We are anonymous, we are legion

Sales of surveillance cameras are soaring, raising questions about privacy

Admin — 2018-10-16T14:22:55Z

The Telangana government wants more eyes on the streets to upgrade Hyderabad’s safety. It has asked enterprises, public sectors, residential associations and individuals to install closed-circuit television cameras (CCTVs) in and around their premises.

The article by Rahul Sachitanand was published in Economic Times on October 14, 2018. Elonnai Hickok was quoted.

More than a lakh CCTVs are expected to be installed across the city in the next few years. The initiative is part of the Nenu Saitham (Telugu for Me Too) project — being promoted by Hyderabad Police, which will monitor the feed. To ensure that lowquality CCTVs are not installed and the project is sustainable, the police has asked citizens to only buy from selected vendors.

With this move, launched in November 2017, the Telangana govt joins a growing list of governments, corporations, educational institutes, residential buildings and small businesses across the country that are buying such technology.

According to industry estimates, over a million surveillance units were sold every month a couple of years ago. Now it is two million. The Indian market is growing 20-25% annually, say experts. Frost & Sullivan says the security & surveillance market was worth Rs 8,200 crore in FY2017, reached Rs 11,000 crore in FY2018 and is expected to touch Rs 20,000 crore in FY2020.

The rise in CCTV coverage can also be observed anecdotally. There’s a steady uptick in CCTV clips circulating on Whatsapp, capturing crimes or funny events that would otherwise have gone undocumented. Many of the sensational crimes recently, including multiple incidents of murder in Tamil Nadu, were captured on CCTV cameras, distilling the pure horror of those moments on our mobile screens, and also offering valuable proof to nail the culprits.

The surveillance and security boom is fed by several companies, ranging from homegrown firms such as CP Plus to joint ventures such as Prama Hikvision to multinationals such as Bosch, Panasonic, Honeywell and Axis. The Telangana project, for example, helped Sweden-based Axis Communications widen its India market. It has already installed 1,500 cameras, and more will be installed soon. Other state governments have or are in the process of placing orders.

The Swedish company says it recently installed cameras and associated technology across a range of large corporate and government establishments across India. “We are at the beginning of a five-year boom cycle for these devices,” says Sudhindra Holla, sales director (India & Saarc), Axis Communications. “We are catering to a rush of orders ranging from large companies with complex security infrastructure to deals from government agencies in small towns such as Nanded and Kolhapur.”

Multiple factors are driving the growth in the CCTV segment, says Manu Tiwari, programme manager (automation and electronics practice), Frost and Sullivan. A strong government push to enhance security; purchases for initiatives such as the Smart City project, which covers 100 cities, and the Rs 2,219 crore allocated under the Nirbhaya Fund for women’s safety, which covers eight cities, are some of the growth drivers.

According to Sanjay Kaushik, managing director of security consultancy Netrika Consulting, there is a push to better use CCTV feeds to improve security across India. “While the focus hitherto has been on post facto scouting of footage to find perpetrators, organisations are now trying to be more proactive with their monitoring to spot suspicious people and packages before crimes occur.”

This could involve closely looking at footage to spot suspicious movements at places such as malls or airports or using technology to spot suspicious objects left unattended for long periods. Then, there’s also a focus on making sure the cameras are installed correctly. “Recognisability is key. Organisations are being pushed to ensure simple things like camera feeds are free of obstructions, licence plates are visible in feeds and there is adequate lighting,” adds Kaushik. Advances in technology have ensured that CCTV systems are cheaper and more accessible.

While large enterprises had taken to such technology earlier, even smaller commercial establishments and private residents now can afford to install security systems. The prices have practically halved over the last couple of years. An entry-level camera is now available for a little over Rs 2,000. “Even the cost of an integrated solution, which was as much as Rs 40,000 to Rs 50,000 three or four years ago, is today available for as little as Rs 15,000,” says Yogesh Dutta, COO of New Delhi-based CP Plus. “A rapid increase in the number of CCTVs sellers and technicians has also helped widen access.” The devices have become popular as it helps law enforcers to tackle crime, he adds.

CP Plus’s customers include Vedanta Power and Odisha Police, which has also decided to use e-surveillance to enhance security. Frost and Sullivan says small & medium enterprises and large corporations were together the biggest end-user segments in FY18. This segment had a market share of 33%. Residential had a 28% market share; the industrial segment had 18% and the government 13%, it said. Other major end-user segments are hospitality, education and healthcare.

An increase in such surveillance, however, may be double-edged, say privacy advocates. While a blanket coverage using CCTVs may give citizens a feeling of security, India’s rudimentary legislation around who can access these feeds is a problem. Some countries such as the UK and UAE have stricter guidelines on this. Law-enforcement agencies can access such feeds while following up on their investigations, says Supreme Court lawyer Karnika Seth, without procuring a warrant. “As long as it is for this purpose, it is within the purview of the law. However, with the new judgment on privacy, anything more would be a no-go area.”

The use of CCTV can potentially impinge on the rights of an individual, says Elonnai Hickok, who heads privacy research at the Centre for Internet and Society, an advocacy outfit in Bengaluru. “Technically speaking, the feed can reveal personal information about an individual, including identity, location and daily patterns. Because the feed captures individuals in public spaces, it is not possible for people to have an opt-out option. The access and use of the data are often unclear.” Regulations are starting to address the use of CCTV imagery in some places. The European Union’s General Data Protection Regulation, for example, has recognised that imagery that identifies an individual is personal data and thus requires lawful, fair and transparent processing.

The draft data protection bill by the Srikrishna committee also says CCTV imagery would be considered personal data. If CCTV cameras are put in place by a private actor, Hickok contends, they would need to adhere to the principles laid out in chapters II and III of the draft — which covers fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice, data quality, data storage limitation, accountability and consent.

For feeds used by the state for reasons such as public safety, the consent clause will not apply. But state actors will still need to adhere to the principles laid out in chapter II. If CCTVs are used for the purpose of prevention, detection, investigation and prosecution of a crime, it will be exempt from adhering to the requirements of the bill. However, this use must be backed by a law passed in Parliament and the data cannot be retained once its purpose has been met.

There are more legal restrictions if the CCTV application is integrated with capabilities that capture biometrics. "Clear responsibilities and reasons should be enunciated, the policies should be clearly documented and publicised and, importantly, the cost and benefits should be ascertained," Hickock argues. ¡§It is important to have technical safeguards like encryption and procurement guidelines.

Legal and privacy issues aside, the commercial aspect is clearly looking bright. Prama Hikvision, a Chinese-Indian joint venture, has invested Rs 100 crore in a factory in Bhiwandi to make 500,000 cameras a month. A second factory, possibly in Telangana, is expected to go on stream soon, with a monthly capacity of 1,50,000 units. "CCTVs have gone from being used by a sliver of companies, primarily banks and jewellers, to being adopted by a much broader audience," says Ashish Dhakan, MD and CEO, Prama Hikvision. "Our client list includes companies in the sectors of transportation, power, petroleum, oil and gas and retail."

Another trend market players have spotted is a shift from analog, which used tapes to record footage, to digital systems, where recording time and storage space are not major constraints. "We see continuous enhancement to megapixel (displays) from lowresolution, improved compression technology. This allows more data, more storage capacity, and overall lowering of cost for storage recording devices," says Sharad Yadav, general manager, Honeywell Building Technologies, India. Frost and Sullivan analyst Tiwari lists emerging offerings - including intelligent video surveillance, wireless systems and higher resolution of visuals - as features that will define the next-generation devices.

But digital also comes with some dangers. As CCTV cameras go from standalone devices to being digital and connected ones, experts say there is a risk of hacking. Hackers may also be able to use the network as a gateway. This could give hackers access to much more than just the camera feed. "Cybersecurity is a constant focus for us," says Holla of Axis Communications. "While no camera is hackproof, we believe we have built enough capabilities to react to these hacks and quickly release patches to secure them."

Others such as Hickok of CIS say more safeguards are required. "Technical safeguards like encryption and procurement guidelines are also important, as has been highlighted by the UK Information Commissioner's Office," she says. Keeping the cameras safe may be as important as safeguarding the lives these devices monitor.

For more details visit https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-october-14-2018-sales-of-surveillance-cameras-are-soaring-raising-questions-about-privacy

Why Data Localisation Might Lead To Unchecked Surveillance

pranesh — 2018-10-16T14:08:34Z

In recent times, there has been a rash of policies and regulations that propose that the data that Indian entities handle be physically stored on servers in India, in some cases exclusively. In other cases, only a copy needs to be stored.

The article was published in Bloomberg Quint on October 15, 2018 and also mirrored in the Quint.

In April 2018, the Reserve Bank of India put out a circular requiring that all “data relating to payment systems operated by them are stored in a system only in India” within six months. Lesser requirements have been imposed on all Indian companies’ accounting data since 2014 (the back-up of the books of account and other books that are stored electronically must be stored in India, the broadcasting sector under the Foreign Direct Investment policy, must locally store subscriber information, and the telecom sector under the Unified Access licence, may not transfer their subscriber data outside India).

The draft e-commerce policy has a wide-ranging requirement of exclusive local storage for “community data collected by Internet of Things devices in public space” and “data generated by users in India from various sources including e-commerce platforms, social media, search engines, etc.”, as does the draft e-pharmacy regulations, which stipulate that “the data generated” by e-pharmacy portals be stored only locally.

While companies such as Airtel, Reliance, PhonePe (majority-owned by Walmart) and Alibaba, have spoken up in support the government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it.

Just this week, two U.S. Senators wrote to the Prime Minister’s office arguing that the RBI’s data localisation regulations along with the proposals in the draft e-commerce and cloud computing policies are “key trade barriers”. In her dissenting note to the Srikrishna Committee's report, Rama Vedashree of the Data Security Council of India notes that, “mandating localisation may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM (information technology-business process management) industry.”

Justification For Data Localisation

What are the reasons for these moves towards data localisation?

Given the opacity of policymaking in India, many of the policies and regulations provide no justification at all. Even the ones that do, don’t provide cogent reasoning.

The RBI says it needs “unfettered supervisory access” and hence needs data to be stored in India. However, it fails to state why such unfettered access is not possible for data stored outside of India.

As long as an entity can be compelled by Indian laws to engage in local data storage, that same entity can also be compelled by that same law to provide access to their non-local data, which would be just as effective.

What if they don’t provide such access? Would they be blacklisted from operating in India, just as they would if they didn’t engage in local data storage? Is there any investigatory benefit to storing data in India? As any data forensic expert would note, chain of custody and data integrity are what are most important components of data handling in fraud investigation, and not physical access to hard drives. It would be difficult for the government to say that it will block all Google services if the company doesn’t provide all the data that Indian law enforcement agencies request from it. However, it would be facile for the RBI to bar Google Pay from operating in India if Google doesn’t provide it “unfettered supervisory access” to data.

The most exhaustive justification of data localisation in any official Indian policy document is that contained in the Srikrishna Committee’s report on data protection. The report argues that there are several benefits to data localisation:

Effective enforcement,
Avoiding reliance on undersea cables,
Avoiding foreign surveillance on data stored outside India,
Building an “Artificial Intelligence ecosystem”

Of these, the last three reasons are risible.

Not A Barrier To Surveillance

Requiring mirroring of personal data on Indian servers will not magically give rise to experts skilled in statistics, machine learning, or artificial intelligence, nor will it somehow lead to the development of the infrastructure needed for AI.

The United States and China are both global leaders in AI, yet no one would argue that China’s data localisation policies have helped it or that America’s lack of data localisation polices have hampered it.

On the question of foreign surveillance, data mirroring will not have any impact, since the Srikrishna Committee’s recommendation would not prevent companies from storing most personal data outside of India.

Even for “sensitive personal data” and for “critical personal data”, which may be required to be stored in India alone, such measures are unlikely to prevent agencies like the U.S. National Security Agency or the United Kingdom’s Government Communications Headquarters from being able to indulge in extraterritorial surveillance.

In 2013, slides from an NSA presentation that were leaked by Edward Snowden showed that the NSA’s “BOUNDLESSINFORMANT” programme collected 12.6 billion instances of telephony and Internet metadata (for instance, which websites you visited and who all you called) from India in just one month, making India one of the top 5 targets.

This shows that technically, surveillance in India is not a challenge for the NSA.

So, forcing data mirroring enhances Indian domestic intelligence agencies’ abilities to engage in surveillance, without doing much to diminish the abilities of skilled foreign intelligence agencies.

As I have noted in the past, the technological solution to reducing mass surveillance is to use decentralised and federated services with built-in encryption, using open standards and open source software.

Reducing reliance on undersea cables is, just like reducing foreign surveillance on Indians’ data, a laudable goal. However, a mandate of mirroring personal data in India, which is what the draft Data Protection Bill proposes for all non-sensitive personal data, will not help. Data will stay within India if the processing happens within India. However, if the processing happens outside of India, as is often the case, then undersea cables will still need to be relied upon.

The better way to keep data within India is to incentivise the creation of data centres and working towards reducing the cost of internet interconnection by encouraging more peering among Internet connectivity providers.

While data mirroring will not help in improving the enforcement of any data protection or privacy law, it will aid Indian law enforcement agencies in gaining easier access to personal data.

The MLAT Route

Currently, many forms of law enforcement agency requests for data have to go through onerous channels called ‘mutual legal assistance treaties’. These MLAT requests take time and are ill-suited to the needs of modern criminal investigations. However, the U.S., recognising this, passed a law called the CLOUD Act in March 2018. While the CLOUD Act compels companies like Google and Amazon, which have data stored in Indian data centres, to provide that data upon receiving legal requests from U.S. law enforcement agencies, it also enables easier access to foreign law enforcement agencies to data stored in the U.S. as long as they fulfill certain procedural and rule-of-law checks.

While the Srikrishna Committee does acknowledge the CLOUD Act in a footnote, it doesn’t analyse its impact, doesn’t provide suggestions on how India can do this, and only outlines the negative consequences of MLATs.

Further, it is inconceivable that the millions of foreign services that Indians access and provide their personal data to will suddenly find a data centre in India and will start keeping such personal data in India. Instead, a much likelier outcome, one which the Srikrishna Committee doesn’t even examine, is that many smaller web services may find such requirements too onerous and opt to block users from India, similar to the way that Indiatimes and the Los Angeles Times opted to block all readers from the European Union due to the coming into force of the new data protection law.

The government could be spending its political will on finding solutions to the law enforcement agency data access question, and negotiating solutions at the international level, especially with the U.S. government. However it is not doing so.

Given this, the recent spate of data localisation policies and regulation can only be seen as part of an attempt to increase the scope and ease of the Indian government’s surveillance activities, while India’s privacy laws still remain very weak and offer inadequate legal protection against privacy-violating surveillance. Because of this, we should be wary of such requirements, as well as of the companies that are vocal in embracing data localisation.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance

Community Standards Roundtable Conversations

Admin — 2018-10-16T14:01:55Z

Ambika Tandon was a participant in a roundtable organized by Facebook, School of Media & Cultural Studies, and Tata Institute of Social Sciences in Bengaluru on October 7, 2018.

The agenda for the roundtable was to discuss their community standards, particularly hate speech and harassment, and receive feedback from a feminist and gendered lens. Click to read more.

For more details visit https://cis-india.org/internet-governance/news/community-standards-roundtable-conversations

Indian Feminist Judgment Project Workshop

Admin — 2018-10-16T13:34:06Z

Swaraj Paul Barooah was a discussant at the Indian Feminist Judgment Project 'righting together' workshop organised in Delhi by Jindal from October 6 - 7, 2018.

Swaraj provided commentary on the re-writing of a patent application from a feminist perspective. Click here to view the agenda.

For more details visit https://cis-india.org/internet-governance/news/indian-feminist-judgment-project-workshop

September 2018 Newsletter

praskrishna — 2018-10-16T06:28:42Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights

Wikisource is one of the trending Wikimedia projects. Many new editors and new books to Indic language Wikisource's get added over a period of time. However, new editors as well as existing editors face numerous problems while working with the content online. The Centre for Internet & Society's Access to Knowledge (CIS-A2K) team, to help the editors, has created a Wikisource Handbook for Indian communities. CIS invites feedback to the first draft of this Handbook.
Centre for Internet & Society (CIS) participated in the 5th Global Congress on IP and Public Interest held in Washington in a big way. CIS signed on as a supporting member to the Civil Society Proposal for a Treaty on Education and Research Activities.
Sunil Abraham, in an article in the Hindustan Times, explores what leads to fake news. He has revealed that transparency regulations is the need of the hour especially for election campaigns and political advertising.
Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu co-authored a blog post which examines cross-border data sharing. The authors have argued that conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.
Arindrajit Basu and Elonnai Hickok wrote a blog entry on usage of artificial intelligence in governance sector in India. As per research though artificial intelligence has the potential to ameliorate structural inefficiencies in governmental functions, the deployment of this technology across sub-sectors is still on the horizons.
Amber Sinha, Elonnai Hickok and Arindrajit Basu produced a research paper on the implications of artificial intelligence in India in various sectors such as health, banking, manufacturing, and governance sectors.
Artificial Intelligence in many ways is in direct conflict with traditional data protection principles and requirements including consent, purpose limitation, data minimization, retention and deletion, accountability, and transparency. Authors Elonnai Hickok and Amber Sinha have explained this in a blog entry.
The researchers@work programme has selected 10 essays, based on an open call announced in August, engaging with the thematic of "offline". The abstracts of the selected essays have been published, and the final essays will be published on the upcoming r@w blog.

Articles

India’s post-truth society (Swaraj Paul Barooah; Hindu Businessline; September 7, 2018).
Digital Native: #MemeToo (Nishant Shah; Indian Express; September 9, 2018).
The Right Words for Love (Nishant Shah; Indian Express; September 23, 2018).
A trust deficit between advertisers and publishers is leading to fake news (Sunil Abraham; Hindustan Times; September 30, 2018).
Digital Native: Hardly Friends Like That (Nishant Shah; Indian Express; September 30, 2018).

CIS in the News

Can this curb your addiction? (Surupasree Sarmmah; Deccan Herald; September 5, 2018).
'Why should we talk to Dunzo?' State regulators fume at liquor delivery (Aroon Deep; Medianama; September 7, 2018).
#NAMAprivacy: Data Protection Authority's regulatory and enforcement challenges (Rana; Medianama; September 9, 2018).
'What Security Breach?' The Unchanging Tone of UIDAI's Denials (Karan Saini; The Wire; September 12, 2018).
Haryana Cops Say Internet Shutdowns Hurt Police Operations (Gopal Sathe; Huffington Post; September 19, 2018).
Find ways to trace origin of messages: Government to WhatsApp (Surabhi Aggarwal; Economic Times; September 20, 2018).
Net nanny meets muscular law (Laxmi Murthy; Himal South Asian; September 26, 2018).
After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar (Nishant Sharma; Bloomberg Quint; September 27, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Copyright and Patent

Participation in Event

5th Global Congress on IP and the Public Interest (Organized by PublicCitizen, Washington College of Law, American University, O'Neill Institute and the American Assembly, Columbia University; Washington D.C.; September 24 - 29, 2018). Sunil Abraham, Anubha Sinha and Swaraj Paul Barooah were panelists at the event.

Wikipedia

Publication

Wikisource Handbook for Indian Communities (Bodhisattwa Mandal and Ananth Subray P. V.; September 19, 2018).

Blog Entry

Christ (DU) students enrolls for 3rd Wikipedia certificate course (Ananth Subray; September 23, 2018).

Events Organized

Copyright Workshop (CIS; New Delhi; September 1 - 2, 2018).
Meeting on Digitization and Content Donation (Bhandarkar Oriental Research Institute; Pune; September 6, 2018).
Orientation session on Sanskrit Wikipedia (Tilak Maharashtra Vidyapeeth; Pune; September 6, 2018).
Workshop on FOSS, Unicode & Wikimedia Projects for Publishers, Printers, Designers and Writers (Fergusson College; Pune; September 7, 2018).
Workshop in MKCL regarding Vanbodh Project with TRTI (Maharashtra Knowledge Corporation Limited; Mumbai; September 11, 2018).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Research Papers

The Srikrishna Committee Data Protection Bill and Artificial Intelligence in India (Amber Sinha and Elonnai Hickok; September 3, 2018).
AI in India: A Policy Agenda (Amber Sinha, Elonnai Hickok and Arindrajit Basu; September 5, 2018).
Artificial Intelligence in the Governance Sector in India (Arindrajit Basu and Elonnai Hickok; edited by Amber Sinha, Pranav MB and Vishnu Ramachandran; ecosystem mapping by Shweta Mohandas and Anamika Kundu; September 14, 2018).
Cross-Border Data Sharing and India: A study in Processes, Content and Capacity (Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu; September 27, 2018).

Participation in Events

Online Cogitatum on AI and Ethics in India (Organized by Takshashila; Takshashila Institution; August 27, 2018). Elonnai Hickok participated in the event.
Conference on Data Protection (Organized by National Institute of Public Finance and Policy; New Delhi; September 4, 2018). Sunil Abraham and Amber Sinha were discussant in the session Disclosures in Privacy Policies: Does Consent Work?
Symposium on Data Privacy and Citizen's Rights (Organized by Tech Law Forum of NALSAR University of Law; Hyderabad; September 9, 2018).
Gender and Privacy: Countering the Patriarchal Gaze (Organized by Privacy International; United Kingdom; September 13 - 14, 2018).
Meeting of Information Systems Security and Biometrics Sectional Committee (Organized by Bureau of Indian Standards; New Delhi; September 14, 2018).
Forecasting the Implications of the CLOUD Act Around the World (Organized by Global Network Initiative; Russell Senate Office Building, Washington D.C.; September 18, 2018). Elonnai Hickok was a speaker.
Networked Economies and Gender Action Learning (Organized by IDRC and facilitated by Gender at Work; Ottawa; September 20 - 21, 2018). Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in the meeting. Sunil Abraham, Swaraj Paul Barooah and Ambika Tandon also attended a workshop on Gender Action Learning on September 24 - 25, 2018, which discussed strategies to work on gender under a grant for Cyber Policy Centres.
Round Table Discussion on Personal Data Protection Bill (Organized by SFLC; Bengaluru; September 25, 2018). Shweta Mohandas participated in the event and moderated the first session on Data Protection Principles (Rights and Obligations).

Cyber Security

Event Organized

Symposium on India’s Cyber Strategy (India Habitat Centre, New Delhi; August 31, 2018).

Participation in Event

Cyber-Security in the Age of Smart Manufacturing (Organized by Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka; The Lalit Ashok, Bengaluru; September 26, 2018). Arindrajit Basu attended the event.

researchers@work

The researchers@Work (r@w) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa.

Blog Entry

Essays on 'Offline' - Selected Abstracts (P.P. Sneha; September 6, 2018).
Digital Native: #MemeToo (Nishant Shah; Indian Express; September 9, 2018).
The Right Words for Love (Nishant Shah; Indian Express; September 23, 2018).
Digital Native: Hardly Friends Like That (Nishant Shah; Indian Express; September 30, 2018).

Participation in Event

Plenary Talk at Jyothi Nivas College Research Symposium (Organized by Jyoti Nivas College; Bangalore; September 28, 2018). P.P. Sneha made a presentation on presentation on new reading and writing practices in the digital context.

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/september-2018-newsletter

State of Work in India

Admin — 2018-10-09T14:25:37Z

Aayush Rathi and Ambika Tandon attended a panel discussion organized by Bangalore International Centre (TERI) and Azim Premji University, on Wednesday, October 3, 2018 in Bengaluru. A report titled 'State of Working India' by the Centre for Sustainable Employment was released on the occasion.

The report can be accessed here

For more details visit https://cis-india.org/internet-governance/news/state-of-work-in-india

Roundtable on Cyber-security and the Private Sector

pranav — 2018-10-15T09:18:35Z

The Centre for Internet & Society (CIS) invites you to a roundtable discussion on cyber-security and the private sector. The event will be held at Omidyar Network office in Bangalore from 10.00 a.m. to 4.00 p.m.

An increased proliferation of cyber attacks from multiple vectors and a variety of actors has necessitated a multi-stakeholder response to cyber-security that requires private sector involvement, both at the policy and technical fields. This contribution has come in the recent past not only through active involvement at the domestic levels but also through norm-setting in the international arena.

This symposium seeks to discuss the various cyber-security concerns in the Indian private sector and maps initiatives being undertaken by various actors towards furthering cyber-security in an attempt to identify challenges, points of tension, brainstorm solutions-thereby mapping the way forward through engagement not only with private sector actors but also in dialogue with civil society and policy-makers. CIS has undertaken some preliminary research in this area to further discussion in this area and serve as a forum for sharing perspectives for various stakeholders.

The symposium will be divided into three sessions, broadly in the form of a roundtable with different modus operandi in each session.

A Concept Note for the event can be found here, and the agenda can be found here. If you would like to attend, please rsvp pranav@cis-india.org, or register here.

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-cyber-security-and-the-private-sector

CyFy 2018

Admin — 2018-10-08T15:36:40Z

Swaraj Paul Barooah and Arindrajit Basu participated in CyFy 2018 organized by Observer Research Foundation at Hotel Taj Mahal, New Delhi from October 3 - 5, 2018.

Click to see the agenda

For more details visit https://cis-india.org/internet-governance/news/cyfy-2018

Gmail users beware while giving access

Admin — 2018-10-08T15:25:26Z

Recently, Google admitted to giving hundreds of firms access to users’ Gmail inboxes. It also revealed that many apps are able to scan and share data from email inboxes. However, Google explained that it vets third parties that are given access, and permission should be given by the user.

The article by Surupasree Sarmmah was published in Deccan Herald on October 4, 2018.

Metrolife asks Gmail users if they were aware of giving permission to third-party apps and talks to an expert to see if access to emails can make a user vulnerable to blackmail, loss of individual liberty and compromise on one’s safety.

Vinod Singha, finance lead, IDP Events, says, “It is shocking that a third party is given access to a user’s Facebook and Gmail data. These third-party apps will put the user’s name on a target group to sell products and services, without the person’s knowledge. It’s high time we, as users, become aware of both advantages and disadvantages of online data sharing.”

Pallavi Shivakumar, assistant professor, says, “There should be more transparency and accountability from these app developers. There might not be any violation from their end but this is definitely a case of infiltration. I also feel that people need to be more aware of the footprint they are leaving behind.”

Aayush Rathi, policy officer, Centre for Internet and Society, says that the Cambridge Analytica scandal is an example of misuse of access to data granted to third parties.

He elaborates, “Google mandates every user to give consent to a third-party app before the app can access their information. A screen asking your permission to let the app access to your inbox pops up. While you may willingly click on that, the ripple effects will create problems — people you send emails to and who you receive emails from may also be impacted. Further, while as a user I may consent to a third party getting access to my inbox, what we may not be able to control is their sharing of our data with a fourth party.”

He adds that technically, Google is in the clear because unless an app gets consent from the user, it can’t access your inbox. The apps are also vetted by Google to see if they are in consonance with privacy standards; this is even before they are permitted to take permission from a user. “From a security point of view, Google claims to have high-end malware detection systems in place. Apps within the play store ecosystem can be vetted by Google but there are applications outside the ecosystem that can be used too. One of the central questions then becomes the degree to which we want Google to close down its API while maintaining data portability and interoperability considerations,” Aayush told Metrolife.

What can a user do?

Do your own vetting before giving access to a third-party app.
Regular review of the third-party applications you have given access to through Google settings on Gmail. email ID Google Google Account

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-october-4-2018-surupasree-sarmmah-gmail-users-beware-while-giving-access

Net nanny meets muscular law

Admin — 2018-10-02T05:48:32Z

India’s new human-trafficking bill could criminalise sex workers and curtail free speech.

The article by Laxmi Murthy was published in Himal South Asian on September 26, 2018.

When conservative morality is armed with the law and prejudice is given legal validity, the state is transformed into a wet nurse cum security guard. The Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill 2018, passed on 26 July in the lower house of the Indian Parliament, represents a growing trend of increased state surveillance and control, and a carceral approach to dealing with non-compliance with overbroad and vague laws laced with prudery.

Trafficking in persons, as defined by the United Nations, is “the recruitment, transportation, transfer, harbouring or receipt of persons” by coercion, deception or the abuse of power or position for the purpose of exploitation. Human trafficking is considered to be a form of modern-day slavery and is outlawed in most countries.

Following the ratification of the United Nations Convention for the Suppression of the Traffic in Persons and of the Exploitation of the Prostitution of Others in 1949, India enacted the Suppression of Immoral Traffic in Women and Girls Act 1956. However, nowhere was trafficking clearly defined in the law. The acronym of this law, SITA, seemingly deliberately modelled after Sita, the chaste wife of Rama from the epic Ramayana, reinforced the moralism already codified into law. Moving from suppression to prevention of ‘immoral’ trafficking took three decades, but the Immoral Traffic (Prevention) Act (ITPA), as the act was renamed in 1986, continued to prioritise morality over human rights, focusing its attention on raiding brothels and “rescuing and rehabilitating” sex workers, whether or not they wanted such intervention. Though sex work is not illegal per se in India – with some notable exceptions with respect to soliciting in public places – the ITPA views consensual adult sex work as a misnomer and approaches all women in sex work as victims in need of rescue. This ultimately criminalises even consenting adult sex workers by treating solicitation, brothel ownership and procurement as criminal activity.

Unfortunately, the 2018 trafficking bill has been drafted with this very mindset, and goes on to widen the scope to cover “aggravated” forms of trafficking, including trafficking for the purpose of forced labour, begging, trafficking by administering chemical substance or hormones for early sexual maturity among other things. It also includes in its ambit trafficking for the purpose of surrogacy, at a time when questions around commercial surrogacy and consent of surrogates have yet to be settled in Indian law.

The bill also aims to unify existing criminal law provisions on trafficking. The definition of trafficking in the Indian law is drawn primarily from Section 370 of the Indian Penal Code (IPC), which includes ‘any act’ of physical exploitation, sexual exploitation, slavery or practices similar to slavery and servitude. Trafficking under this bill also includes begging and domestic work. However, critics of the bill, including a collective of sex-worker-rights groups and organisations working with bonded labour, children and adolescents under the banner of the Coalition for an Inclusive Approach on the Trafficking Bill, say that the bill, with its criminalised approach, will further stigmatise sex workers, transgender persons and beggars. The supposed ‘victims’ of trafficking would, therefore, be forcibly rescued, rehabilitated and repatriated, and denied their chosen residence as well as their means of livelihood. The elaborate anti-trafficking bureaucracy to be set up at district, state and national levels seems unwieldy and without representation of the communities it purports to protect.

Cross-purposes

The anti-trafficking bill embodies a constitutional conundrum: in attempting to fulfil the mandate under Article 23 of the Constitution – to protect persons from exploitation inherent in human trafficking – it can potentially violate fundamental freedoms, in particular, the freedom of speech and expression, a core protection guaranteed by Article 19.

According to Section 39 (2) of the bill, “Whoever solicits or publicises electronically, taking or distributing obscene photographs or videos or providing materials or soliciting or guiding tourists or using agents or any other form which may lead to the trafficking of a person shall be punished (emphasis added)”.

This provision, while intending to criminalise online soliciting, casts a wide net and prescribes penalties – rigorous imprisonment for a term of five to ten years and a fine between INR 50,000 (USD 700) and INR 100,000 (USD 1400) – for vaguely defined acts which may lead to trafficking. It is not necessary, as per this provision, to prove a direct causal link between these acts – such as distributing obscene photographs or providing materials – and the actual crime of trafficking. Such a broad brush is highly problematic and violates well-established tenets of criminal jurisprudence which require criminal intention (mens rea) along with the actual criminal act (actus reus). That is, a criminal act must be accompanied by a criminal intention. Without any burden to prove a causal link, anything deemed to potentially lead to trafficking can be proscribed – for example, any artistic work, academic publication or cinematic representation.

Sexually explicit content – text, audio and visual – has evoked deeply contentious opinions right from the time of the Kamasutra and the erotic sculptures of the Khajuraho temples. There is no one single position on pornography or obscenity among feminists, despite their shared concern about enhancing women’s rights and stopping exploitation. On the one hand, American feminist Robin Morgan’s famous pronouncement back in 1974, that pornography is the theory and rape is the practice, implying that pornography was directly responsible for violence and sexual abuse of women, influenced early feminists the world over, and continues to hold sway among sections of women’s rights advocates. However, while images undoubtedly impact on the human psyche, the causal links between pornography and rape are not established firmly enough to warrant censorship and bans. On the other hand, sex-positive feminists who celebrate varied expressions of sexual desire, especially female sexuality, advocates of feminist pornography (which is not seen as a contradiction in terms), adult entertainers and sex workers have practiced and theorised sexual desire and its many manifestations in ways that are undergirded by consent, respect, agency and autonomy, but not necessarily confined to contemporary social mores. Conversations around sexuality and desire have moved beyond criminalisation of what is considered deviant, but echoes of these conversations do not seem to have been heard in the corridors of the Parliament.

With the prevalent moral disapproval of pornography and adult entertainment, the phrase “taking or distributing obscene photographs or videos or providing materials” can easily be misinterpreted as leading to trafficking. The word ‘obscene’ is itself too subjective and culturally loaded a term to withstand rigorous legal scrutiny. It is a no-brainer that deciding what is aesthetically pleasing erotica and what is unacceptable pornography is in the eye of the beholder and is, therefore, subjective. Where there is no requirement to prove intention, or mens rea, any image or video deemed to be obscene can be censored. This could bring into its ambit online material, articles, literature, magazines as well as artists and their work, and consenting adult sexual interactions in the digital space including adult dating apps like Tinder or OkCupid.

It was only as recently as 2014 that India’s Supreme Court jettisoned the archaic Hicklin Test, which was developed in an 1868 case in England to determine whether specific material could “deprave and corrupt those whose minds are open to such influences”. This outdated standard was applied, for instance, in the landmark case of Udeshi v State of Maharashtra in 1964 to uphold the ban on the D H Lawrence classic Lady Chatterley’s Lover and to convict Ranjit Udeshi, a bookseller, under Section 292 of the IPC for distributing “obscene” material.

Half a century on, in 2014, Anand Bazaar Patrika, publishers of Sportsworld, a magazine which reprinted a nude photograph of tennis champion Boris Becker and his fiancée, won the case in the apex court which rejected the Hicklin Test. However, the court adopted a ‘community standards’ test derived from the 1957 Roth v United States case that determined what was obscene and was, therefore, unprotected by the First Amendment to the American Constitution that protects freedom of speech. The ‘community standards’ test has itself been challenged for its vagueness, since what is considered to have social importance is itself variable. In addition, the Supreme Court in the Sportsworld case allowed the nude photograph because, in the court’s view, it did not have “a tendency to arouse feeling or reveal an overt sexual desire”. The nude photograph of a white-skinned Becker with his dark-skinned fiancée was deemed to be in the public interest, as its intention was to cast a spotlight on racism and apartheid. However, the justification that the photo did not arouse sexual desire and was, therefore, acceptable, is both highly subjective and problematic in its criminalisation of sexual desire, in that it allows – without any evidence whatsoever – the dangerous possibility of nudity having a causal effect on violence.

Stormy seas and safe harbours

The Trafficking Bill 2018 in its “offences related to media” chapter, continues in its inexorable march towards criminalisation on the basis of vague definitions. According to Section 36, a person is said to be engaged in trafficking of person even if that person “advertises, publishes, prints, broadcasts or distributes, or causes the advertisement, publication, printing or broadcast or distribution by any means, including the use of information technology or any brochure, flyer or any propaganda material that promotes trafficking of person or exploitation of a trafficked person in any manner.”

However, since “promoting trafficking or exploitation” has not been clearly defined, it makes room for different interpretations of liability. There is little in this provision that attempts to impose a clear, rigorous standard of evidence that could demonstrate direct cause. The Bengaluru-based non-profit Centre for Internet and Society (CIS) cautions that, under this clause, the likelihood of authors of adult material, videographers, filmmakers and internet sites being charged with promoting trafficking or exploitation is quite high, since the clause might build a legal link between hosting or producing pornography and trafficking.

Clamping down on internet freedom on the basis of obscenity is not new. In July 2015, the government banned 857 websites that it considered pornographic. This followed the Kamlesh Vaswani case in the Supreme Court where the then chief justice of India expressed his inability to order a ban as it would go against the right to personal liberty guaranteed in Article 21 of the Constitution. In their submission challenging the ban, and underlining the subjectivity in viewing and interpreting content, the Internet Service Providers Association of India (ISPAI) said, “one man’s pornography is another man’s high art”, making it impossible for them to ban any sites. The ISPs were later told that they should ban only sites showing child pornography, but they submitted that they neither created content nor owned it and that it was not possible for them to view content before hosting it. And therein lies one of the most controversial features of the trafficking bill.

The most pernicious provision of the bill, Section 41 (2), displays a complete lack of understanding of the manner in which the digital space functions. The section penalises anyone who “distributes, or sells or stores, in any form in any electronic or printed form showing incidence of sexual exploitation, sexual assault, or rape for the purpose of exploitation or for coercion of the victim or his family members, or for unlawful gain.”

As the CIS critique of the bill points out, digital infrastructure requires third party intermediaries to handle information during transmission, storage or display. As it is not always desirable or even practically possible to verify the legality of every bit of data that gets transferred or stored by the intermediary, the CIS points out, the law provides ‘safe harbours’ to protect intermediaries from liability, ensuring that entities that act as architectural requirements and intermediary platforms are able to operate smoothly and without fear. It must be noted that users who upload and initiate transfer of information online, are not always the same parties who are directly involved in transmission of content.

In India, immunity from liability or a ‘safe harbour’ for intermediaries involved with transmission or temporary storage of content is currently provided by Section 79 of the Information Technology Act 2000 (IT Act), on condition that they: (i) act as a mere ‘conduit’ and do not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission and (ii) exercise due diligence, which has been defined under the law. The provision for safe harbours has also been tested in court, notably in the case of the virtual market Baazee.com (later acquired by eBay), which had hosted an advertisement for an ‘obscene’ video for two days before it was taken down. The court held that the IT Act would prevail over the IPC, and the managers could not be held liable for the content of the advertisement.

With Section 59 of the proposed trafficking bill set to override existing legislation, the provision of safe harbours under the IT Act will be in jeopardy. Notably, this move to prosecute internet intermediaries is in keeping with a worldwide trend. In April 2018, the United States President Donald Trump signed into law two controversial pieces of legislation aimed to tackle human trafficking online, which have grave implications for free speech. The US Congress bill, the Fight Online Sex Trafficking Act (FOSTA), and the Senate bill, the Stop Enabling Sex Traffickers Act (SESTA), have been welcomed by some as a victory for victims of sex trafficking. Alarmingly, however, the bills, better known by their acronyms FOSTA-SESTA, create an exception to the safe harbour rule, ie Section 230 of the 1996 Communications Decency Act (CDA). This provision, which is regarded as a landmark protection, says “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” For over two decades, in the spirit of actualising the immense potential of the digital space to share information, ideas and opinions, this section has provided immunity for intermediaries, allowing users to freely generate content without making platforms and ISPs accountable for such content.

Under FOSTA-SESTA, however, websites are liable to be penalised for advertisements promoting consensual adult sex work, dating or escort services (such as Backpage.com or Craigslist) which could be deemed to promote trafficking. Sex-worker-rights activists in the US posit that such an unwarranted clampdown on these avenues through which adult sex workers could safely screen clients and avoid potentially dangerous situations, is putting them at risk.

Despite the protests against the impact of FOSTA-SESTA on the internet and free expression, parliamentarians in the United Kingdom seem set to follow a similar regulatory route. An All-Party Parliamentary Group (APPG) on Prostitution and the Global Sex Trade in July 2018 called for a ban on “prostitution websites”, by which they mean virtual advertising sites such as Vivastreet and Adultwork which host adult advertisements. Anticipating the same fallout as in the US, Amnesty UK tweeted, “Taking down these platforms will push sex workers deeper underground exposing them to greater risks of violence, exploitation and trafficking.”

Beyond criminalisation

According to Interpol, trafficking in human beings is a multi-billion-dollar international criminal industry, which is usually carried out for forced labour, sexual exploitation or for harvesting of tissue, cells and organs. Despite this recognition of the different motives for trafficking, the crime has largely been linked – in the popular imagination, media and, unfortunately, even law enforcement – to sexual exploitation. The thrust of anti-trafficking efforts in India, post-Independence, set the stage for decades of human-rights violations in the name of anti-trafficking, using an ineffective law that penalised victims more than traffickers. The proposed bill, with its ill-conceived criminalised regime, is likely to do more harm than good, and give rise to a repressive regime that is not in the interests of marginalised populations most vulnerable to traffickers. Not only is the bill unlikely to make any dent in the organised trafficking networks, but the fallout of its provisions policing the internet is also likely to hamper freedom of expression and consensual, adult sexual activity mediated through the digital space.

For more details visit https://cis-india.org/internet-governance/news/himal-south-asian-laxmi-murthy-net-nanny-meets-muscular-law

Networked Economies and Gender Action Learning

Admin — 2018-10-02T03:10:02Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in a meeting organized by IDRC for grantees under their networked economies programme to discuss gender-based outputs and development outcomes in their work. The event was held in Ottawa on September 20 - 21, 2018, facilitated by Gender at Work.

Sunil Abraham, Swaraj Paul Barooah and Ambika Tandon also attended a workshop on Gender Action Learning on September 24 - 25, 2018, which discussed strategies to work on gender under a grant for Cyber Policy Centres. Other organizations present at the workshop were Research ICT Africa, Lirne Asia, and Centre Latam Digital at CIDE, Mexico. Gender at Work facilitated this workshop as well, and will be working with all the grantees over a period of 18 months.

For more details visit https://cis-india.org/internet-governance/news/networked-economies-and-gender-action-learning

Cyber-Security in the Age of Smart Manufacturing

Admin — 2018-10-02T00:23:45Z

Arindrajit Basu attended the event 'Cyber-security in the age of Smart Manufacturing.' The event 'BTS - CyberComm 2018' was organised by the Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka at The Lalit Ashok, Bengaluru on September 26, 2018.

The event was aimed at understanding the cyber security threats revolving around Industry 4.0 and smart manufacturing. The speakers included Mr. Gaurav Gupta, Principal Secretary, IT, BT and S&T Department, Government of Karnataka;Mr. Sanjay Mujoo, Vice President, Pointnext Global Centre Bangalore, Hewlett Packard Enterprise, India;Mr. Yogesh Andlay, Founder, Nucleus Software & Polaris Financial Technology and Mr. Ambrish Bakaya, Co-Chair, ICT and Digital Economy Committee FICCI.

Apart from discussing how to cover the threat vectors as businesses increasingly become digitised and use digital supply chains,the event was also useful in terms of obtaining an understanding of how the Karnataka government is approaching the digital ecosystem. The Centres of Excellence aim to bring on board academics, industry bodies and practitioners to develop best practices. FICCI, which was co-hosting this event indicated that they will continue to work with the government to further this agenda.

For more details visit https://cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing

After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar

Admin — 2018-10-01T23:39:42Z

The 12-digit Aadhaar number is now out of bounds for fintech companies in India.

The article by Nishant Sharma was published in Bloomberg Quint on September 27, 2018. Pranesh Prakash was quoted.

Video

With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “unconstitutional”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.

In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—it said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.

The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.

'Aadhaar Is Just Another ID'

Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”

For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the Fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth, ” Amrish Rau, co-founder of PayU, said in a text message.

The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”

Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead," Sameer Nigam, cofounder of PhonePe, said. "Whether we go to no KYC, lower limit environment or go to the physical KYC environment."

The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.

Aadhaar-Based KYC: Allowed With Consent?

The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.

Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.

They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature is voluntary, But since the court has struck down this part, even voluntary use won’t be permitted.

Prasanna S, Advocate, Supreme Court

Jaitley Hints At Legal Backing

Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.

Rastogi of Ikigai Law said that the court has left open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.

Rahul Matthan, a technology partner at law firm Trilegal differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.

Prasanna agreed with this interpretation.

The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even a law is introduced, private access will be impermissible.

Prasanna S, Advocate, Supreme Court

Are Aadhaar-Based KYCs Tainted?

Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And data that was collected as part of Aadhaar-based KYC- does that need to be deleted?

The majority order hasn’t specifically addressed these questions, Matthan pointed out. But went on to explain that his reading of the judgment is that the court wants things to remain as they are.

The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, may be we can argue that there’s no requirement to delete the data.

Rahul Matthan, Partner, Trilegal

Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.

Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar

Cross-Border Data Sharing and India: A study in Processes, Content and Capacity

Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu — 2018-09-29T00:37:39Z

A majority of criminal investigations in the modern era necessitate law enforcement access to electronic evidence stored extra-territorially. The conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.

The crux of the issue lies in the age old international law tenet of territorial sovereignty.Investigating crimes is a sovereign act and it cannot be exercised in the territory of another country without that country’s consent or through a permissive principle of extra-territorial jurisdiction. Certain countries have explicit statutory provisions which disallow companies incorporated in their territory from disclosing data to foreign jurisdictions. The United States of America, which houses most of the leading technological firms like Google, Apple, Microsoft, Facebook, and Whatsapp, has this requirement.

This necessitates a consent based international model for cross border data sharing as a completely ad-hoc system of requests for each investigation would be ineffective. Towards this, Mutual Legal Assistance Treaties (MLATs) are the most widely used method for cross border data sharing, with letters rogatory, emergency requests and informal requests being other methods available to most investigators. While recent gambits towards ring-fencing the data within Indian shores might alter the contours of the debate, a sustainable long-term strategy requires a coherent negotiation strategy that enables co-operation with a range of international partners.

This negotiation strategy needs to be underscored by domestic safeguards that ensure human rights guarantees in compliance with international standards, robust identification and augmentation of capacity and clear articulation of how India’s strategy lines up with the existing tenets of International law. This report studies the workings of the Mutual Legal Assistance Treaty (MLAT) between the USA and India and identifies hurdles in its existing form, culls out suggestions for improvement and explores how recent legislative developments, such as the CLOUD Act might alter the landscape.

The path forward lies in undertaking process based reforms within India with an eye on leveraging these developments to articulate a strategically beneficial when negotiating with external partners.As the nature of policing changes to a model that increasingly relies on electronic evidence, India needs to ensure that it’s technical strides made in accessing this evidence is not held back by the lack of an enabling policy environment. While the data localisation provisions introduced in the draft Personal Data Protection Bill may alter the landscape once it becomes law, this paper retains its relevance in terms of guiding the processes, content and capacity to adequately manoeuvre the present conflict of laws situation and accessing data not belonging to Indians that may be needed for criminal investigations.As a disclaimer,the report and graphics contained within it have been drafted using publicly available information and may not reflect real world practices.

Click here to download the report With research assistance from Sarath Mathew and Navya Alam and visualisation by Saumyaa Naidu

For more details visit https://cis-india.org/internet-governance/blog/cross-border-data-sharing-and-india-a-study-in-processes-content-and-capacity

Takshashila's online Cogitatum on AI and Ethics in India

Admin — 2018-09-26T01:46:39Z

Elonnai Hickok participated in an event organized by Takhshashila on August 27, 2018 and made a presentation on Ethics and AI in India. The event was held in Takshashila Institution

Click to view the slides

For more details visit https://cis-india.org/internet-governance/news/takshashilas-online-cogitatum-on-ai-and-ethics-in-india