We are anonymous, we are legion

NGOs, individuals urge state CMs to curb Internet shutdown

praskrishna — 2017-04-07T02:43:39Z

Amid rising instances of Internet curbs, a group of individuals and organisations have urged the chief ministers of 12 states to only restrict specific online content rather than resort to complete shutdown.

The article was published in the Times of India on April 4, 2017.

SFLC.in, a Delhi-based not-for-profit organisation, along with various Internet-related firms have sent letters in this regard to the chief ministers of these states impacted by Internet shutdowns.

The letters have been written to the chief ministers of Uttar Pradesh, Nagaland, Manipur, Maharashtra, J&K, Jharkhand, Rajasthan, Meghalaya, Arunachal Pradesh, Bihar, Gujarat and Haryana.

"The Internet shutdowns are imposed using state power under Section 144 by these specific states and not by the Union Government. The central government is bound to follow the process under Section 69 IT act.

"These letters to the chief ministers of all 12 states, which have been affected by Internet shutdowns till date, are an effort by us to address the source of the problem," SFLC.in President and Legal Director Mishi Choudhary told .

As per Internet Shutdown tracker of SFLC, there have been 28 incidents of Internet closure in Jammu & Kashmir, 9 cases each in Gujarat and Haryana, 8 in Rajasthan, 3 Nagaland, 2 cases each in Uttar Pradesh, Bihar and Manipur and 1 incident each in Maharashtra, Jharkhand, Meghalaya and Arunachal Pradesh since 2012.

As per the tracker, far India has experienced a record number of 66 such incidents since 2012, with the number increasing more than two-fold from 14 in 2015 to 31 in 2016.

The letters sent to the chief ministers urge them to "take requisite action that would prohibit the issuance of orders that make Internet services entirely inaccessible for a particular area, and rather recommend that Section 69A and the procedure established by the rules therein be applied to limit the restriction to certain specific online content."

The signatories of the letters include the Centre for Internet and Society, Digital Empowerment Foundation, Internet Democracy Project, IT for Change and Society for Knowledge Commons, individuals like Anivar Aravind (Executive Director, Indic Project), IIT Bombay professor Kannan Moudgalya and others.

"We are hopeful that our efforts will make the government take in account the enormous effects of Internet shutdowns on the social-economic condition of our citizens and understand their plight," Choudhary said. PRS MKJ

For more details visit https://cis-india.org/internet-governance/news/times-of-india-april-4-2017-ngos-individuals-urge-state-cms-to-curb-internet-shutdown

NGOs say eG8 report must stress internet rights

praskrishna — 2011-06-22T04:17:55Z

More than 35 NGOs from around the world signed a joint declaration requesting that issues concerning freedom of speech be included in the report set to be presented to G8 heads of government by the organisers and participants of the eG8 Forum held in Paris. The news was published in TELECOMPAPER on May 26, 2011.

Read the full story in TELECOMPAPER

For more details visit https://cis-india.org/news/e-g-8-report-internet-rights

NGO questions people's privacy in UID scheme

praskrishna — 2012-01-12T11:45:07Z

Taking a leaf out of the recommendations of the parliamentary standing committee on finance (SCF) that raised objections on the National Identification Authority of India Bill 2010, Delhi-based NGOs have called upon the Jharkhand government to stay the execution of UID projects in the state. Jaideep Deogharia's article was published in the Times of India on 11 January 2012.

Citing excerpts from the recommendations of the SCF, headed by BJP MP Yashwant Sinha, the NGO activists asserted that the MoU signed by the government on June 25, 2010, was without any legal and constitutional mandate.

This claim, however, remains unfounded as the UIDAI is functioning under an executive order of the department of planning and has no links with the NIDAI Bill. The issue was recently clarified by the director general and mission director of UIDAI when he addressed the media in the capital during his three-day visit.

Organizing a round table, report on SCF and its implications for Aadhaar project and National Population register for multipurpose National ID Card (MNIC),

Citizens Forum for Civil Liberties member Gopal Krishna said given the fact that the Election Commission had shortlisted 15 documents as evidence of identity and citizenship, there was no need to have the 16th instrument (read UID).

"It violates citizens' basic and constitutional right to privacy because collecting biometric information of an individual was limited to criminals," he said clarifying that even in case of prisoners, the fingerprint data is supposed to be deleted after acquittal under the Prisoner Identification Act.

JT D'Souza, an expert in biometrics technology, Mumbai, gave a presentation on how biometric information was vulnerable to exploitation. Using a finger print reader, he demonstrated fake finger prints being read by the machine. He said a fingerprint on a semi solid wax slab can be filled up with adhesive and allowed to set for eight hours. "Once the adhesive block is removed, it takes up the exact marks of finger prints using which any finger print reader can be fooled," he said.

Another participant, Sunil Abraham, director, Centre for Internet and Society, Bangalore, said there is no data protection or privacy law in place. "The UID project was allowed to march on without any protection being put in place," he said.

"On one hand, the government wants its citizens to be transparent by giving all their biometric and demographic data, but on the other hand, people in higher authorities are making every bid to conceal facts and function in a non-transparent manner," he said.

D' Souza also raised questions about the uniqueness of fingerprints as it has never been tested on a vast population. Citing examples from foreign countries where fingerprint studies have proved to be ineffectual in establishing non duplication, he said biometric data if hacked could be misused.

Read the original published in the Times of India

For more details visit https://cis-india.org/news/ngo-questions-peoples-privacy-in-uid-scheme

NGO invites public to peruse its accounts

praskrishna — 2013-05-21T14:38:38Z

Domlur-based The Centre for Internet and Society opens its books for anyone to see and track every rupee of the Rs 13.13 crore it received from donors.

This article by Vandana Kamath was published in the Bangalore Mirror on May 18, 2013. Sunil Abraham is quoted.

In an unusual but ‘clean’ way of celebrating its fifth anniversary, a city-based non-governmental organisation (NGO) has invited the general public to inspect its books of accounts, check out its list of donors and view contracts. At a time when several NGOs are under the scanner for trying to shroud financial transactions in secrecy, The Centre for Internet and Society (CIS), a non-profit research organisation that defends consumer rights on the Internet, has upped its policy of transparency a notch.

Located in Domlur and largely patronised by Bangalore’s tech community, CIS’s books of accounts will be available for public scrutiny during its fifth anniversary celebrations from May 20 to 23 and will show how the NGO has spent the Rs 13.13 crore it has received from donors since its launch.

Speaking to Bangalore Mirror, CIS executive director Sunil Abraham admitted that the move was to dispel any lingering doubts on the motives of his organisation. “These days, many NGOs have been in the news for misappropriation of donations,” Abraham said. “We want to keep our books of accounts open to the public. Apart from details like salaries drawn by each board member, many other details like contractual obligations with entities, details of donors and official travel expenses by board members can also be obtained. Anybody can walk into our office and ask to see the accounts. A photocopy of all the details will also be given to them at the earliest.”

In fact, a recent debate in the Rajya Sabha centred on the lack of transparency among NGOs receiving contributions from overseas after the Foreign Contribution Regulation Act (FCRA) was passed in 2010. With 17 donors, a majority of who are from overseas, CIS ensures that every rupee obtained is well spent and accounted for.

“We have made public a list of donors and their share of contributions to our society,” Abraham said. “This will give everybody a clear picture of the funds we receive and where and how it is being spent.”

CIS is primarily funded by the Kusuma Trust, The Wikimedia Foundation and The Hans Foundation among others. The society was founded in 2008 and has 17 staff of whom four are based in Delhi and the rest in Bangalore. The society also has seven distinguished fellows and five fellows.

It conducts policy research programmes on topics like accessibility, access to knowledge, openness, internet governance and telecom. The society has churned out 641 research items in five years that include essays, books and blog entries on the topics. It has also conducted research on the accessibility of the e-governance system and has suggested ways to make it more disabled-friendly.

As part of its anniversary celebrations, the society will hold a four-day event in its office starting May 20 that will include an exhibition showcasing its activities so far. Various artists like Kiran Subbaiah, Tara Kelton, Navin Thomas and Abhishekh Hazra are expected to participate and give live demonstrations.

For more details visit https://cis-india.org/news/bangalore-mirror-vandana-kamath-may-18-2013-ngo-invites-public-to-peruse-its-accounts

New Trends in Industry Self-Governance

praskrishna — 2012-10-04T11:37:54Z

Oxford Internet Institute, University of Oxford, UK and Media Change & Innovation Division, IPMZ, University of Zurich, Switzerland and Nominet, UK is organising this workshop on November 7, 2012 at the seventh annual IGF meeting to be held in Baku, Azerbaijan. This workshop will be held in Conference Room 2, from 4.30 p.m. to 6.00 p.m. Sunil Abraham is one of the panelists at this workshop.

Concise description of the proposed workshop:
Informal rule setting still plays a significant role in Internet governance. Non-governmental governance can occur at two levels: by shared rules negotiated through bodies like ICANN, and via private ordering by individual firms with significant market power. This panel will explore these two levels drawing on research into ICANN and two recent cases: the Google Books [non-] settlement, and several governments’ demands that service providers such as Research In Motion and Facebook give local law enforcement agencies access to user communications.

Google’s project to digitize, index, and later to sell access to large numbers of out-of-print books is a leading example of an Internet-triggered shift from public to private regulation and the declining authority of copyright law. It triggered a major international controversy encompassing three class action lawsuits, a proposed and subsequently amended settlement by the litigating parties, more than 400 filings by class-members and "friends of the court" (including the French and German governments), two court hearings, various conferences, innumerous blog entries and articles. A New York federal district court ultimately rejected a proposed settlement between Google and representatives of book authors and publishers, stating that the issues would be “more appropriately decided by Congress than through an agreement among private, self-interested parties."

While almost all states allow law enforcement agencies to intercept Internet communications, the growing use of encryption has restricted access to in-transit communications and social networking data. The governments of India and several Middle Eastern nations have all pressed Research In Motion to allow police access to BlackBerry encrypted messages, threatening otherwise to shut down services. RIM has installed local servers in several countries to meet these demands. The Indian government is reportedly now looking at encrypted services provided by Google and Skype. These and other online services, often hosted in the US, receive frequent requests from foreign law enforcement agencies for user data. Such requests have no statutory force, but may be voluntarily granted under US law – raising questions about user privacy and the oversight of this access.

These cases have much wider implications for other Internet services and users around the world. The proposed workshop will facilitate a multi-stakeholder exploration of these implications.

Four researchers will give precise, provocative five-minute opening statements on the key lessons for Internet rule setting from these cases. Each speaker will pose three specific questions on the accountability, viability and efficiency of these governance structures. These questions will kick-off roundtable discussion between the panelists from government, civil society, business and the technical community. The objective will be to draw out further lessons in how the public interest can best be protected in informal Internet governance processes, with contributions and questions from workshop and remote participants.representing official positions.

Background Paper:

Name of the organiser(s) of the workshop and their affiliation to various stakeholder groups:
Ian Brown, Oxford Internet Institute, University of Oxford
William Drake, University of Zurich Business, technical community, Civil Society, government co-sponsors in process (TBD)

Have you, or any of your co-organisers, organised an IGF workshop before?: Yes
Please provide link(s) to workshop(s) or report(s):
http://www.intgovforum.org/cms/index.php/component/chronocontact/?chronoformname=Workshopsreports2009View&curr=1&wr=84

Provide the names and affiliations of the panellists you are planning to invite:
Sunil Abraham, Centre for Internet and Society, Bangalore
Ian Brown, Oxford Internet Institute, University of Oxford (Moderator)
William Drake, University of Zurich
Jeanette Hoffman, Wissenschaftszentrum Berlin
Emily Taylor, Independent Consultant, UK
Rolf Weber, University of Zurich
Google representative TBC
Government representative TBC

For more details visit https://cis-india.org/news/new-trends-in-industry-self-governance

New Standard Operating Procedures for Lawful Interception and Monitoring

divij — 2014-03-20T05:13:13Z

Government issues new guidelines to TSP’s to assist Lawful Interception and Monitoring.

Even as the Central Government prepares the Central Monitoring System for the unrestricted monitoring of all personal communication, the Department of Telecom has issued new guidelines for Telecom Service Providers to assist in responding to requests for interception and monitoring of communications from security agencies.

These guidelines do not appear to be publicly accessible, but according to news items, under the “Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers”, the TSP’s must now provide for lawful interception and monitoring requests for voice calls, Short message Service (SMS), General Packet Radio Service (GPRS) and Value Added Service (VAS) including Multi Message Service (MMS), data and voice in 3G/4G/Long Term Evolution (LTE) including video call or Voice Over Internet protocol (VoIP). This move comes just days after the Home Ministry suggested that the Department of Telecom either change the rules under their Telecom Policies such as the Unified Access Service Licence (UASL) to include VoIP monitoring, or, drastically, block all VoIP services on the internet, which would include several communication applications including Skype and GTalk. (See the article published by Economic Times).

The guidelines will supposedly also provide for some basic safeguards to ensure that non-authorized interception does not take place, such as ensuring that the interception is only to be provided by the Chief Nodal Officer of a TSP and only upon the issue of an order by the Home Secretary at the Central or State Government. Furthermore, these requests must only be in written, in untampered and sealed envelopes with no overwriting, etc. and bearing the order number issued by the concerned Secretary, with the date of the order. However, in exigent circumstances the order may be provided by email, provided that the physical copy is sent within two days of the order, else the interception order must be terminated. Inquiry processes are detailed under the new SOP’s which can verify whether the request was in original and addressed to the Nodal Officer and from which designated security agency it was issued, and can also verify the issue of an acknowledgment of compliance of the order by the TSP within two days of its receipt. The new guidelines also clarify the issue of interception of roaming subscribers by the State Government where the subscriber is registered. According to the guidelines, an order by the government of the state where such a caller has registered is sufficient and does not need vetting by the Home Secretary at the centre.

Notwithstanding the additional “safeguards” against unlawful or unauthorized interception, the message to take away from these guidelines is the Government’s continued efforts to expand its surveillance regime to comprehensively monitor every action and every communication at its whim. These requests for monitoring, undertaken by “security agencies” which include taxation agencies and the SEBI, are flawed not merely because of the possibility of “unauthorized” interception, rather because the legal basis of the interception is vague, broad and widely susceptible to misuse, as the recent “snoopgate” allegations against the Gujarat government have shown. (See the article published by the Hindu).

The current regime, based on a wide interpretation of Section 5(2) of the Indian Telegraph Act and the telecom policies of the Department of Telecom, do not have adequate safeguards for preventing misuse by those in power – such as the requirement of reasonable suspicion or a warrant. Without a sound legal basis for interception, which protects the privacy rights of individuals, any additional safeguards are more or less moot, since the real threat of intrusive surveillance and infringing of basic privacy exists regardless of whether it is done under the seal of the Home Secretary or not.

Resources

For more details visit https://cis-india.org/internet-governance/blog/new-standard-operating-procedures-for-lawful-interception-and-monitoring

New rules to ensure due diligence: IT dept

praskrishna — 2011-05-23T06:12:39Z

Facing widespread criticism over new IT rules that put certain amount of liability on intermediaries like Google and Facebook for user-generated content, the government clarified that the rules are simply seeking "due diligence" on the part of websites and web hosts. This news was published in the Times of India on May 11, 2011.

The new rules were notified on April 11. Activists and Internet companies say that the rules are archaic and loosely worded and may lead to harassment of web users and website owners. The Times of India was first to report on the issue on April 27.

The ministry of information and technology said, "The terms specified in the rules are in accordance with the terms used by most of the intermediaries as part of their existing practices, policies and terms of service which they have published on their website."

It also clarified the "department of telecommunication has reiterated that there is no intention of the government to acquire regulatory jurisdiction over content under these rules".

The government has claimed that before it made the rules final, it had sought public comments over the draft. "None of the industry associations and other stakeholders objected to the formulation which is now being cited in some section of media," it claimed.

However, sources told TOI that companies like Google had objected to loose wordings of the documents and asked government not to put any liability on intermediary for user-generated content on the web. "We too approached the government with our concerns. For our communication, we never received any acknowledgment," said Sunil Abraham, executive director at the Centre for Internet and Society (CIS).

"Given the fact that final rules are more or less similar to the draft rules, I can say that nobody in the government took into account the objections raised by CIS and many other organizations," he added.

Google had earlier told TOI that new rules would adversely affect businesses that depend upon online collaboration to prosper. "We believe that a free and open Internet is essential for the growth of digital economy and safeguarding freedom of expression.

If Internet platforms are held liable for third party content, it would lead to self-censorship and reduce the free flow of information," a Google spokesperson said.

Read the original published by the Times of India here

For more details visit https://cis-india.org/news/new-rules-for-due-diligence

New rules leave social media users vulnerable: Experts

Krupa Joseph — 2021-06-14T11:27:53Z

They analyse the implications of the government vs Twitter controversy on individual privacy

The article by Krupa Joseph was published in the Deccan Herald on 10 June 2021. Torsha Sarkar has been quoted.

The government had notified the changes on February 25, and allowed social media companies three months to comply. Twitter and WhatsApp had then separately approached the Delhi High Court against the new regulations, fearing they could compromise user privacy.

On Monday, the court gave Twitter three weeks to file a response to the government’s charge that it had not appointed a grievance officer as claimed.

Vague rules

Karthik Srinivasan, communications consultant, who uses his blog Beast of Traal to comment on social media, says the new rules are “vague and open-ended”.

“Coupled with the fact that we still do not have a data protection law, the rules could be severely misused both by government and private entities,” he says.

Users are particularly vulnerable in a country where anything and everything offends a lot of people, he says.

Law overreach

Torsha Sarkar, researcher with the Centre for Internet and Society, says the rules introduce additional obligations for social media platforms and classify intermediaries.

“Intermediaries with over five million users would have obligations to introduce traceability, instal automated filtering, provide detailed grievance redressal mechanisms, and publish compliance reports detailing action taken on takedown orders,” she says.

While some of these obligations are similar to those laid down internationally, some alterations are causing concern. The traceability requirement, for example, is highly contentious as it would erode user privacy.

“It is also concerning that the user threshold, for a country like India, with such vast Internet usage, is set at a very low level. This means that even smaller social media platforms might becompelled to carry out economically crippling obligations,” she explains.

The legislative overreach is seen in how the initial draft , which only covered entities like Twitter and Facebook, now seeks to cover digital news media and content curators like Netfl ixand Hulu, she says.

Stretching the scope of the legislation this way is undemocratic since it was not subject to any public consultation, she notes.

Case in High Court

Mishi Choudhary, technology lawyer and founder of SFLC.in, a legal services organisation specialising in law, technology and policy, says the IT rules notified by the government are unconstitutional. “In the garb of addressing misinformation and regulating technology companies, the government has been exceeding the powers granted through subordinate legislation and using it for political purposes,” she says. It is on these grounds that the Free and Open Source Software community has challenged the new rules in the Kerala High Court. “Technology companies need regulation but not at the expense of user rights,” she says.

Congress ‘toolkit’ row

A few weeks after social media platforms were asked to take down posts critical of thegovernment’s management of India’s Covid-19 crisis, Twitter once again found itself at thereceiving end. Last week, Twitter labelled a tweet by BJP leader Sambit Patra, accusing theCongress of working with a ‘toolkit, as ‘manipulated media’. Twitter says it gives the label totweets that include media (videos, audio, and images) that are “deceptively altered orfabricated”. The Delhi police then sent a notice to Twitter in connection and asked the micro-blogging site to explain the reasons for assigning the tag. The police also conducted raids onTwitter offices in India. Things escalated when Twitter said the government was intimidating it. The government hit back saying law-making was its privileges, and Twitter, being a social media platform, should not dictate legal policy framework.

New rules

Under the new IT rules, social media companies like Facebook, WhatsApp and Twitter will be responsible for identifying the originator of a flagged message within 36 hours. They also have to appoint a chief compliance officer, a nodal contact person and a resident grievance officer. Failing to comply with these rules would cause the platforms to lose their status as intermediaries, and make them liable for whatever is posted on their platforms.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-krupa-joseph-june-10-2021-new-rules-leave-social-media-users-vulnerable

New rules for govt agencies to ensure security of personal data

praskrishna — 2017-06-07T13:51:29Z

The new rules put the onus on government departments and agencies to safeguard personal data or information held by them.

The article by Komal Gupta was published by Livemint on June 2, 2017.

Government departments handling personal data or information will have to ensure that end-users are made aware of the data usage and collection and their consent is taken either in writing or electronically, according to new guidelines issued by the government for security of personal data. Sensitive personal data such as passwords, financial information (bank account, credit card, debit card and other payment instrument details), medical records and history, sexual orientation, physical and mental health, and biometric information cannot be stored by agencies without encryption, say the guidelines issued by the ministry of electronics and information technology (IT) on 22 May.

The rules put the onus on government departments and agencies to safeguard personal data or information held by them. To be sure, the Information Technology Act 2000 and Aadhaar Act 2016 have laid down most of these rules. The new guidelines seek answers to questions being asked on data protection under the Aadhaar Act. “If agency is storing Aadhaar number or sensitive personal information in database, data must be encrypted and stored. Encryption keys must be protected securely, preferably using Hardware Security Modules (HSMs). If simple spreadsheets are used, it must be password protected and securely stored,” according to the guidelines.

In April, the IT Ministry issued a notification directing all government departments to remove any personal data published on their websites or through other avenues. The guidelines require regular audits to ensure effectiveness of data protection and also call for swift action on any breach of personal data. In cases where an Aadhaar number has to be printed, it should be truncated or masked. The guidelines say only the last four digits of the 12-digit unique identity number can be displayed or printed.

According to a research report issued by Bengaluru-based think tank Centre for Internet and Society on 1 May, four government portals could have made public around 130-135 million Aadhaar numbers and around 100 million bank account numbers.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-2-2017-komal-gupta-new-rules-for-govt-agencies-to-ensure-security-of-personal-data

New regulations in place; Aadhaar Card records to be preserved for 7 yrs by Centre

praskrishna — 2016-10-17T14:46:31Z

UIDAI chief executive office ABP Pandey said that the concerns regarding Aadhar card-related benefits were "exaggerated" and that the agency will keep the records in case any disputes arise in the future.

The article was published in the Financial Express on October 17, 2016. Sunil Abraham was quoted.

As per new regulations, the government will now keep a record for seven years of all services and benefits that are availed using Aadhaar number. Fearing that the database might be used for surveillance, the Unique Identification Authority of India (UIDAI) will preserve the records.

UIDAI chief executive office ABP Pandey said that the concerns regarding Aadhar card-related benefits were “exaggerated” and that the agency will keep the records in case any disputes arise in the future.

Pandey added that the information will be available online for two years and shall be shifted to the offline archives for the next five years. In that case, users will be able to check the records only for two years. However, the rules won’t apply for security agencies and that they will need a district judge’s permission to access the data.

According to HT, the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.

Talking about this Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society said that once Aadhar becomes mandatory, it can be misused to conduct a 360-degree surveillance on any person.

Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.
The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily, reports HT.

Meanwhile, The Unique Identification Authority of India (UIDAI) has launched a drive to enrol any leftover population for Aadhaar in 22 states and UTs that have “statistically” hit 100 per cent coverage for adults.

The ‘Challenge drive’ starts from October 15 for a month, a UIDAI statement said, adding that as of today, over 106.69 crore Aadhaar numbers have been generated across the country.

For more details visit https://cis-india.org/internet-governance/news/financial-express-october-17-2016-new-regulations-in-place-aadhaar-card-records-to-be-preserved-for-7-yrs-by-centre

New Recommendations to Regulate Online Hate Speech Could Pose More Problems Than Solutions

amber — 2018-01-02T03:06:18Z

The T.K. Viswanathan committee’s recommendations could prove to be dangerous for free speech if acted upon without resolving its flaws.

The article was published by Wire on October 14, 2017

It was reported last week that an expert committee headed by T.K. Viswanathan, former secretary general of Lok Sabha, recommended that the Indian Penal Code (IPC), the Code of Criminal Procedure and the Information Technology Act be amended to include stringent penal provisions regarding online hate speech. While this report has not been made public, the Indian Express reported that the committee’s recommendations include, among other things, insertion and expansion of penal provisions in the IPC on ‘incitement to hatred’ (Section 153C) and ‘causing fear, alarm or provocation of violence’ (Section 505A) to include online speech, and creation of the offices of state cyber crime coordinator and district cyber crime cell.

Online hate speech has been among the more complex issues with regard to the regulation of technology. The complexity of restricting hate speech has to do with a number of factors, including the ubiquity of strong opinions in online speech, often offensive to certain groups, the interplay between individual and group rights, and the tensions between the values of dignity, liberty and equality. Siddharth Narrain has pointed out in his thesis on hate speech law that the use of law to curb offensive or hurtful speech has been done by religious groups, caste based groups, occupation based groups with strong caste associations, language groups and gender based groups. The range of actions arising from such uses of the law include the banning of books, criminal proceedings for political satire, or even ‘liking’ political posts on social media.

The relationship between speech acts and acts of violence is a complicated issue with little consensus on appropriate ways to regulate it. Scholars such as Jonathan Maynard have advocated greater reliance on non-legal responses such as counter speech, as the use of criminal law to tackle speech often has the effect of chilling forms of dissent. The formulation and application of legal tests in criminal law with respect to hate speech is also hard as hate speech has much to do with the content of speech as it has to do with the context, including factors such as power structures. Speech by a figure in a position of power also has a greater likelihood to result in a call for violence.

Before looking at the specific recommendations made by the T.K. Viswanathan committee, it would be worthwhile to also look at the background of this committee. The committee notes with approval the Law Commission of India’s 267th report on the issue of hate speech. The Law Commission, in turn, was acting at the behest of observations made by the Supreme Court in Pravasi Bhalai Sangathan v. Union of India in 2014. In this case, the Supreme Court exhibited judicial restraint and refused to frame guidelines prohibiting political hate speech, and had instead requested the Law Commission to look into it. However, the court noted with approval international case law on the issues, particularly the observations in the Canadian case Saskatchewan v. Whatcott. Relying on Whatcott, the Supreme Court provides a definition of hate speech that includes the following statements:

“Hate speech is an effort to marginalise individuals based on their membership in a group. Using expression that exposes the group to hatred, hate speech seeks to delegitimise group members in the eyes of the majority, reducing their social standing and acceptance within society. Hate speech, therefore, rises beyond causing distress to individual group members..[and] lays the groundwork for later, broad attacks on vulnerable that can range from discrimination, to ostracism, segregation, deportation, violence and, in the most extreme cases, to genocide. Hate speech also impacts a protected group’s ability to respond to the substantive ideas under debate, thereby placing a serious barrier to their full participation in our democracy.”

Thus, it is evident that the Supreme Court itself clearly states that hate speech must be viewed through the lens of the right to equality, and relates to speech not merely offensive or hurtful to specific individuals, but also inciting discrimination or violence on the basis of inclusion of individuals within certain groups. It is important to note that it is the consequence of speech that is the determinative factor in interpreting hate speech, more so than even perhaps the content of the speech. This is also broadly reflected in the Law Commission’s report that identifies the status of the author of the speech, the status of victims of the speech, the potential impact of the speech and whether it amounts to incitement as key identifying criteria of hate speech.

However, in the commission’s recommendations, these principles are not fairly represented in the suggested new Sections 153C and 505A, as per a draft released by the Internet Freedom Foundation. Section 505A, for instance, refers to “highly disparaging, indecent, abusive, inflammatory, false or grossly offensive information” and “derogatory information.” These are extremely broad terms, not having any guiding jurisprudence within Indian or international law, which may be helpful in restrictively interpreting them. It is important to note the similarities between this provision and the repealed Section 66A of the Information Technology Act, which sought to criminalise speech that was “grossly offensive,” having “menacing character,” or “causing annoyance..danger..insult..enmity, hatred or ill will.”

These terms in the recommended Section 505A also run foul of the observations of Justice Nariman in Shreya Singhal v. Union of India, where he took exception to the nature of the terms in Section 66A by stating that, “Information that may be grossly offensive or which causes annoyance or inconvenience are undefined terms which take into the net a very large amount of protected and innocent speech.” While these terms are somewhat tempered in this provision with a requirement to show intent to “cause fear of injury or alarm,” they remain exceedingly broad and contrary to the requirement that restrictions on speech must be couched in the narrowest possible terms.

The T.K. Viswanathan committee, in addition, seeks to bring, within the scope of the prospective Sections 153C and 505A, electronic speech. As per its recommendations, ‘means of communication’ would include “any words either spoken or written, signs, visible representations, information, audio, video or combination of both transmitted, retransmitted or sent through any telecommunication service, communication device or computer resource.” This could have the impact of bringing in a provision that has some similar effects as that of the now defunct Section 66A of the Information Technology Act. The lack of regard for the Supreme Court’s observations on hate speech, the need to look at it through the lens of equality and the over-broadness of restrictions on speech are likely to be dangerous for free speech if the recommendations of this committee are acted upon.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-

New privacy Bill more refined & has wider ambit, say experts

praskrishna — 2014-04-03T11:06:51Z

But creates wide exceptions for government agencies.

The article by Surabhi Agarwal was published in the Business Standard on April 2, 2014. CIS welcomes changes in the Bill but is cautious of the wide exceptions.

The government’s latest attempt to draft a privacy Bill is being termed by as a refined one by experts as it expands its ambit.

However, the Bill creates some wide exceptions for law enforcement and intelligence agencies to collect personal information of individuals. The government has made several attempts at drafting a privacy Bill since 2010, with the aim of protecting individuals against data misuse by government or private agencies.

The first draft, released in 2011, extended the Right to Privacy to citizens of India. But, the 2014 version has expanded its ambit to cover all residents of the country. The 2014 Bill also recognises the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India. In contrast, the 2011 Bill did not explicitly recognise the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.

Both the drafts include a list of circumstances under which authorisation for the collection and processing of sensitive personal data is not required. The lists are broadly the same. However, the latest version exempts insurance company and government intelligence agencies collecting or processing data “in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.”

A Bangalore-based Internet think-tank Centre for Internet and Society said it welcomed many changes in the Bill, but were cautious on the wide exceptions.

“The Bill carves out another exception for government agencies, allowing disclosure of sensitive personal data without consent to government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation, including cyber incidents, prosecution and punishment of offences,” the Centre for Internet and Society said in a note analysing the provisions of the Bill.

The privacy Bill was originally conceptualised to ensure the data collected by the government under various new projects such as Aadhaar or the National Information Grid (NATGRID) are not misused in any way. But incidents, such as the tapping of phone conversations involving former lobbyist Niira Radia, prompted the government to expand the ambit of the privacy law from just being a data protection one to also cover surveillance and interception.

However, it was unable to reach a consensus due to inter-ministerial conflicts as the law was superseding various provisions under several existing legislations.

The government also set up a committee under retired Delhi high court judge Ajit P Shah under the aegis of the Planning Commission to study international best practices on privacy and surveillance. This committee filed a report in 2012.

Some additions to the Bill include the term personal identifier, defined by any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.

The Bill has also re-defined sensitive personal data to denote personal data relating to physical and mental health, including medical history, biometric, bodily or genetic information, criminal convictions, password, banking credit and financial data, narco analysis or polygraph test data and sexual orientation.

Once the law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary.

It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.

For more details visit https://cis-india.org/news/business-standard-april-3-2014-surabhi-agarwal-new-privacy-bill-more-refined-has-wider-ambit-say-experts

New movies lose out due to piracy

Admin — 2019-02-02T02:24:42Z

Piracy continues to be a huge concern among filmmakers but it can also be a marketing strategy for small-budget films.

The article by Surupasree Sarmmah was published in Deccan Herald on January 23, 2019. Akriti Bopanna was quoted.

Despite a slew of measures taken by filmmakers, pirated versions of recently released films like ‘Uri: The Surgical Strike’, ‘Viswasam’, ‘KGF’ and ‘Why Cheat India’ were leaked online on websites like TamilRockers. Piracy has been a huge concern for all movie industries in India, national and regional, but experts say that not much can be done when a film is leaked online.

Neville J Kattakayam, author of the book ‘The All Seeing Digital Eyes: A Guide To Privacy, Security and Literacy’, says, “The maximum one can do is to control the servers in a particular jurisdiction. But there are servers in unlikely places — like somewhere out in the sea. These places don’t fall under any jurisdiction, national or international. It becomes impossible to control the servers then.”

Talking about the process of piracy, he explains that once a content is leaked, it mirages into different servers across to the world; not just online but offline too. “There are mirror sites having the same content that are immediately born. Accessibility wise, it’s all out there; there is nothing that one can completely restrict,” he says.

Neville feels that it is largely in the hands of the producers to restrict access to their material until the movie is released. With people usually preferring good quality prints, theatrical replicas are not favoured much, he told Metrolife.

“From what I have heard, the piracy usually happens when the copy is being sent to the censor board. Some intermediate source, who really wants to kill a movie, leaks it from there. That is the real challenge,” says Neville.

Hemanth M Rao, a director, says that when a movie is leaked online, the effort, time and money put in is at stake. “You feel robbed. Most people would want to go to the theatres to watch a film but with incidents of piracy on the rise, the life span of a movie is shortened,” he says.

However, he adds that the audience is beginning to understand the impact piracy has on the movie industry, especially at a time when there is intense competition between regional language industries.

He has a word of praise for the Kannada Film Industry, which he feels is safeguarding interests of the artistes.

“We have a close tie-up with the city police. We monitor where all a film is playing after its release. In case we come to know about any illegal activities, we intimate the police who act swiftly. This way, the access is cut down.”

“Another thing that upsets me is the habit of going live on Facebook while one is at the theatre. I don’t understand what pleasure people get out of it,” he says.

According to a new draft rule, being contemplated by the IT Ministry, host websites will be liable for any illegal content uploaded on their platform. Currently, a website is liable only for unlawful actions; like uploading copyrighted content without permission.

“The Government can block access to the original host of the pirated content if needed however the traction and virality these kinds of content get make it very difficult to contain their spread. It ends up being a blanket ban on sites such as torrent sites where all the content is not illegal yet the site is blocked as a whole,” says Akriti Bopanna, Policy Officer, Centre for Internet and Society.

The time taken for legal recourse doesn’t help either. Though filmmakers can approach the court for a ban on the website or server, the time taken for a legal remedy is way too long. By that time, the same link would have appeared in two or three other websites, says Akriti. “A leaked movie can be easily downloaded and sent to someone instantly.”

She feels that a more effective method than banning a website or a server would be to educate people.

“Not many know about copyright infringement, it is important to spread awareness from the grassroots level. Though we have messages on piracy shown at the start of every movie, these need to be more creative and fun so they will stay in the audience’s minds. Maybe the industry, as a whole, can do this as a community initiative,” she opines.

Small players don’t care much about piracy

Small-budget movies take piracy as a marketing strategy. They feel that once people watch the movie and write reviews, the film will get an overall boost — allowing them to sell more tickets in theatres.

However, major players spend crores on their movies and depend on ticket sales to get back the amount.

Difficult to claim copyright from different websites

Prominent production companies are targeting streaming websites who have uploaded their movies, citing copyright issues. However, floating websites like citytorrents and TamilRockers keep changing their domain name and it becomes impossible to counter them.

-Neville J Kattakayam

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-surupasree-sarmmah-january-23-2019-new-movies-lose-out-due-to-piracy

New Media, personalisation and the role of algorithms

amber — 2017-01-16T07:20:52Z

In his much acclaimed book, The Filter Bubble, Eli Pariser explains how personalisation of services on the web works and laments that they are creating individual bubbles for each user, which run counter to the idea of the Internet as an inherently open place. While Pariser’s book looks at the practices of various large companies providing online services, he briefly touches upon the role of new media such as search engines and social media portals in new curation. Building upon Pariser’s unexplored argument, this article looks at the impact of algorithmic decision-making and Big Data in the context of news reporting and curation.

Everything which bars freedom and fullness of communication sets up barriers that divide human beings into sets and cliques, into antagonistic sects and factions, and thereby undermines the democratic way of life. —John Dewey

Eli Pariser, in his book, The Filter Bubble,[1] refers to the scholarship by Walter Lippmann and John Dewey as integral to the evolution of the understanding of the democratic and ethical duties of the Fourth Estate. Lippmann was disillusioned by the role of newspapers in propaganda for the First World War. He responded with three books in quick succession — Liberty and the News,[2] Public Opinion[3] and The Phantom Public.[4] Lippmann brought attention the fact that the process of news-reporting was conducted through privately determined and unexamined standards. The failure of the Fourth Estate to perform its democratic functions, was, in the opinion of Lippmann, one of the prime factors responsible for the public not being an informed and rational entity. John Dewey, while rejecting Lippmann’s arguments that matters of public policy can only be determined by inside experts with training and education, did acknowledge the his critique of the media.

Pariser points to the creation of a wall between editorial decisionmaking and advertiser interests, as the eventual result of the Lippmann and Dewey debate. While accepting that this division between the financial and reporting sides of media houses has not been always observed, Pariser emphasises that the fact that the standard exists is important.[5] Unlike traditional media, the new media which relies on algorithmic decision-making for personalisation is not subject to the same standards which try to mitigate the influence of commercial interests on editorial decisions while performing many of the same functions as the traditional media.[6]

How personalisation algorithms work

Kevin Slavin, at his famous talk in the TEDGLobal Conference, characterised algorithms as “maths that computers use to decide stuff” and that it was infiltrating every aspect of our lives.[7] According to Slavin’s view, algorithms can be seen as control technologies and shape our world constantly through media and information systems, dynamically modifying content and function through these programmed routines. Search engines and social media platforms perpetually rank user-generated content through algorithms.[8]

Personalisation technologies have various advantages. It translates into more relevant content, which for service providers means more clicks and revenue and for consumer, less time spent on finding the content.[9] However, it also leads to privacy compromise, lack of control and reduced individual capability.[10] Search engines like Google use the famous PageRank algorithm, which combined with geographical location and previous searches yields most relevant search results.[11] PageRank algorithm uses various real time variables dependent on both voluntary and involuntary user inputs. These variables include number of clicks, number of occurrences of the key terms and number of references by other credible pages etc. This data in turn determines the order of pages in search results and influences the way we perceive, understand and analyse information.[12] Maps showing real time traffic information retrieve data from laser and infrared sensors alongside the road and from information from devices of users. Once this real time data is combined with historical trends, these maps recommend rout to every user, hence influencing the traffic patterns.[13]

Even though this phenomenon of personalization may appears to be new, it has been prevalent in the society for ages.[14] The history of mass media culture clearly shows personalization has always been a method to increase market, market reach and customer satisfaction.[15] Newspapers have sections dedicated to special topics, radio and TV have channels dedicated to different interest groups, age groups and consumers.[16] These personalised sections in a newspaper and personalised channels on radio and television don’t just provide greater satisfaction to the readers or listeners or consumers, they also provide targeted advertisement space for the advertisers and content developers. However, digital footprints and mass collection of data have made this phenomenon much more granular and detailed. Geographical location of an individual can tell a lot about their community, their culture and other important traits local to a community.[17] This data further assists in personalisation. Current developments in technology not only help in better collection of data about personal preferences but also help in better personalisation.

Pariser mentions three ways in which the personalization technologies of this day are different from those of the past. First, for the very first time, individuals are alone in the filter bubble. While in traditional forms of personalisation, there were various individuals who shared the same frame of reference, now there is a separate sets of filters governing the dissemination of content to each individual.[18] Second, the personalisation technologies are entirely invisible now, and there is little that consumers can do to control or modify them.[19] Third, often the decision to be subject to these personalisation technologies is not an informed choice. A good example of this would be an individual’s geographical location.[20]

The neutrality of New Media?

More and more, we have noticed personalisation technologies having an impact on how we consume news on the Internet. Google News, Facebook’s News Feed which tries to put together a dynamic feed for both personal and global stories, and Twitter’s trending hashtag feature, have brought forward these services are key drivers of an emerging news ecosystem. Initially, this new media was hailed as a natural consequence of the Internet which would enable greater public participation, allow journalists to find more stories and engage with the readers directly. An illustration of the same could be seen in the way Internet based news media and social networking websites behaved in the aftermath of Israel’s attacks on a United Nations run school in Gaza strip. While much of the international Internet media covered the story, Israel’s home media did not cover the story. The only exception to this was the liberal Israeli news website Ha’aretz.[21] Network graph details of Twitter, for a few days immediately after the incident clearly show the social media manifestation of the event in the personalised cyberspace. It is clearly visible that when most of the word was re-tweeting news of this heinous act of Israel, Israeli’s hardly re-tweeted this news. In fact they were busty re-tweeting the news of rocket attacks on Israel.[22]

The use of social media in newsmaking was hailed by many scholars as symptomatic of the decentralisation characteristic of the Internet. It has been seen as movement towards greater grassroots participation by negating the ‘gatekeeping’ role traditionally played by editors. Thomas Poell and José van Dijck punch holes in theory of social media and other online technologies as mere facilitators of user participation and translators of user preferences through Big Data analytics.[23] They quote T. Gillespie’s work which talks of the narrative of these online services as platforms which are “open, neutral, egalitarian and progressive support for activity.”[24]

Pedro Domingos calls the overwhelming number of choices as the defining problem of the information age, and machine learning and data analytics as the largest part of this solution.[25] The primary function of algorithmic decision making in the context of consumption of content is to narrow down the choices. Domingos is more optimistic about the impact of these technologies, and he says “last step of the decision is usually still for humans to make, but learners intelligently reduce the choices to something a human can manage.”[26] On the other hand, Pariser is more circumspect about the coercive result of machine learning algorithms. Whichever way we lean, we have to accept that a large part of personalisation algorithms is to select and prioritize content by categorising it on the basis of relevance and popularity.

Poell and van Dijck call this a new knowledge logic which in effect replaces human judgement (as, earlier exercised by editors) to some kind of proxy decisionmaking based on data. Their main thesis is that there is little evidence to suggest that the latter is more democratic than former and creates new problems of its own. They go on to compare the practices of various services including Facebook’s new graph and Twitter’s trending topic, and conclude that they prioritise breaking news stories over other kinds of content.[27] For instance, the algorithm for the trending topics depends not on the volume but the velocity of the tweets with the hashtag or term. It could be argued that given this predilection, the algorithms will rarely prefer complex content. If we go by Lippmann and Dewey’s idea that the role of the Fourth Estate is to inform public debate and accountability of those in positions of power, this aspect of Big Data algorithms does not correspond with this role.

Quantified Audience

Another aspect of use of Big Data and algorithms in New Media that requires attention is that the networked infrastructure enables a quantified audience. C W Anderson who has studied newsroom practices in the US looked at role played by audience quantification and rationalization in shifting newswork practices. He concluded that more and more, journalists are less autonomous in their news decisions and increasingly reliant on audience metrics as a supplement to news judgment.[28] Poell and van Dijck review the the practices by some leading publications such a New York Times, L.A. Times and Huffington Post, and degree to which audience metrics dictates editorial decisions. While New York Times seems to prioritise content on their social media portals based on expectation of spike in user traffic, L.A. Times goes one step further by developing content specifically aimed towards promoting greater social participation. Neither of these practices though compare to the reliance on SEO and SMO strategies of web-born news providers like Huffington Post. They have traffic editors who trawl the Internet for trending topics and popular search terms, the feedback from them dictates the content creation.[29]

Conclusion

The above factors demonstrate that the idea of New Media leading to the Fourth Estate performing its democratic functions does not take into account the actual practices. This idea is based on the erroneous assumption that technology, in general and algorithms, in particular are neutral. While the emergence of New Media might have reduced the gatekeeping role played by the editors, its strong prioritisation of content that will be popular reduce the validity of arguments that it leads to more informed public discussion. As Pariser said, the traditional media scores over the New Media inasmuch as there is an existence of a standard of division between editorial decisionmaking and advertiser interest. While this standard is flouted by media houses all the time, it exists as a metric to aspire to and measure service providers against. The New Media performs many of the same functions and maybe it is time to evolve some principles and ethical standards that take into account the need for it to perform these democratic functions.

Endnotes

^{^[1]} Eli Pariser, The Filter Bubble: What the Internet is hiding from you (The Penguin Press, New York, 2011)

[2] Walter Lippmann, Liberty and News (Harcourt, Brace and Howe, New York 1920) available athttps://archive.org/details/libertyandnews01lippgoog

^{^[3]} Walter Lippmann, Public Opinion (Harcourt, Brace and Howe, New York 1920) available at http://xroads.virginia.edu/~Hyper2/CDFinal/Lippman/cover.html

^{^[4]} Walter Lippmann, The Phantom Public (Transaction Publishers, New York, 1925)

^{^[5]} Supra Note 1 at 35.

^{^[6]} Supra Note 1 at 36.

^{^[7]} https://www.ted.com/talks/kevin_slavin_how_algorithms_shape_our_world/transcript?language=en

^{^[8]} Fenwick McKelvey, “Algorithmic Media Need Democratic Methods: Why Publics Matter”, available at http://www.fenwickmckelvey.com/wp-content/uploads/2014/11/2746-9231-1-PB.pdf.

^{^[9]} http://mashable.com/2011/06/03/filters-eli-pariser/#9tIHrpa_9Eq1

^{^[10]} Helen Ashman, Tim Brailsford, Alexandra Cristea, Quan Z Sheng, Craig Stewart, Elaine Torns and Vincent Wade, “The ethical and social implications of personalization technologies for e-learning” available at http://www.sciencedirect.com/science/article/pii/S0378720614000524.

^{^[11]} Sergey Brin and Lawrence Page, “The Anatomy of a Large-Scale Hypertextual Web Search Engine” available at http://infolab.stanford.edu/pub/papers/google.pdf.

^{^[12]} Ian Rogers, “The Google Pagerank Algorithm and How It Works” available at http://www.cs.princeton.edu/~chazelle/courses/BIB/pagerank.htm.

^{^[13]} Trygve Olson and Terry Nelson, “The Internet’s Impact on Political Parties and Campaigns”, available at http://www.kas.de/wf/doc/kas_19706-544-2-30.pdf?100526130942.

^{^[14]} Ian Witten, “Bias, privacy and and personalisation on the web”, available at http://www.cs.waikato.ac.nz/~ihw/papers/07-IHW-Bias,privacyonweb.pdf.

^{^[15]} Supra Note 1 at 10.

^{^[16]} https://www.americanpressinstitute.org/publications/reports/survey-research/social-demographic-differences-news-habits-attitudes/

^{^[17]} Charles Heatwole, “Culture: A Geographical Perspective” available at http://www.p12.nysed.gov/ciai/socst/grade3/geograph.html.

^{^[18]} Supra Note 1 at 10.

^{^[19]} Id.

^{^[20]} Supra Note 1 at 11.

^{^[21]} Paul Mason, “Why Israel is losing the social media war over Gaza?” available at http://blogs.channel4.com/paul-mason-blog/impact-social-media-israelgaza-conflict/1182.

^{^[22]} Gilad Lotan, Israel, Gaza, War & Data: Social Networks and the Art of Personalizing Propaganda available at www.huffingtonpost.com/entry/israel-gaza-war-social-networks-data_b_5658557.html

^{^[23]} Thomas Poell and José van Dijck, “Social Media and Journalistic Independence” in Media Independence: Working with Freedom or Working for Free?, edited by James Bennett & Niki Strange. (Routledge, London, 2015)

^{^[24]} T Gillespie, “The politics of ‘platforms,” in New Media & Society (Volume 12, Issue 3).

^{^[25]} Pedro Domingos, The Master Algorithm: How the quest for the ultimate learning machine will re-make the world (Basic Books, New York, 2015) at 38.

^{^[26]} Ibid at 40.

^{^[27]} Supra Note 23.

^{^[28]} C W Anderson, Between creative and quantified audiences: Web metrics and changing patterns of newswork in local US newsrooms, available at https://www.academia.edu/10937194/Between_Creative_And_Quantified_Audiences_Web_Metrics_and_Changing_Patterns_of_Newswork_in_Local_U.S._Newsrooms

^{^[29]} Supra Note 23.

For more details visit https://cis-india.org/internet-governance/new-media-personalisation-and-the-role-of-algorithms

New Lock For EU’s Digital Mines

Admin — 2018-03-17T13:10:52Z

Indian companies dealing with European data wait anxiously as the EU pushes in new security rules

The article by Arindam Mukherjee was published in the Outlook in March 26, 2018 issue. Elonnai Hickok was quoted.

Pretty soon, Indian companies, especially those associated with European companies, will have to walk that extra mile to protect personal data. Come May 25, the European Union (EU) will enact a new set of regulations, called the General Data Protection Regulation (GDPR), which will impose stringent conditions for personal data protection and privacy laws.

What’s more, any violation of or non-compliance with the new regulations will attract the strictest of penalties and fines. On an average, the new regulations call for up to 4 per cent of a company’s global revenue as penalty.

With the already huge and rapidly expanding field of big data play across companies and industries, data protection has come under the limelight and many countries are talking in terms of putting in place stringent rules for personal data protection. The EU will be the first off the block with GDPR, which comes into effect in less than three months. It is expected that following the EU’s example, similar regulations will start coming up in other countries as well.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU and its regulations will cover all EU member states and citizens. Accordingly, all companies operating in the EU and having customers there, or even having work outsourced from the EU which involves its citizens’ personal data, will have to fall in line and comply.

The rules under GDPR will be relevant for businesses collecting, processing, storing, and sharing data of EU data subjects. This would include all businesses located in India providing services directly or indirectly to EU data subjects, as well as Indian companies with a presence in Europe.

This has put a lot of Indian IT and ITES companies in a bind given that few Indian companies are in a position to comply with the new GDPR rules and regulations within the given deadline. GDPR necessitates that adequate steps have to be taken to secure EU data wherever it is stored or processed.

At present, India does not have any data privacy law. However, the government has set up a committee of experts under former Supreme Court Justice B.N. Srikrishna to look into matters related to data protection and privacy in the country. The committee has so far come up with a draft protection bill. But it is unlikely that the committee will be able to come out with its final report before the GDPR deadline of May 25.

Huzefa Goawala, who heads GRC, India & SAARC, RSA, says the impact of GDPR will be heavy on India. “A sizeable chunk of Indian companies operate out of the EU including IT/ITeS, manufacturing, financial services and telecom companies,” he adds. “The GDPR will apply to personally identifiable information and internal facing data and external facing data, and organisations will have to protect data on all these fronts. Unfortunately, very few organisations have taken measures to become GDPR compliant at the ground level and are waiting for others to make a move. Larger, tier 1 organisations are in a consultation mode at the moment and are in a preliminary stage of compliance.”

According to Ernst & Young’s forensic data analytics survey (2018) done among Indian companies, 60 per cent of Indian respondents are still not familiar with the GDPR, while only a little over 23 per cent have heard of it but have done nothing about it. “This puts India in a precarious position, especially because it takes time for a company to prepare for GDPR compliance, which involves identifying where all the data resides and taking measures to safeguard it,” says Mukul Shrivastava, partner, Fraud Investigation and Dispute Services, Ernst & Young. “Many large IT-ITeS companies have secure servers in the EU or on cloud. But a lot of EU data processing is either done in India or is outsourced to India. That data needs to be protected under the GDPR.”

Experts say that under GDPR, a company will have to report any breach of data security within 72 hours. In case it fails to do so, stiff penalties will be imposed. With GDPR, the EU wants to stress on how important personally identifiable information is and see what companies are doing to protect it. It calls for deployment of ground level technologies by companies to ensure data security.

To ensure full compliance under GDPR will be a difficult task. “It is not possible to check 100 per cent compliance,” says Vijayshankar Na, cyber law and international information security expert. “There can be multiple versions of personal data in a process. To tap this data and see where all it is flowing in the system will be the toughest part under GDPR. Companies will have to identify all this in order to protect data.”

To help Indian companies, India’s IT representative body Nasscom has sought a “data secure” status for its companies from the EU. The EU has given a similar status to American companies, which ensures some concessions for them. Indian companies would be entitled to similar concessions under GDPR if they get the data secure status. But a decision on this is yet to come.

“As India has not attained data secure status, the collection, processing, storing, and sharing of EU data subjects by Indian companies will continue to be through ‘binding corporate rules’,” says Elonnai Hickok, chief operating officer, CIS (Centre For Internet and Society), Bangalore. “Though GDPR will affect any company handling EU data, the IT sector in India could potentially be impacted the most given the amount of business that it does and potentially could do with the region. For instance, a Deloitte report has estimated the outsourcing opportunity of the Indian IT industry with Europe at $45 billion.”

Hickok says India’s legal regime around privacy, consisting primarily of section 43A of the IT Act and associated rules, has not been found to be data secure by the EU in past assessments. This means that unless practices are guided by binding corporate rules, the standard of practice in India is lower than required by the previous Data Protection Directive (1995) as well as the GDPR. Some of the potentially challenging requirements in the GDPR will include the requirement for reporting breaches, new standards for consent, ensuring the rights of data subjects including access and correction, portability, erasure and deletion, the right to objection, and, if the need arises, the right to request human intervention in automated decisions.

What could also hit Indian companies is that the cost of GDPR compliance will be high—there will be costs related to human capital, periodic updates, IT infrastructure around the data (both hardware and software) and setting up cyber security and incident response programs.

“Europe is an important market for Indian companies,” says Vinayak Godse, senior director, Data Security Council of India (DSCI). “This heightened threshold of privacy may lead to some top line compromise for Indian IT companies. The compliance burden is also bound to increase. The small and mid-size companies looking at the EU as a market may struggle to comply with the new rules.”

The Indian government is trying to bring some order vis a vis data privacy and the Justice Srikrishna panel is expected to expedite the process. “The Government of India is currently developing a national data protection framework, following the Supreme Court judgment of August 2017 recognising an individual’s privacy as a fundamental right,” says Keshav Dhakad, director & assistant general counsel, corporate, External & Legal Affairs, Microsoft India. “The coming of GDPR will help galvanise the discussion in countries outside of Europe and in India.”

As of now though, there is a lot of confusion and Indian companies, staring at a tight deadline, are under stress. If they can speed up the process and comply, they will be safe, but if they fail, they could lose business in one of India’s most promising markets.

For more details visit https://cis-india.org/internet-governance/news/outlook-march-26-2018-new-lock-for-eu-digital-mines