicial sanction, and does not present an opportunity of a fair hearing to the website owner. Notably, the rules also mandate ISPs to maintain all such government requests as confidential, thus making the process and complete list of blocked websites unavailable to the general public.

In the absence of transparency, we have to rely on a mix of user reports and media reports that carry leaked government documents to get a glimpse into what websites the government is blocking. Civil society efforts to get the entire list of blocked websites have repeatedly failed. In response to the Right to Information (RTI) request filed by the Software Freedom Law Centre India in August 2017, the Ministry of Electronics and IT refused to provide the entire of list of blocked websites citing national security and public order, but only revealed the number of blocked websites: 11,422.

Unsurprisingly, ISPs do not share this information because of the confidentiality provision in the rules. A 2017 study by the Centre for Internet and Society (CIS) found all five ISPs surveyed refused to share information about website blocking requests. In July 2018, the Bharat Sanchar Nagam Limited rejected the RTI request by CIS which asked for the list of blocked websites.

The lack of transparency, clear guidelines, and a monitoring mechanism means that there are various forms of arbitrary behaviour by ISPs. First and most importantly, there is no way to ascertain whether a website block has legal backing through a government order because of the aforementioned confidentiality clause. Second, the rules define no technical method for the ISPs to follow to block the website. This results in some ISPs suppressing Domain Name System queries (which translate human-parseable addresses like ‘example.com’ to their network address, ‘93.184.216.34’), or using the Hypertext Transfer Protocol (HTTP) headers to block requests. Third, as has been made clear with recent user reports, users in different regions and telecom circles, but serviced by the same ISP, may be facing a different list of blocked websites. Fourth, when blocking orders are rescinded, there is no way to make sure that ISPs have unblocked the websites. These factors mean that two Indians can have wildly different experiences with online censorship.

Organisations like the Internet Freedom Foundation have also been pointing out how, if ISPs block websites in a non-transparent way (for example, when there is no information page mentioning a government order presented to users when they attempt to access a blocked website), it constitutes a violation of the net neutrality rules that ISPs are bound to since July 2018.

While the Supreme Court upheld the legality of the rules in 2015 in Shreya Singhal vs. Union of India, recent events highlight how the opaque processes can have arbitrary and unfair outcomes for users and website owners. The right to access to information and freedom of expression are essential to a liberal democratic order. To preserve these freedoms online, there is a need to amend the rules under the IT Act to replace the current regime with a transparent and fair process that makes the government accountable for its decisions that aim to censor speech on the internet.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act

Reddit, Telegram among websites blocked in India, say internet groups

Sai Sachin Ravikumar — 2019-04-15T10:32:54Z

Discussion board Reddit, messaging service Telegram and comedy site College Humor have been blocked for intermittent periods, say internet groups.

The article by Sai Sachin Ravikumar was published in Business Standard on April 3, 2019. Gurshabad Grover was quoted.

Websites like Reddit and Telegram are being blocked in India by internet service providers, throwing into question the enforcement of net neutrality rules, advocacy groups said on Wednesday.

Restrictions on "torrent sites" that offer free movie and music downloads are routine in India to prevent copyright infringement. Pornography websites are also blocked by court orders seeking to protect children.

But in recent months, websites such as the discussion board Reddit, messaging service Telegram and comedy site College Humor have been blocked for intermittent periods, often for days and only in some regions, baffling internet users.

"It's not making any sense, what's happening," said Apar Gupta, executive director at the non-profit Internet Freedom Foundation (IFF). "A lot of these blocks are also happening in such a way that no notices are displayed." Since January, there have been at least 250 reports of websites blocked on networks operated by Jio, a unit of Reliance Industries, Bharti Airtel and Hathway, the IFF said in a letter to the telecoms department.

Jio and Airtel are among India's top telecom providers.

Some internet users have posted on social media screenshots of pages displaying messages saying a website was blocked to comply with government orders.

When Reuters tried to access CollegeHumor.com on Wednesday a message read: "Your requested URL has been blocked as per the directions received from Department of Telecommunications, Government of India."

An official at the telecoms department, which last year approved rules on net neutrality--the concept that all websites and data on the Internet be treated equally--declined to comment when contacted by Reuters.

Complaints by Indian internet users have covered "most forms of net neutrality violations," IFF's Gupta said.

Nearly 60 per cent of the user reports compiled by the foundation since January involved Jio networks, the IFF's data showed.

A Jio representative did not respond to an emailed request for comment. Hathway did not reply to phone and email requests for comment.

Bharti Airtel said in a statement it "supports an open internet" and does not block content unless directed by authorities. It did not say if it was currently blocking any websites.

Reddit did not respond to an emailed request for comment outside regular U.S. business hours.

Telegram, which has been blocked previously in Russia and Iran, did not immediately respond to a phone message seeking comment.

If websites are blocked based on government or court orders, or internet firms have legal grounds to restrict web pages, they might not violate net neutrality rules, said Gurshabad Grover, a researcher at the non-profit Centre for Internet and Society.

"But in this case we're not entirely sure," he said.

Other sites blocked this year include tax portal Taxscan and legal database Indian Kanoon.

After complaints from Jio's internet users, Indian Kanoon founder Sushant Sharma said he had been told by Jio the portal was blocked for one day last week due to a government order.

"By evening, apparently, that order was taken back," said Sharma, whose website has some 150,000 daily visitors.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sai-sachin-ravikumar-april-3-2019-reddit-telegram-among-websites-blocked-in-india

Programme Officer - Privacy

amber — 2019-04-15T06:53:44Z

The Centre for Internet and Society (CIS) is seeking applications for the position of Programme Officer, to undertake public policy research on privacy and related themes. For this position, we will hire one full time researcher, to be based in the Delhi office of CIS, for the duration of one year.

To apply for this position please write to amber@cis-india.org along with a CV, two writing samples and contact details of two references, Interested candidates are invited to send their applications at the earliest — latest by April 30th.

Organisation Profile

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around internet, technology and society in India, and elsewhere.

Privacy Research at CIS

While privacy has been a key subject of study for digital rights and development organisations in India for the last decade, recent and ongoing legal and policy developments have placed this issue at the forefront of human rights and regulatory research. CIS has conducted extensive research into the areas of privacy, data protection, data security, and was also a member of the Committee of Experts constituted under Justice A P Shah. CIS has also been cited multiple times in the Report of the Committee of Experts led by Justice Srikrishna. CIS values the fundamental principles of justice, equality, freedom and economic development and strongly advocates the right to privacy.

Over the next year, CIS intends to look at several research questions on data protection which may include the global experience with privacy enforcement, need for effective redressal mechanisms, documenting the design of business models and data flows, regulation of social media big data, how data of disadvantaged groups including children may be protected. Additionally, while we now have the Supreme Court’s unanimous and emphatic recognition of the fundamental right to privacy, there is a need for research enquiry into several issues such as a clarification of the scope of the Puttaswamy judgment, unpacking the different dimensions of privacy, how state actions interact with privacy.

The Role

Research and analysis: Literature review, policy design, detailed analysis of research topics
Knowledge management: Staying up-to-date on developments of interest to the project, and sharing/debating these with the team. Contributing to documentary and knowledge management processes
Policy outreach and stakeholder engagement: Supporting the project manager in the dissemination of research findings in innovative formats. Attending, planning and executing events
Writing op-eds, short notes, policy briefs and longer form academic writing for a range of audiences
Presentations and formal discussions: Preparing and delivering presentations to various audiences
Helping manage communications with stakeholders including international experts, regulators and policy makers
Managing interns and team: Managing work outputs with our interns; coordinating research with team members and the project manager

Qualifications and Skills

We are looking for professionals from law, regulatory theory and public policy backgrounds.

We are looking for candidates who are interested in studying the regulatory challenges of notice and consent, state capacity, how business models thwart privacy and the future of privacy post Puttaswamy.

This is a full-time position based out of Delhi. The position is for a duration of one year. Salary will be commensurate with qualifications and experience.

For more details visit https://cis-india.org/jobs/programme-officer-privacy-2019

(re) conference

Admin — 2019-05-02T02:01:48Z

From 10 to 12 April 2019, Aayush Rathi participated in a "reconference" a global conference designed to provoke conversations around the new possibilities and opportunities for feminist movements. It was held in Kathmandu, and was organised by CREA, a feminist human rights organisation based in New Delhi.

At the (re)conference, Aayush Rathi spoke on a panel as a part of the technology track curated by Point of View. The research Ambika Tandon and Aayush have undertaken on reproductive health and its datafication in India, as a part of the BD4D project, was selected to be presented on the panel. The presentation can be found here. The agenda and theme of the (re) conference can be found here.

For more details visit https://cis-india.org/internet-governance/news/crea-reconference

Data leaks could wreak havoc in India, so why aren’t they an issue this election?

Aria Thaker — 2019-04-12T01:40:58Z

India’s government leaks data like a sieve, and it’s putting people at risk.

The article by Aria Thaker was published in Quartz India on April 4, 2019. Karan Saini was quoted.

The latest instance was reported on April 01, when technology website ZDNet reported that an Indian government agency had left sensitive medical records of 12.5 million pregnant women online, in a database that wasn’t even password protected.

This is only the latest in a slew of dozens of data leaks and cybersecurity lapses that have plagued the Indian government over the past few years. These have occurred despite—or in part, because of—prime minister Narendra Modi’s aggressive push towards “Digital India.”

Sloppy digitisation efforts and a lack of capacity in cybersecurity issues have caused so many leaks that they seem almost routine by now. Even the one reported by ZDNet, large and grievous as it is, has received little coverage in the mainstream media so far.

“This issue has to be an election priority—the focus on privacy and protection of citizen data,” Raman Chima, policy director at digital-rights organisation Access Now, told Quartz. But as India’s general election approaches, the near silence from politicians on these issues is deafening.

Endangering pregnant women and children

ZDNet reported that a database of medical records from 12.5 million pregnant women was left available online by the department of medical, health and family welfare of a northern Indian state. It does not name the state since the server is still available online, though the medical records have finally been removed, almost a month after security researcher Bob Diachenko contacted the department.

The information in this database was extremely sensitive, including patients’ names, contact details, disease information, pregnancy status and complications, and procedures, such as abortions, that they have undergone.

This wasn’t the first such data leak incident involving the government—nor even the first involving pregnant women.

“This could lead to significant bodily harms to a woman in a context where abortions, especially for unmarried women, are heavily stigmatised,” said Ambika Tandon, a policy officer who researches gender and tech issues for the think tank Centre for Internet and Society (CIS). Women who seek abortions or sensitive procedures “may resort to unsafe abortions at facilities that are not registered for fear of their personal information or physical and informational privacy being compromised,” Tandon said.

Yet this wasn’t the first such incident involving the government—nor even the first involving pregnant women.

Aadhaar and beyond

Aadhaar, the 12-digit personal identification number from India’s controversial, biometrics-backed database, has often been at the centre of previous such leaks in India. Much like a the social security number in the US, it is a sensitive piece of information as it helps identify individuals and is often linked to other government and financial services one uses.

Here’s a look at just a handful of the most prominent leaks, breaches, and vulnerabilities involving Aadhaar:

May 2017: Around 130 million individuals have their Aadhaar numbers, banking details, and more leaked on four government websites
January 2018: A reporter of The Tribune newspaper pays Rs500 ($7) to access a portal with demographic data from every Aadhaar holder in the country
March 2018: State-owned gas company Indane leaks private dataof its customers and all Aadhaar holders
April 2018: Andhra Pradesh leaks medical records of over 2 million pregnant women, as well as their Aadhaar numbers and contact details
June 2018: An unsecured Aadhaar API on over 70 subdomains of a government website allows anyone to access demographic-authentication services
July 2018: Data of 250,000 students taking a government medical entrance exam is leaked and sold online
January 2019: The State Bank of India, the country’s largest bank, leaks financial data of millions customers
February 2019: Indane strikes again. Aadhaar data of nearly 6.7 million dealers and distributors of the state-owned gas company is exposed on its dealers portal

This list is far from comprehensive. Aadhaar-related leaks alone comprise at least 37 such cases, which can be found listed on Indian tech site Medianama. These include instances of many state and central departments publishing Aadhaar numbers next to banking details, or even instances of colour photocopies of Aadhaar cards being published online.

Government entities, especially the Unique Identification Authority of India (UIDAI), which administers Aadhaar, have been known to take a long time—sometimes even months—to respond to leaks. Worse, they have often hounded journalists and whistleblowers raising awareness about these incidents. For instance, the UIDAI filed a police case against The Tribune’s reporter and, weeks later, the newspaper’s editor stepped down. CIS, which published the report about 130 million Aadhaar records being exposed, received a legal notice from the UIDAI.

Why do leaks happen?

India’s government agencies are undergoing rapid digitisation.

“There’s been a particular focus over the past few years to aggregate (data) from different databases that might normally exist in one area, or one scheme, and bring them together to one master spreadsheet,” said Chima of Access Now. “As a result of this, a lot of data is being collected in a few places and (the government) is not doing enough thinking…as to how to control and think about cybersecurity.”

Besides, government departments face major personnel and training issues in matters of cybersecurity.

“Most of the officials who collect information do not know about security practices, and they don’t really understand the challenges involved,” said Srinivas Kodali, a cybersecurity researcher who has uncovered many government leaks. “They think it’s normal data—they don’t understand the privacy implications of it.”

Beyond this, a lack of resources holds government bodies back from protecting user data. “Indian government departments require an increase in skill and resources to deal with information security,” said Karan Saini, a security researcher and policy officer at CIS, who has also reported leaks and vulnerabilities.

A lack of comprehensive privacy regulation exacerbates the problem. India does not currently have a data-protection law. A draft bill was put forth by the electronics and IT ministry last year, but it has been criticised by many for being too lenient on government institutions who handle citizen data.

How leaks and lapses endanger democracy

The issue of data leaks is deeply tied to one of the core threats to democracy today—voter microtargeting, which often takes the form of parties conveying conflicting messages to different social groups, in their attempts to get elected. Such targeting has been under the global spotlight since 2016, after secretive firm Cambridge Analytica reportedly used it in Donald Trump’s presidential campaign.

In India, “there’s a lot of these datasets of sensitive data about citizens available, which may have electoral implications in terms of how it affects people’s desire to vote, and the ability of parties to influence or micro-target them,” Chima said.

Parties have already demonstrated an appetite for citizen data. Modi’s Bharatiya Janata Party has already been known to target voters based on data such as electricity bills, which are thought to reveal a voter’s socioeconomic standing.

State-held data could be abused by politicians, especially those currently in power, to target or profile voters.

Now Aadhaar has come into the picture as well, with the government attempting, in a failed project, to link the biometrics-backed ID number with citizens’ voter ID numbers. The project was discontinued in 2015, but concerns remain about the way the data was collected, with ground reports suggesting that reams of documents are still floating in government offices and private homes. It has also been suggested that the lapsed linking project resulted in the disenfranchisement of millions, due to an opaque algorithm it used.

Worries abound that existing state-held data could be abused by politicians, especially those currently in power, to target or profile voters. State resident data hubs (SRDH), which use Aadhaar to log full profiles of individuals, including the government schemes they avail, have come under the scanner for being particularly dangerous for profiling.

Reports have already suggested the occurrence of such data being used for political gain. An app used by a leading party in Andhra Pradesh has been accused of using stolen state data to profile voters based on caste, though the party denied this.

A government or political actor’s access to state repositories of data, which might be aided by data leaks, could be a truly sinister political tool that sways an election.

For more details visit https://cis-india.org/internet-governance/news/quartz-india-aria-thaker-april-4-2019-data-leaks-and-cybersecurity-should-be-an-election-issue-in-india

Policy Lab on Artificial Intelligence & Democracy

Admin — 2019-04-12T01:32:32Z

Shweta Mohandas participated in a policy lab on Artificial Intelligence & Democracy in India organised by Tandem Research, in partnership with Microsoft Research and Friedrich-Ebert-Stiftung on 2 & 3 April, 2019, in Bangalore.

For more details visit https://cis-india.org/telecom/news/policy-lab-on-artificial-intelligence-democracy

Cookies, not the monster you may think

Sweta Akundi — 2019-04-12T01:10:07Z

Follow the crumbs to a better understanding of data protection and privacy.

The article by Sweta Akundi was published in the Hindu on April 8, 2019. Pranav Manjesh Bidare was quoted.

You’re window-shopping at an electronics store, looking at headphones. The sales assistant offers some help, but you politely decline. “I’m just looking,” you respond. A month later, you come back, and the sales assistant not only remembers you, but also directs you to the latest headphones they have. Creepy? Perhaps, but it’s a regular occurrence on e-commerce websites such as Amazon.

Enter cookies: small text files placed either temporarily or permanently by websites on your hard drive, which are used to monitor your activities online. Those annoying banners that pop up while you are opening a new website, telling you that this site uses cookies? You click okay in a huff because, let’s face it, you’re a busy wo/man? Essentially, you’ve given the websites permission to place cookies on your computer.

“HTTP cookies track user activities, save passwords, and authenticate sensitive information. For example, let’s say you make a purchase with your debit card. When you enter the OTP, you are notified to not refresh the page. That happens because when you enter sensitive information, an authentication cookie is created and stored. It helps the server verifying your transaction make sure that it is just you who is logged in, and not any other person who could try to access your data,” explains Pranav Manjesh Bidare, policy officer at Bengaluru-based The Centre for Internet & Society.

These cookies can be placed by either first-party (the website you are primarily accessing) or third parties (any website that places content onto the primary website). YouTube embeds, sponsored ads, social media links all fall under the latter category. They send you independent cookies which, too, can track your activities.

How safe is it?

“Cookies are vulnerable to interception by a malicious actor. When the cookie is being transmitted to and from your computer, there is a possibility of information like your browsing history, shopping trends, and authentication data being stolen from it,” says Pranav. “However, most of it is taken care of by the HTTPS protocol, which ensures a secure connection between servers and your computer.” Once the cookies are on your device, they can be safeguarded using proper anti-virus. “However there could also be cases where someone impersonates a website and accesses your cookies. That’s something the HTTPS protocol can’t solve alone.” You could manually delete cookies, or pay more attention to what you’re agreeing to share, when you enter a website. Moreover, the constant cookie consent pop-ups do get on the nerves.

That said, the European Union is amending its privacy laws; under the new regulations, if such a draft is passed, users will be given the option of a blanket refusal of cookies, or of just third-party ones, presented in an easy-to-understand layout. However, cookies deemed to be ‘non-intrusive’ will not be subject to restrictions under the regulation.

If there’s anything we have learnt from the Facebook and Cambridge Analytica fiasco, it’s that we need to have a better understanding of what privacy and data on the Internet means.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-sweta-akundi-april-8-2019-microchips-cookies-and-the-internet-privacy-authentication