We are anonymous, we are legion

Decrypting Automated Facial Recognition Systems (AFRS) and Delineating Related Privacy Concerns

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:01:48Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the first of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The use of aggregated Big Data by governments has the potential to exacerbate power asymmetries and erode civil liberties like few technologies of the past. In order to guard against the aggressive aggregation and manipulation of the data generated by individuals who are branded as suspect, it is critical that our firmly established constitutional rights protect human dignity in the face of this potential erosion.

The increasing ubiquity of Automated Facial Recognition Systems (AFRS) serve as a prime example of the rising desire of governments to push fundamental rights to the brink. With AFRS, the core fundamental right in question is privacy, although questions have been posed regarding the potential violation of other related rights, such as the Right to Equality and the Right to Free Speech and Expression, as well.

There is a rich corpus of literature, (see here, here and an excellent recent paper by Smriti Parsheera here) from a diverse coterie of scholars that call out the challenges posed by AFRS, particularly with respect to its proportionality as a restriction over the right to privacy. Our contribution to this discourse focuses on a very specific question around a ‘reasonable expectation of privacy’ — the standard identified for the protection of privacy in public spaces across jurisdictions, including in India. This is because at this juncture, the precise nature of the AFRS which will eventually be used and the regulations it will be subject to are not clear.

In Retd. K.S Puttaswamy (Retd.) v. Union of India: Justice Chandrachud (Puttaswamy I), the Indian Supreme Court was concerned with the question whether there exists a fundamental right to privacy under the Indian Constitution. A nine-judge bench of the Court recognized that the right to privacy is a fundamental right implicit inter alia in the right to life within Article 21 of the Constitution.

The right to privacy protects people and not places. Every person is entitled, however, to a reasonable expectation of privacy. The expectation of privacy must be twofold. First, the person must prove that the alleged act could inflict some harm. Such harm must be real and not be speculative or imaginary. Second, society must recognize this expectation as reasonable. The test of reasonable expectations is contextual, i.e., the extent to which it safeguards privacy depends on the place at which the individual is.

In order to pass any constitutional test, therefore, AFRS must satisfy the ‘reasonable expectation’ test articulated in Puttaswamy. However, in this context, the test itself has multiple contours. Do we have a right to privacy in a public place? Is AFRS collecting any data that specifically violates a right to privacy? Is the aggregation of that data a potential violation?

After providing a brief introduction to the use cases of AFRS in India and across the world, we embark upon answering all these questions.

Primer on Automated Facial Recognition Systems (AFRS)

Facial recognition is a biometric technology that utilises cameras to match stored or live footage of individuals (including both stills and moving footage) with images or video from an existing database. Some systems might also be used to analyze broader demographic trends or conduct sentiment analysis through crowd scanning.

While the use of photographs and video footage have been core components of police investigation, the use of algorithms to process vast tracts of Big Data (characterized by ‘Volume, Velocity, and Variety), and compare disparate and discrete data points allows for the derivation of hitherto unfeasible insights on the subjects of Big Data.

The utilisation of AFRS for law enforcement is rapidly spreading around the world. A Global AI Surveillance Index compiled by the Carnegie Endowment for International Peace found that at least sixty-four countries are incorporating facial recognition systems into their AI surveillance programs.

Chinese technology company Yitu has entered into a partnership with security forces in Malaysia to equip police officers with facial recognition body cameras that, powered by enabling technologies, would allow a comparison of images caught by the live body cameras with images from several central databases.

In England and Wales, London Metropolitan Police, South Wales Police, and Leicestershire Police are all in the process of developing technologies that allow for the identification and comparison of live images with those stored in a database.

The technology is being developed by Japanese firm NEC and the police force has limited ability to oversee or modify the software, given its proprietary nature. The Deputy Chief of South Wales Police stated that “the tech is given to [them] as a sealed box… [and the police force themselves] have no input – whatever it does, it does what it does.”

In the US, Baltimore’s police set up facial recognition cameras to track and arrest protestors — a system that reached its zenith during the 2018 riots in the city.

It is suspected that authorities in Hong Kong are also using AFRS to clamp down on the ongoing pro-democracy protests.

In India, the Ministry of Home Affairs, through the National Crime Records Bureau put out a tender for a new AFRS, whose stated objective is to “act as a foundation for national level searchable platform of facial images.” The AFRS will pull facial image data from CCTV feeds and compare these with existing records across databases including the Crime and Criminal Tracking Networks and Systems (CCTNS), Inter-operable Criminal Justice System (or ICJS), Immigration Visa Foreigner Registration Tracking (IVFRT), Passport, Prisons and state police records.

Plans are also afoot to integrate this with the yet to be deployed National Automated Fingerprint Identification System (NAFIS), thereby creating a multi-faceted surveillance system.

Despite raising eyeballs due to its potential all-pervasive scope, this tender is not the first instance of AFRS being used by Indian authorities. Punjab Police, in partnership with Gurugram-based start-up Staqu has launched and commenced implementation of the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on a suspected criminal and essentially tracks their public whereabouts, which poses potential constitutional questions.

This was published by AI Policy Exchange.

For more details visit https://cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns

Extra-Territorial Surveillance and the Incapacitation of Human Rights

Arindrajit Basu — 2020-01-02T11:02:26Z

This paper was published in Volume 12 (2) of the NUJS Law Review.

Our networked data trails dictate, define, and modulate societies in hitherto inconceivable ways. The ability to access and manipulate that data is a product of stark power asymmetry in geo-politics, leading to a dynamic that privileges the interests of a few over the right to privacy and dignity of the many. I argue that the persistent de facto violation of human rights norms through extraterritorial surveillance conducted by western intelligence agencies, compounded by the failure of judicial intervention in the West has lead to the incapacitation of international human rights law. Despite robust jurisprudence including case law, comments by the United Nations, and widespread state practice on the right to privacy and the application of human rights obligations to extraterritorial stakeholders, extraterritorial surveillance continues with aplomb. Procedural safeguards and proportionality tests regularly sway towards a ‘ritual incantation’ of national security even in scenarios where a less intrusive option is available. The vulnerable citizen abroad is unable to challenge these processes and becomes an unwitting victim of nefarious surveillance practices that further widens global power asymmetry and entrenches geo-political fissures.

The full article can be found here.

For more details visit https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights

ICANN takes one step forward in its human rights and accountability commitments

Akriti Bopanna and Ephraim Percy Kenyanito — 2019-12-19T11:35:16Z

Akriti Bopanna and Ephraim Percy Kenyanito take a look at ICANN's Implementation Assessment Report for the Workstream 2 recommendations and break down the key human rights considerations in it. Akriti chairs the Cross Community Working Party on Human Rights at ICANN and Ephraim works on Human Rights and Business for Article 19, leading their ICANN engagement.

The article was first published on Article 19 on December 16, 2019

ICANN is the international non-profit organization that brings together various stakeholders to create policies aimed at coordinating the Domain Name System. Some of these stakeholders include representatives from government, civil society, academia, the private sector, and the technical community.

During the recently concluded 66th International Meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Montreal (Canada); the ICANN board adopted by consensus the recommendations contained within the Work Stream 2 (WS2) Final Report. This report was generated as part of steps towards accountability after the September 30th 2016 U.S. government handing over of its unilateral control over ICANN, through its previous stewardship role of the Internet Assigned Names and Numbers Authority (IANA).

The Workstream 2 Recommendations on Accountability are seen as a big step ahead in the incorporation of human rights in ICANN’s various processes, with over 100 recommendations on aspects ranging from diversity to transparency. An Implementation Team has been constituted which comprises the Co-chairs and the rapporteurs from the WS2 subgroups. They will primarily help the ICANN organization in interpreting recommendations of the groups where further clarification is needed on how to implement the same. As the next step, an Implementation Assessment Report has recently been published which looks at the various resources and steps needed. The steps are categorized into actions meant for one of the 3; the ICANN Board, Community and the ICANN organization itself. These will be funded by ICANN’s General Operating Fund, the Board and the org.

The report is divided into the following 8 issues: 1) Diversity, 2) Guidelines for Good Faith, 3) Recommendations for a Framework of Interpretation for Human Rights, 4) Jurisdiction of Settlement of Dispute Issues, 5) Recommendations for Improving the ICANN Office of the Ombudsman, 6) Recommendations to increase SO/ AC Accountability, 7) Recommendations to increase Staff Accountability and 8) Recommendations to improve ICANN Transparency.

This blog will take a look at the essential human rights related considerations of the report and how the digital rights community can get involved with the effectuation of the recommendations.

Diversity

The core issues concerning the issue of diversity revolve around the need for a uniform definition of the parameters of diversity and a community discussion on the ones already identified; geographic representation, language, gender, age, physical disability, diverse skills and stakeholder constituency. An agreed upon definition of all of these is necessary before its Board approval and application consistently through the various parts of ICANN. In addition, it is also required to formulate a standard template for diversity data collection and report generation. This sub group’s recommendations are estimated to be implemented in 6-18 months. Many of the recommendations need to be analyzed for compliance with the General Data Protection Regulation (GDPR) such as collecting of information relating to disability. For now, the GDPR is only referenced with no further details on how steps considered will either comply or contrast the law.

Good faith Guidelines

The Empowered Community (EC) which includes all the Supporting Organizations, At-Large-Advisory-Committee and Government Advisory Council, are called upon to conceptualize guidelines to be followed when individuals from the EC are participating in Board Removal Processes. Subsequent to this, the implementation will take 6-12 months.

Framework of Interpretation for Human Rights

Central to the human rights conversation and finally approved, is the Human Rights Framework of Interpretation. However the report does not give a specific timeline for its implementation, only mentioning that this process will take more than 12 months. The task within this is to establish practices of how the core value of respecting human rights will be balanced with other core values while developing ICANN policies and execution of its operations. All policy development processes, reviews, Cross Community Working Group recommendations will need a framework to consider and incorporate human rights, in tandem with the Framework of Interpretation. It will also have to be shown that policies and recommendations sent to the Board have factored in the FOI.

Transparency

The recommendations focus on the following four key areas as listed below:
1. Improving ICANN’s Documentary Information Disclosure Policy (DIDP).
2. Documenting and Reporting on ICANN’s Interactions with Governments.
3. Improving Transparency of Board Deliberations.
4. Improving ICANN’s Anonymous Hotline (Whistleblower Protection).

The bulk of the burden for implementation is put on ICANN org with the community providing oversight and ensuring ICANN lives up to its commitments under various policies and laws. Subsequent to this, the implementation will take 6-12 months.

How the ICANN community can contribute to this work

This is a defining moment on the future of ICANN and there are great opportunities for the ICANN multistakeholder community to continue shaping the future of the Internet. Some of the envisioned actions by the community include:

monitoring and assessing the performance of the various ICANN bodies, and acting on the recommendations that emerge from those accountability processes. This will only be done through collaborative formulation of processes and procedures for PDPS, CCWGs etc to incorporate HR considerations and subsequently implementation of the best practices suggested for improving SO/ACs accountability and transparency;
conducting diversity assessments to inform objectives and strategies for diversity criteria;
supporting contracted parties through legal advice for change in their agreements when it comes to choice of law and venue recommendations;
contributing to conversations where the Ombudsman can expand his/her involvement that go beyond current jurisdiction and authority

For more details visit https://cis-india.org/internet-governance/blog/article-19-akriti-bopanna-and-ephraim-percy-kenyanito-december-16-2019-icann-takes-one-step-forward-in-its-human-rights-and-accountability-commitments

Call for Comments: Model Security Standards for the Indian Fintech Industry

pranav — 2019-12-16T13:16:25Z

The Centre for Internet and Society is pleased to make available the Draft document of Model Security Standards for the Indian Fintech Industry, for feedback and comments from all stakeholders. The objective of this document which was first published in November 2019, is to ensure that the data of users is dealt with in a secure and safe manner by the Fintech Industry, and that smaller businesses in the Fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches.

We invite any parties interested in the field of technology policy, including but not limited to lawyers, policy researchers, and engineers, to send in your feedback/comments on the draft document by the 16th of January 2020. We intend to publish our final draft by the end of January 2020. We look forward to receiving your contributions to make this document more comprehensive and effective. Please find a copy of the draft document here.

For more details visit https://cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry

IETF106

Admin — 2019-12-15T06:14:02Z

Gurshabad Grover participated at IETF106, which was held in Singapore 16-22 November, 2019.

In the meeting of the Human Rights Protocol Considerations (hrpc) research group, I presented an update to draft-irtf-hrpc-guidelines-03 (Guidelines for Human Rights Protocol and Architecture Considerations), which is an Internet Draft adopted by the hrpc rg that he is co-editing with Niels ten Oever. More info here.

Among other working/research group meetings, I participated theTransport Layer Security (tls) and the Privacy Enhancements and Assessments research group (pearg) sessions. I also participated inseveral side meetings, including the Public Interest Technology Group(pitg) meeting.

Agenda for the IETF and the different WGs/RG can be found on the IETF website.

For more details visit https://cis-india.org/internet-governance/news/ietf106

Stakeholder Consultation on Digital Assets for Women’s Economic Empowerment | UN Women + SEWA

Admin — 2020-04-07T13:14:40Z

On December 06, 2019, Ambika Tandon and Aayush Rathi participated in a "Stakeholder Consultation on Digital Assets for Women’s Economic Empowerment: Addressing Barriers and Enhancing Opportunities for Women in Informal Economy and in Agriculture".

Aayush and Ambika participated upon the invite of UN Women and Self Employed Women's Association (SEWA), who were the organisers of the consultation. The consultation was from 9:30 am to 4:30 pm on 6th December, 2019 at the Claridges Hotel, New Delhi.

Former UN Secretary-General Mr. Ban Ki Moon established the UN High-Level Panel on Women’s Economic Empowerment (UNHLP-WEE) to make action oriented recommendations on how to improve economic outcomes for women in the context of the Sustainable Development Agenda 2030.The panel submitted its final report to the UN Secretary General in 2017, identifying seven drivers for women’s economic empowerment and laying out concrete actions for accelerating progress towards women’s full and equal economic participation.

In February 2019, SEWA Bharat and UN Women had organized a National consultation on “Taking Action Towards Transformative Change for Women in the Informal Sector in India” in India with civil society organizations, researchers, philanthropists and international organizations to prioritize action on the drivers for women’s economic empowerment in the context of India. Four drivers, amongst seven, were prioritized through the consultative process. Driver 4 on Building Assets – Digital, Financial and Property is one of the critical drivers for Women’s Economic Empowerment in India and has been prioritized for the first stakeholder consultation in the roadmap development process to contextualize the recommendation of HLP in the Indian context.

The primary objectives, then, of this consultation were as follows:

To provide a platform for sharing of experiences in research, programming and policy to ensure digital assets for women in the informal economy and in agriculture;
To identify proven and promising practices in this regard;
To develop an action agenda including identification of areas for research, programming and policy to reduce the gender digital divide.

*Detailed agenda*

Download the detailed agenda here.

*Participation*

At the consultation, Aayush contributed to the breakout group on DBT while Ambika contributed to the one on employment. The consultation led to rich discussions as on-ground experiences and learning from implementation programs were shared widely to devise a roadmap and policy recommendations.

For more details visit https://cis-india.org/internet-governance/news/stakeholder-consultation-on-digital-assets-for-women2019s-economic-empowerment-un-women-sewa

Power over privacy: New Personal Data Protection Bill fails to really protect the citizen’s right to privacy

Nikhil Pahwa — 2019-12-15T05:57:31Z

Nikhil Pahwa throws light on the new personal data protection bill.

The article by Nikhil Pahwa was published in the Times of India on December 12, 2019. CIS report was mentioned.

Earlier this year, in April, a data breach in the Election Commission of Philippines led to the leakage of personal information of over 55 million eligible voters on a searchable website: including names, addresses and date of birth. This was not the first data breach from the Election Commission. After the first, which took place in March 2016, where 340 GB of voter data was published online by a group of hackers called LulzSec Pilipinas, the National Privacy Commission of Philippines found that the Election Commission had violated the Data Privacy Act of 2012, and recommended criminal prosecution of its chairman, finding him liable when the agency failed to dispense its duty as a “personal information controller”.

It’s 2019, and that recommendation has still not been acted upon, because the National Privacy Commission of Philippines only has recommendatory powers for criminal prosecution. Meanwhile, data breaches continue at the Election Commission of Philippines.

Between 2017 and 2018, Aadhaar related personally identifiable data of several Indian citizens, including names, addresses, bank account numbers, in some cases pregnancy information and even religion and caste information of individuals, was published online by Indian government departments. The Centre for Internet and Society, in a report, estimated that personally identifiable data for 130-135 million Indian citizens had been leaked, thus putting them at risk. 210 government websites had made Aadhaar related data public, UIDAI confirmed in response to an RTI in 2017.

No one was held liable. There was no data protection law, no data protection authority, no criminal prosecution was recommended. Around that time, the Indian government was instead arguing in the Supreme Court that privacy isn’t a fundamental right under the Indian Constitution.

What we can learn from these two instances is that for the enforcement of a citizen’s right to privacy, and ensuring that no one takes the protection of data lightly, there needs to be a strong privacy law that holds even the government responsible, and above all, a strong data protection authority that is independent and has powers to penalise even government officials. On some of these counts, the Personal Data Protection Bill, 2019, disappoints.

First, members of the Data Protection Authority will no longer be appointed by independent entities from diverse backgrounds: where they were previously going to be appointed by a committee comprising the Chief Justice of India or a Supreme Court judge, the Cabinet secretary, and an independent expert, the power to appoint members to DPA now rests solely with government officials, including the appointment of adjudicating officers. In addition, the central government, in the interest of “national security, sovereignty, international relations and public order, can issue directions to DPA, which DPA will be bound by. Powers of DPA have also been reduced: while in the previous version of the bill, DPA had the sole power to categorise data as sensitive personal data, in the current version, the power rests with the central government, albeit in consultation with DPA. The central government will also notify any social media company as a significant data fiduciary, and not DPA. Only the central government can determine what critical personal data is, and not DPA.

This dependence on the government for appointments, functions and definitions, will invariably impact the independence of DPA, and even though the 2019 version of the bill gives it the authority to fine the state a maximum of Rs 5-15 crore, depending on the offence, i’d be surprised if this ever happens.

The bill does create significant exceptions for the state to acquire and process data, and an opportunity to create a base for surveillance reform in the country has been lost. The previous version of the bill had brought some sense of safety against mass surveillance, when it included the condition that processing of data by the government must be “necessary and proportionate”, drawing from Supreme Court’s historic right to privacy judgment. This is particularly important given that the bill also gives power to the government to exempt any agency from the provisions of the bill for processing of personal data, which includes acquiring data from any public or private entity.

Effectively, this means that government agencies may be exempt from any scrutiny by DPA, and can even collect data from third parties (for example, fin-tech companies, health-tech startups) without the user even knowing. Forget recommending criminal prosecution for mass surveillance, India’s DPA won’t even be able to fine a government agency for such a violation of the fundamental right to privacy. The government also has vast exceptions for data processing: “for the performance of any function of the state authorised by law”.

This aside, one of the more curious clauses in the bill is around non-personal data. The government, a few months ago, constituted a committee led by Infosys co-founder Kris Gopalakrishnan to look into the governance of non-personal data. Non-personal data, as the term suggests, is any data that is not related to an individual. In the bill, the government has given itself the right to acquire this data, which is essentially a company’s intellectual property, to “promote framing of policies for digital economy”. Why non-personal data finds a mention in a Personal Data Protection Bill is beyond comprehension, and this move will not inspire much confidence in businesses operating in India, when the state claims eminent domain over intellectual property.

It’s unfortunate minister Ravi Shankar Prasad is sending the bill to a select committee, given the fact that such significant changes to the bill should have led to another public consultation.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-december-12-2019-power-over-privacy

India’s record on internet shutdown gets bleaker; now blocked in 2 NE states

Admin — 2019-12-15T05:51:20Z

India reported over 100 internet shutdown in 2018, according to an annual study of Freedom House, a US-based non-profit research organization.

The article was published in the Hindustan Times on December 11, 2019. Pranesh Prakash was quoted.

The internet shutdown on Tuesday in Arunachal Pradesh and Tripura amid spiraling protests against the Citizenship (Amendment) Bill in the Northeast is the latest in a series of such shutdowns across India, which topped the list of countries that resorted to such measures in 2018.

India reported over 100 internet shutdown in 2018, according to an annual study of Freedom House, a US-based non-profit research organization. The study on the internet and digital media freedom was conducted in over 65 countries, which cover 87% of the world’s internet users

Police and administrative authorities have cited protests and other security reasons to routinely snap the internet in India.

The Centre promulgated the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017, under the Indian Telegraph Act, 1885, in August 2017 for legal sanction to the shutdowns.

As per the rules, Union home ministry secretary or secretaries of state home departments can order temporary suspension of the internet. An internet suspension order has to be taken up for review within five days.

Prior to 2017, authorities could shut down the internet under Section 144 of the Code of Criminal Procedure (CrPC), which empowers an executive magistrate to prohibit an assembly of over four people.

Section 5 (2) of the Telegraph Act, 1855, allowed the government to prevent transmission of any telegraphic message during a public emergency or in the interest of public safety.

The Kashmir Valley has remained under an internet shutdown since August 4. The shutdown was imposed hours ahead of the nullification of the Constitution’s Article 370 that gave Jammu and Kashmir special status.

Internet and phone lines were snapped ahead of Republic Day celebrations in 2010 in one of the first reported shutdowns in the Valley. Kashmir also holds the record for the longest shutdown when the internet was snapped for 133 days after the killing of Hizbul Mujahideen militant Burhan Wani in July 2016. The current shutdown, with 122 days and counting, is the second-longest.

The 100-day blackout in Darjeeling during the Gorkha agitation in 2016 is the third-longest internet shutdown in India.

Ahead of the verdict in the Ram Janmabhoomi-Babri Masjid title suit last month, the internet was shut down in parts of Maharashtra, Rajasthan, Haryana and Uttar Pradesh. The internet was shut down for three days in Gujarat during the agitation for a quota in jobs and educational institutes for the Patidar community in 2015.

As per the Software Freedom Law Centre, which provides free legal services to protect Free and Open Source Software, the total number of shutdowns in Indian since 2012 is more than 359. As per the tracker -- internetshutdowns.in -- which records such instances from newspaper clippings -- there have been 89 internet shutdowns in 2019, 134 in 2018, and 79 in 2017.

“As a part of this project, we track incidents of Internet shutdowns across India in an attempt to draw attention to the troubling trend of disconnecting access to Internet services, for reasons ranging from curbing unrest to preventing cheating in an examination,” it states as part of its purpose.

In September this year, the Kerala High Court held that access to the internet is a fundamental right. According to Pranesh Prakash of the Centre for Internet Society, the shutdowns are largely unlawful.

“David Kaye, the UN special rapporteur on the right to freedom of opinion and expression, has condemned the shutdowns and noted that the principles of proportionality and necessity should be adhered to in case of shutdowns. Yet, there have been several instances where lives have been lost in Kashmir due to the lockdown,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-december-11-2019-indias-record-on-internet-shutdown-gets-bleaker

Outrage As Privileged IITians Use Tech To Spy On Sweepers

Rachna Khaira — 2019-12-15T05:33:21Z

Some members of the housekeeping staff at IIT Ropar were put under round the clock surveillance during working hours for many days in February this year without their consent. IIT Ropar Director Prof S K Das has ordered a probe into the incident.

The article by Rachna Khaira was published in Huffington Post on December 31, 2019. Aayush Rathi was quoted.

The Indian Institute of Technology (IIT), Ropar is conducting a probe into the reported tagging and round the clock electronic surveillance of some housekeeping staff members as part of an experiment run by the Technology Business Incubation Foundation (TBIF) located at the IIT campus in February this year.

HuffPost India has learnt that the TBIF, a tech incubator run within IIT Ropar, signed off on the “Sweepy” project in which housekeeping staff were given wristbands and brooms secretly embedded with tracking chips, without seeking the consent of the janitorial staff, or informing IIT Ropar management.

While the housekeeping staff were told the wristbands would record their pulse and heart beat, and that they should wear it while cleaning the campus, the tracking chips were used to track to assess if they were sweeping out hard-to-reach corners of the institute.

Prof. Sarit Kumar Das, Director IIT Ropar told HuffPost India that a three member committee comprising of Prof. Bijoy H Barua, Prof. Javed Agrewala and Prof. Deepak Kashyap has been set up to look into the matter.

“We at the IIT Ropar respect privacy and condemn any such violation made by any of our student or staff member,” said Prof. Das. “Before conducting any experiment on human beings, an approval has to be sought from the human ethics team constituted in our institution and they present a case to me after seeking a written consent from the people who would undergo the experiment. Only, after getting my approval, such an experiment can be conducted at the campus.”

Sweeping surveillance

J K Sharma, the Chief Operating Officer of TBIF, told HuffPost India that his tech incubator deliberately misled the housekeeping staff about the true purpose of the wristband as they felt the housekeeping staff wouldn’t agree to wear such a device.

While elaborating more on the ‘Sweepy’ project, Sharma said that the project was based on an idea that came to the hostellers who were upset over the housekeeping staff for not cleaning their rooms.

“The sweepers were not working properly and despite reporting the matter several times to the authorities, they were not taking any cognisance. Perturbed, the students developed this programme in which the location of the sweeper can be recorded and monitored in a control room by a gadget tied to the sweeper’s wrist,” said Sharma.

He further added that a beacon records the activity of the sensor pasted to the broom or mop held by the sweeper and can monitor the area and the time in which it was used. The report was produced digitally on the screen.

Was a consent sought from the sweepers before tagging them?

“The testing was done in a secret manner as the housekeeping staff may not have given their consent for the trial. We tried it on three sweepers and while two of them were found working dedicatedly, one was found to have missed cleaning from few areas assigned to him,” said Sharma.

The findings were shared with the housekeeping supervisor who later directed his staff to do their duty more diligently.

The team working on the project however told HuffPost India that they secured the privacy of the housekeeping staff by removing the microphone from the gadgets tied to their wrists.

This technology does not have video feature and only monitors location of a moving object and is quite cheap as compared to the radio-frequency identification (RFID) technology that uses electromagnetic fields to automatically identify and track tags attached to objects.

The testing was done in a secret manner as the housekeeping staff may not have given their consent for the trial. We tried it on three sweepers and while two of them were found working dedicatedly, one was found to have missed cleaning from few areas assigned to himJ K Sharma, Chief Executive Officer, Technology Business Incubation Foundation, IIT Ropar

Calling this an increasingly commonplace trend of covert spying on domestic workers without their knowledge, Ayush Rathi, Programme Officer, Centre for Internet and Society, said that the housekeeping staff was made to wear the gadget under a false pretense is telling.

“This is a classic example of how the access to privacy is stratified along the axes of class, caste and gender. And ties in closely with a key purpose of surveillance — that of exerting control over people’s bodies to conform to the surveiller’s ideas of right and wrong,” said Rathi.

He further added that in many ways, this story captures the zeitgeist of the 21st century. The is the essence of so much of what qualifies as innovation today is that they seek to find technological solutions to problems that are structural in nature.

“So, in this instance it is very evident that the objective sought to be achieved was not to merely ‘fix’ the problem of the housekeeping staff performing its duties well, but to solely hold them guilty for failing to do so,” said Rathi.

An alternate, albeit more tedious, approach would have been to speak with the workers and iron out the struggles they were facing at the workplace that were preventing them from performing their job well. Any solution could only have been prepared thereafter — he added.

As per Prof. Das, a major problem with the engineering students is that unlike medical students, 90 percent of their experiments are based on machines and not human beings.

“There is too much deficiency of the understanding of human psychology amongst engineering students. To curb this, we at the IIT have started a mandatory course on human ethics which is being taught by some of the renowned human psychology experts. Still sometimes, the violations gets reported,” said Prof. Das.

For more details visit https://cis-india.org/internet-governance/news/huffignton-post-december-13-2019-rachna-khaira-outrage-as-privileged-iit-ians-use-tech-to-spy-on-sweepers

WhatsApp spy attack and after

Theres Sudeep — 2019-12-15T05:06:27Z

Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.

The article by Theres Sudeep was published in Deccan Herald on November 6, 2019. Aayush Rathi was quoted.

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.

Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.

It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after

In Twitter India’s Arbitrary Suspensions, a Question of What Constitutes a Public Space

torsha — 2019-12-12T16:54:05Z

A discussion is underway about the way social media platforms may have to operate within the tenets of constitutional protections of free speech.

The article by Torsha Sarkar was published in the Wire on December 7, 2019.

On October, 26 2019, Twitter suspended the account of senior advocate Sanjay Hegde. The reason? He had previously put up the famous photo of August Landmesser refusing to do the Nazi salute in a sea of crowd in the Blohm Voss shipyard.

According to the social media platform, the image violated Twitter’s ‘hateful imagery’ guidelines, despite the photo being around for decades and usually being recognised as a sign of resistance against blind authoritarianism.

August Landmesser. Photo: Public Domain

Twitter briefly revoked the suspension on October 27, but promptly suspended Hegde’s account again. This time, the action was prompted by Hegde quote-tweeting parts of a poem by Gorakh Pandey, titled ‘Hang him’, which was written in protest of the first death penalties given to two peasant revolutionaries in an independent India. This time, Hegde was informed that his account would not be restored.

Spurred by what he believed was Twitter’s arbitrary exercise of power, he proceeded to file a legal notice with Twitter, and asked the Ministry of Electronics and Information Technology (MeitY) to intervene in the matter. It is the subject matter of this ask that becomes of interest.

In his complaint, Hegde first outlines how the content shared by him did not violate any of Twitter’s community guidelines. He then goes on to highlight how his fundamental right of dissemination and receipt of information under Article 19(1)(a) were obstructed by the action of Twitter. Here, he places reliance to several key decisions of the Indian and the US Supreme court on media freedom, which provided thrust to his argument that a citizen’s right to free speech is meaningless if control was concentrated in the hands of a few private parties.

Vertical or horizontal?

One of the first things we learn about fundamental rights is that they are enforceable against the government, and that they allow the individual to have a remedy against the excesses of the all-powerful state. This understanding of fundamental rights is usually called the ‘vertical’ approach – where the state, or the allied public authority is at the top and the individual, a non-public entity is at the bottom.

However, there is another, albeit underdeveloped, thread of constitutional jurisprudence that argues that in certain circumstances these rights can be claimed against another private entity. This is called the ‘horizontal’ application of fundamental rights.

In that note, Hegde’s contention essentially becomes this – claiming an enforceable remedy against the private entity for supposedly violating his fundamental right. This is clearly an ask for the Centre to consider a horizontal application of Article 19(1)(a) against large social media companies.

What could this mean?

Lawyer Gautam Bhatia has argued that there are several ways in which a fundamental right can be enforced against another private entity. It must be noted that he derives this classification on the touchstone of existing judicial decisions, which is different from seeking an executive intervention. Nevertheless, it is interesting to consider the logic of his arguments as a thought exercise. Bhatia points out that one of the ways in which fundamental rights can be applied to a private entity is by assimilating the concerned entity as a ‘state’ as per Article 12.

There is a considerable amount of jurisprudence on the nature of the test to determine whether the assailed entity is state. In 2002, the Supreme Court held that for an entity to be deemed state, it must be ‘functionally, financially and administratively dominated by or under the control of the Government’. If we go by this test, then a social media platform would most probably not come within the ambit of Article 12.

However, there is a thread of recent developments that might be interesting to consider. Earlier this year, a federal court of appeals in the US ruled that the First Amendment prohibits President Donald Trump, who used his Twitter for government purposes, from blocking his critics. The court further held that when a public official uses their account for official purposes, then the account ceases to be a mere private account. This judgment has a sharp bearing in the current discussion, and the way social media platforms may have to operate within the tenets of constitutional protections of free speech.

Although the opinion of the federal court clearly noted that they did not concern themselves with the application of the First Amendment rights to the social media platforms, one cannot help but wonder – if the court rules that certain spaces in a social media account are ‘public’ by default, and that politicians cannot exclude critiques from those spaces, then can the company itself block or impede certain messages? If the company does it, can an enforceable remedy then be made against them?

A US court ruled that Donald Trump cannot block people on his Twitter account. Photo: Reuters

What can be done?

Of course, there is no straight answer to this question. On one hand, social media platforms, owing to the enormous concentration of power and opaque moderating policies, have become gatekeepers of online speech to a large extent. If such power is left unchecked, then, as Hegde’s request demonstrates, a citizen’s free speech rights are meaningless.

On the other hand, if we definitively agree that in certain circumstances, citizens should be allowed to claim remedies against these companies’ arbitrary exercise of power, then are we setting ourselves for a slippery slope? Would we make exceptions to the nature of spaces in the social media based on who is using it? If we do, then what would be the extent to which we would limit the company’s power of regulating speech in such space? How would such limitation work in consonance with the company’s need to protect public officials from targeted harassment?

At this juncture, given the novelty of the situation, our decisions should also be measured. One way of addressing this obvious paradigm shift is by considering the idea of oversight structures more seriously.

I have previously written about the possibility of having an independent regulator as a compromise between overtly stern government regulation and allowing social media companies to have free reign over the things that go on their platforms. In light of the recent events, this might be a useful alternative to consider.

Hegde had also asked the MeitY to issue guidelines to ensure that any censorship of speech in these social media platforms is to be done in accordance with the principles of Article 19.

If we presume that certain social media platforms are large and powerful enough to be treated akin to public spaces, then having an oversight authority to arbitrate and ensure the enforcement of constitutional principles for future disputes may just be the first step towards more evidence-based policymaking.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-torsha-sarkar-december-7-2019-twitter-arbitrary-suspension-public-space

Cyber security tips for small businesses

Theres Sudeep — 2019-12-05T23:35:59Z

It is important to have good cyber security practices, experts recommend.

The article by Theres Sudeep was published in the Deccan Herald on December 1, 2019. Arindrajit Basu was quoted.

Many times small businesses don’t allocate any of their budgets to cybersecurity. This is due to the common misconception that it’s only larger companies and governments that need to worry about attacks by hackers and the like.

This is not the case as Arindrajit Basu of The Centre for Internet and Society explains, “The kind of risks that smaller players are vulnerable to may not be on the scale of threats that larger companies encounter, but it is equally important for them to have good cybersecurity practices,” he says.

Phishing, an attempt to obtain sensitive information by disguising oneself as a trustworthy entity, and ransomware, a type of malware that threatens to publish the victim’s data or block access to it unless a ransom is paid, are the two most common kinds of attacks on small business according to Basu.

He adds that many hackers see small businesses as an easy way into a larger network. Once the smaller nodes are breached, they can easily get to the bigger players on the network.

Bengaluru, the startup capital of the country, has many such small businesses that need to better their cybersecurity practices.

The first and foremost step recommended by Basu is to create a strategy within your business plan and revise it periodically. This must include employee training and guidelines on what to if there is a breach.

Apart from this owners and employees are advised to routinely change passwords and back up their data on a device that doesn’t connect to the internet.

Owners are also advised to monitor access to admin accounts.

Many small businesses and startups don’t have offices of their own, which means employees end up working at a cafe or the like.

When working at these venues, make sure to carry your own WiFi or use the hotspot from your phone. Open WiFi networks are vulnerable to attacks.

Basu concludes by saying that small businesses must be periodically audited by an independent cybersecurity firm.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-december-1-2019-theres-sudeep-cyber-security-tips-for-small-businesses

Why having more CCTV cameras does not translate to crime prevention

Manasa Rao — 2019-12-05T23:26:25Z

Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

The article by Manasa Rao was published the News Minute on September 3, 2019. Pranav M. Bidare was quoted.

In August, a couple from Tamil Nadu’s Tirunelveli district made national headlines for their bravery. True to the Tamil adage ‘vallavanukku pullum aayudham’ (for the strong man, even a blade of grass is a weapon), when thieves entered their home, they fought them with chairs, slippers and even a bucket. Despite being armed with sickles, the masked miscreants fled the scene unable to match the counter-attack mounted by 70-year-old Shanmugavel and 65-year-old Senthamarai. The incident was caught on CCTV camera and the couple, whose video quickly went viral, was celebrated for their valour and made for the perfect social media feel-good story. However, as the news cycle was focused on them, senior police officers from the state and many commentators pointed to the importance of the CCTV camera footage. After all, the whole world watched their courage thanks to the CCTV camera affixed on the couple's front yard.

Since 2017, the Tamil Nadu Police has been aggressively pushing for citizens to install CCTV cameras. A techno-futuristic awareness campaign video released last year even roped in popular Kollywood star Vikram to help the police force. “If there are CCTV cameras, crimes are prevented, evidenced and importantly, it provides evidence in court. So, each of us will compulsorily fix a CCTV camera wherever we are,” says Vikram. In a bold declaration, the motto of the campaign affirms, “With CCTV everywhere, Tamil Nadu has become a place without crime.” At the end of the video Vikram suggests Big Brother is watching, stating, “Everything. Everywhere. We're watching.”

But do more CCTV cameras necessarily translate to crime prevention and deterrence? Can technology substitute addressing social, psychological, economic and other individual factors that largely lead to criminality? And what are the perils of over-reliance on technology to fight crime?

What the numbers say

A study released in August by tech research group Comparitech ranked Chennai as 32nd out of 50 of the most surveilled cities in the world. The research group, with the use of government reports, police websites and news articles, puts the total number of cameras in the city at 50,000. With a 2016 estimated population of 1.07 crore in Chennai, that is 4.67 cameras per 1,000 people.

With the help of Numbeo, a crowd-sourced database of perceived crime rates, the study puts Chennai’s crime index at 40.39. On a scale of 0 to 100, this is an estimation of overall level of crime in a given city. This score means Chennai’s crime index is ranked ‘moderate’. Similarly, on a 100 point scale, the city's safety index— quite the opposite of crime index— is at 59.61. The higher the safety index, the safer a city is considered to be.

The two other Indian cities on the list of 50 are New Delhi ranked No. 20 with 1,79,000 cameras for 1.86 crore people (9.62 cameras per 1,000 people) and Lucknow ranked at No. 40 with 9,300 cameras for 35.89 lakh people (2.59 cameras per 1,000 people). The capital's crime index is at 58.77 while its safety index is 41.23. The UP city on the other hand has a crime index of 45.30 and a safety index of 54.70.

Stating that the higher number of cameras ‘just barely correlates’ with a higher safety index and lower crime index, the study concludes, “Broadly speaking, more cameras doesn’t necessarily result in people feeling safer.” While the presence of CCTV cameras may not inherently be bad, experts say that they cannot become a substitute for tackling crime and its causes which transcend the realm of technology. These involve tailored and specific approaches which stem from community building.

The infallible CCTV myth

Pranav MB, policy officer at the Centre for Internet and Society in Bengaluru observes that in the long run, over-reliance on CCTV cameras would merely propel criminals to innovate, as opposed to helping deter the crime from taking place. He says, “While it seems intuitive that the presence of a CCTV camera will have a deterring effect on criminal activity, numerous studies over the past decade have concluded that this is not really the case. The idea of a deterring effect also relies on the assumption that the actors are making educated intelligent choices about their future, which is often not the case with persons that commit criminal acts. So the deterring effect of CCTV cameras is not likely to be much more than the already deterring effect that exists because of criminal law and law enforcement.”

Busting the myth that CCTV cameras are foolproof, Pranav adds that public infrastructure as simple as a streetlight could aid in safer neighbourhoods. “The fact remains, however, that if you are not using advanced technology, a simple mask will render you unidentifiable by most basic CCTV cameras. As more advanced and more expensive technology is used, you are only necessitating the need for innovation among criminals to identify new loopholes that they can exploit in the technology. This is not an argument that generally holds against the use of technology, but in the case of CCTV cameras, it has been seen that simple street lights much better serve the goal of deterrence of crimes,” he says.

However, cops disagree with the findings. One IPS officer who works with the police’s Law and Order department in Chennai tells TNM that the presence of CCTV cameras has helped them nab a range of criminals from chain-snatchers to stalkers who have hacked women to death. Praising the use of facial recognition software like FaceTagr that was introduced a few years ago, the officer says, “CCTV cameras have a dissuading effect on criminals. At the very least they serve as a warning but in most cases, we can easily match them to criminals on our existing local, station-wise database. Especially when it comes to areas like T Nagar, Purasawalkam or other crime-prone suburbs, CCTV cameras are an invaluable tool for law enforcement.”

“Even in cases of sexual abuse, street harassment or trafficking, private CCTV cameras have been helpful. Shop owners or residents have come forward with the footage in public interest,” he says, admitting that the Centre’s release of the long-pending National Crime Records Bureau (NCRB) statistics could show a correlation between the push to install CCTVs and crime rates.

With a lack of NCRB data, there are no statistical answers to whether indeed installation of CCTV cameras has helped lowering of crime rates. However, as per one report in The Hindu, the police report a 30% drop in the crime rate in the city following the installation of CCTV cameras. According to their estimate for chain snatching alone, the city police claims that the number of cases have dropped from 792 in 2012 to 538 following the installation of CCTV cameras in 2018.

Over-reliance on technology

Agreeing that law enforcement must be cautious while employing technology to solve crimes, Dr M Priyamvadha, associate professor at the Department of Criminology, University of Madras says her detailed interviews with over 200 incarcerated burglars across Tamil Nadu reveal that they are always on the lookout for a CCTV camera. “They simply use a jammer worth Rs 2,000 (a handy device that disrupts the signal range of a camera) to skirt the presence of a CCTV camera,” she reports. However, the professor cautions that one must not over-sell the capabilities of a CCTV camera in crime prevention.

“We must remember that CCTV cameras don't deter all crimes. If there is family or domestic violence, there won't be a CCTV camera inside the four walls of a house to reveal it. For burglaries, robberies and such offences, you can rely on CCTV cameras. How far it helps is a question mark. You can neither completely say it prevents crime nor that it is a waste,” she says.

The professor points out that even when deploying CCTV cameras across the city, law enforcement does not account for wear and tear and maintenance which forms an important part of monitoring security.

Echoing the sentiment, Pranav says that CCTV cameras primarily serve as sources of electronic evidence in criminal cases. “Their deterring effect has repeatedly been observed to not balance out the costs of installing and running them.”

Privacy, data protection concerns

Chennai-based independent tech researcher Srikanth points to the inherent surveillance dangers thanks to the centralised way in which the city police collects the CCTV data. “There is something concerning especially about Chennai City Traffic Police and other various city police’s approach to CCTV. The fundamental shift is that, at least in the city, these cameras are connected to the police control room. So data gets centrally collated. When centralization kicks in, power abuse isn't far away. This way it is far easier for police to destroy evidence,” he alleges.

Srikanth also points out, “CCTVs (especially connected ones) are usually funded by residents and/or merchants who spend their money in putting up the infrastructure, but freely give away the data to the police (often in good faith). There is no oversight on usage, storage, retention of this data and by sheer monopoly on law and order, the police is able to connect a vast number of private CCTVs on to its network.”

Significantly, he expresses concerns about there being no laws that govern the usage of CCTV footage by the police. “Even if one gives into the legitimate state aim to control crime, even if one can argue violation of privacy is proportional, there is no law around use of CCTV by police, let alone using them in investigations. That the state engages with private vendors (such as FaceTagr) and many others also provides these service providers access to data,” he explains.

Pranav also warns, “Furthermore, CCTV cameras also result in compromising the privacy of individuals, and if implemented by the state (as in the case of law enforcement), creates added surveillance risks. Compounding on this is the issue of the recorded video footage, which if stored/transmitted/managed in an non-secure manner creates data protection risks as well. This is especially true in India, where it is difficult to obtain the required infrastructure and expertise in running an effective and secure CCTV camera system.”

'Technology cannot replace interpersonal relationships'

Advising pragmatic thinking when it comes to crime prevention, professor Priyamvadha says that technology should complement what she calls the ‘human touch'. Junking the ‘holistic’ one-size-fits-all approach that is often paraded as a solution, the criminologist says that each crime requires a tailored method of tackling it. “For each and every crime, there is a different strategy. There maybe crimes committed by juveniles, crimes committed against women. For example, if female foeticide is rampant in a village, it is important to understand the village, the preferences of the people there and the caste practices present among them,” she observes.

While technology often allows law enforcement to cover more ground in cases of limited manpower, there’s also a chance the cameras could be seen as a substitute for forging interpersonal relationships between police and the people they seek to protect. “With quick transferring of cops nowadays, the local police station doesn’t have an understanding of the ongoings. Interpersonal relationships are more important than technological advances,” she notes.

For more details visit https://cis-india.org/internet-governance/news/why-having-more-cctv-cameras-does-not-translate-to-crime-prevention

A Deep Dive into Content Takedown Timeframes

torsha — 2020-06-26T11:59:06Z

Since the 1990s, internet usage has seen a massive growth, facilitated in part, by growing importance of intermediaries, that act as gateways to the internet. Intermediaries such as Internet Service Providers (ISPs), web-hosting providers, social-media platforms and search engines provide key services which propel social, economic and political development. However, these developments are also offset by instances of users engaging with the platforms in an unlawful manner. The scale and openness of the internet makes regulating such behaviour challenging, and in turn pose several interrelated policy questions.

In this report, we will consider one such question by examining the appropriate time frame for an intermediary to respond to a government content removal request. The way legislations around the world choose to frame this answer has wider ramifications on issues of free speech and ease of carrying out operations for intermediaries. Through the course of our research, we found, for instance:

An one-size-fits-all model for illegal content may not be productive. The issue of regulating liability online contain several nuances, which must be considered for more holistic law-making. If regulation is made with only the tech incumbents in mind, then the ramifications of the same would become incredibly burdensome for the smaller companies in the market.
Determining an appropriate turnaround time for an intermediary must also consider the nature and impact of the content in question. For instance, the Impact Assessment on the Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online cites research that shows that one-third of all links to Daesh propaganda were disseminated within the first one-hour of its appearance, and three-fourths of these links were shared within four hours of their release. This was the basic rationale for the subsequent enactment of the EU Terrorism Regulation, which proposed an one-hour time-frame for intermediaries to remove terrorist content.
Understanding the impact of specific turnaround times on intermediaries requires the law to introduce in-built transparency reporting mechanisms. Such an exercise, performed periodically, generates useful feedback, which can be, in turn used to improve the system.

Corrigendum: Please note that in the section concerning 'Regulation on Preventing the Dissemination of Terrorist Content Online', the report mentions that the Regulation has been 'passed in 2019'. At the time of writing the report, the Regulation had only been passed in the European Parliament, and as of May 2020, is currently in the process of a trilogue.

Disclosure: CIS is a recipient of research grants from Facebook India.

Click to download the research paper by Torsha Sarkar (with research assistance from Keying Geng and Merrin Muhammed Ashraf; edited by Elonnai Hickok, Akriti Bopanna, and Gurshabad Grover; inputs from Tanaya Rajwade)

For more details visit https://cis-india.org/internet-governance/blog/torsha-sarkar-november-30-2019-a-deep-dive-into-content-takedown-timeframes

Proposals to regulate social media run into multiple roadblocks

Saumya Tewari and Abhijit Ahaskar — 2019-11-28T14:16:25Z

The Cambridge Analytica scandal, the Pegasus spyware attack on WhatsApp and the growing misuse of social media platforms to spread misinformation have made governments world over, including in India, realise the limitations of existing laws in dealing with the misuse of these platforms.

The article by Saumya Tewari and Abhijit Ahaskar was published by Livemint on November 27, 2019. Gurshabad Grover was quoted.

“The draft guidelines are already in place and we have invited comments from all stakeholders across the country for the same. We have already conducted nationwide discussion with social activists, platforms and states and committed to the court that we will submit the intermediary guidelines by 15 January," said N.N. Kaul, media adviser to electronics and information technology minister Ravi Shankar Prasad.

The need for greater regulation of social media companies stems from the growing feeling that they are not doing enough to curb the misuse of their platforms. In recent times, many of them have been involved in brushes with the government and courts. For instance, short-video app TikTok was accused of promoting pornography among teens and temporarily banned from app stores following a Madras high court order; WhatsApp was slammed for not being able to curb fake messages which led to several cases of mob lynchings in 2018 and, more recently, for the Pegasus spyware attack. Twitter too has been criticised for failing to curb hate speech.

While the draft talks about intermediaries as a whole and doesn’t specify any particular segment, the proposals that apply to social media companies include setting up an India office and having a nodal officer for liaising with the government, furnishing information within 24 hours and tracing the source of a post or information. While forcing companies to have a nodal officer in the country can make these platforms more accountable to legal requests, it also makes them vulnerable to government pressure.

“Having offices in India allows the government to exert extralegal pressure on the company officials by forcing them to comply with informal requests. It is only useful if the intermediaries are willing to push back on the pressure and not entertain any informal request from the government," said Gurshabad Grover, research manager at the Centre for Internet and Society.

China-based TikTok, in a statement, emphasised that it is committed to respecting local laws and actively coordinates with law enforcement agencies through an India-based grievance officer. TikTok claims to have removed six million videos between July 2018 and April 2019 for violation of its guidelines.

Some of these proposals have been flagged on grounds of privacy. For instance, the traceability clause is going to have a huge impact on specific platforms such as WhatsApp and Telegram that encrypt all messages and calls. Enforcing traceability and deploying technology-based automated tools to proactively identify and disable public access to malicious content will force them to break or lower the encryption as has been pointed out by industry in the past.

WhatsApp maintained its official stance from February and reiterated that what is contemplated by the rules is not possible today given the end-to-end encryption that it provides. The rules would require the company to re-architect WhatsApp, which would lead to a different product, one that would not be fundamentally private.

“The fact that India doesn’t have an encryption law per say also complicates the scenario. In fact, section 84A (introduced after an amendment in 2008) of IT Act 2000 has specific provisions authorizing central government for coming up with a policy on encryption. It has been 11 years but there is still no law on it," said Pavan Duggal, a cyberlaw expert.

Further, to ensure that companies abide by the proposed rules and furnish information within 24 hours, the government will have to address hurdles in mutual legal assistance treaty between India and the US, which is why many of these requests take a lot of time to process. “The target of the government should be having an executive agreement with the US under the Cloud Act. The US has significant stakes in the data localization debate as many of the companies are based in the US, and that can be used as leverage to negotiate such an agreement. That will allow law enforcement agencies in India to have expedited access to information held by platforms which are based outside the country," Grover said.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-27-2019-saumya-tewari-and-abhijit-ahaskar-proposals-to-regulate-social-media-run-into-multiple-roadblocks