We are anonymous, we are legion

New Recommendations to Regulate Online Hate Speech Could Pose More Problems Than Solutions

amber — 2018-01-02T03:06:18Z

The T.K. Viswanathan committee’s recommendations could prove to be dangerous for free speech if acted upon without resolving its flaws.

The article was published by Wire on October 14, 2017

It was reported last week that an expert committee headed by T.K. Viswanathan, former secretary general of Lok Sabha, recommended that the Indian Penal Code (IPC), the Code of Criminal Procedure and the Information Technology Act be amended to include stringent penal provisions regarding online hate speech. While this report has not been made public, the Indian Express reported that the committee’s recommendations include, among other things, insertion and expansion of penal provisions in the IPC on ‘incitement to hatred’ (Section 153C) and ‘causing fear, alarm or provocation of violence’ (Section 505A) to include online speech, and creation of the offices of state cyber crime coordinator and district cyber crime cell.

Online hate speech has been among the more complex issues with regard to the regulation of technology. The complexity of restricting hate speech has to do with a number of factors, including the ubiquity of strong opinions in online speech, often offensive to certain groups, the interplay between individual and group rights, and the tensions between the values of dignity, liberty and equality. Siddharth Narrain has pointed out in his thesis on hate speech law that the use of law to curb offensive or hurtful speech has been done by religious groups, caste based groups, occupation based groups with strong caste associations, language groups and gender based groups. The range of actions arising from such uses of the law include the banning of books, criminal proceedings for political satire, or even ‘liking’ political posts on social media.

The relationship between speech acts and acts of violence is a complicated issue with little consensus on appropriate ways to regulate it. Scholars such as Jonathan Maynard have advocated greater reliance on non-legal responses such as counter speech, as the use of criminal law to tackle speech often has the effect of chilling forms of dissent. The formulation and application of legal tests in criminal law with respect to hate speech is also hard as hate speech has much to do with the content of speech as it has to do with the context, including factors such as power structures. Speech by a figure in a position of power also has a greater likelihood to result in a call for violence.

Before looking at the specific recommendations made by the T.K. Viswanathan committee, it would be worthwhile to also look at the background of this committee. The committee notes with approval the Law Commission of India’s 267th report on the issue of hate speech. The Law Commission, in turn, was acting at the behest of observations made by the Supreme Court in Pravasi Bhalai Sangathan v. Union of India in 2014. In this case, the Supreme Court exhibited judicial restraint and refused to frame guidelines prohibiting political hate speech, and had instead requested the Law Commission to look into it. However, the court noted with approval international case law on the issues, particularly the observations in the Canadian case Saskatchewan v. Whatcott. Relying on Whatcott, the Supreme Court provides a definition of hate speech that includes the following statements:

“Hate speech is an effort to marginalise individuals based on their membership in a group. Using expression that exposes the group to hatred, hate speech seeks to delegitimise group members in the eyes of the majority, reducing their social standing and acceptance within society. Hate speech, therefore, rises beyond causing distress to individual group members..[and] lays the groundwork for later, broad attacks on vulnerable that can range from discrimination, to ostracism, segregation, deportation, violence and, in the most extreme cases, to genocide. Hate speech also impacts a protected group’s ability to respond to the substantive ideas under debate, thereby placing a serious barrier to their full participation in our democracy.”

Thus, it is evident that the Supreme Court itself clearly states that hate speech must be viewed through the lens of the right to equality, and relates to speech not merely offensive or hurtful to specific individuals, but also inciting discrimination or violence on the basis of inclusion of individuals within certain groups. It is important to note that it is the consequence of speech that is the determinative factor in interpreting hate speech, more so than even perhaps the content of the speech. This is also broadly reflected in the Law Commission’s report that identifies the status of the author of the speech, the status of victims of the speech, the potential impact of the speech and whether it amounts to incitement as key identifying criteria of hate speech.

However, in the commission’s recommendations, these principles are not fairly represented in the suggested new Sections 153C and 505A, as per a draft released by the Internet Freedom Foundation. Section 505A, for instance, refers to “highly disparaging, indecent, abusive, inflammatory, false or grossly offensive information” and “derogatory information.” These are extremely broad terms, not having any guiding jurisprudence within Indian or international law, which may be helpful in restrictively interpreting them. It is important to note the similarities between this provision and the repealed Section 66A of the Information Technology Act, which sought to criminalise speech that was “grossly offensive,” having “menacing character,” or “causing annoyance..danger..insult..enmity, hatred or ill will.”

These terms in the recommended Section 505A also run foul of the observations of Justice Nariman in Shreya Singhal v. Union of India, where he took exception to the nature of the terms in Section 66A by stating that, “Information that may be grossly offensive or which causes annoyance or inconvenience are undefined terms which take into the net a very large amount of protected and innocent speech.” While these terms are somewhat tempered in this provision with a requirement to show intent to “cause fear of injury or alarm,” they remain exceedingly broad and contrary to the requirement that restrictions on speech must be couched in the narrowest possible terms.

The T.K. Viswanathan committee, in addition, seeks to bring, within the scope of the prospective Sections 153C and 505A, electronic speech. As per its recommendations, ‘means of communication’ would include “any words either spoken or written, signs, visible representations, information, audio, video or combination of both transmitted, retransmitted or sent through any telecommunication service, communication device or computer resource.” This could have the impact of bringing in a provision that has some similar effects as that of the now defunct Section 66A of the Information Technology Act. The lack of regard for the Supreme Court’s observations on hate speech, the need to look at it through the lens of equality and the over-broadness of restrictions on speech are likely to be dangerous for free speech if the recommendations of this committee are acted upon.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-

New privacy Bill more refined & has wider ambit, say experts

praskrishna — 2014-04-03T11:06:51Z

But creates wide exceptions for government agencies.

The article by Surabhi Agarwal was published in the Business Standard on April 2, 2014. CIS welcomes changes in the Bill but is cautious of the wide exceptions.

The government’s latest attempt to draft a privacy Bill is being termed by as a refined one by experts as it expands its ambit.

However, the Bill creates some wide exceptions for law enforcement and intelligence agencies to collect personal information of individuals. The government has made several attempts at drafting a privacy Bill since 2010, with the aim of protecting individuals against data misuse by government or private agencies.

The first draft, released in 2011, extended the Right to Privacy to citizens of India. But, the 2014 version has expanded its ambit to cover all residents of the country. The 2014 Bill also recognises the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India. In contrast, the 2011 Bill did not explicitly recognise the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.

Both the drafts include a list of circumstances under which authorisation for the collection and processing of sensitive personal data is not required. The lists are broadly the same. However, the latest version exempts insurance company and government intelligence agencies collecting or processing data “in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.”

A Bangalore-based Internet think-tank Centre for Internet and Society said it welcomed many changes in the Bill, but were cautious on the wide exceptions.

“The Bill carves out another exception for government agencies, allowing disclosure of sensitive personal data without consent to government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation, including cyber incidents, prosecution and punishment of offences,” the Centre for Internet and Society said in a note analysing the provisions of the Bill.

The privacy Bill was originally conceptualised to ensure the data collected by the government under various new projects such as Aadhaar or the National Information Grid (NATGRID) are not misused in any way. But incidents, such as the tapping of phone conversations involving former lobbyist Niira Radia, prompted the government to expand the ambit of the privacy law from just being a data protection one to also cover surveillance and interception.

However, it was unable to reach a consensus due to inter-ministerial conflicts as the law was superseding various provisions under several existing legislations.

The government also set up a committee under retired Delhi high court judge Ajit P Shah under the aegis of the Planning Commission to study international best practices on privacy and surveillance. This committee filed a report in 2012.

Some additions to the Bill include the term personal identifier, defined by any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.

The Bill has also re-defined sensitive personal data to denote personal data relating to physical and mental health, including medical history, biometric, bodily or genetic information, criminal convictions, password, banking credit and financial data, narco analysis or polygraph test data and sexual orientation.

Once the law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary.

It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.

For more details visit https://cis-india.org/news/business-standard-april-3-2014-surabhi-agarwal-new-privacy-bill-more-refined-has-wider-ambit-say-experts

New movies lose out due to piracy

Admin — 2019-02-02T02:24:42Z

Piracy continues to be a huge concern among filmmakers but it can also be a marketing strategy for small-budget films.

The article by Surupasree Sarmmah was published in Deccan Herald on January 23, 2019. Akriti Bopanna was quoted.

Despite a slew of measures taken by filmmakers, pirated versions of recently released films like ‘Uri: The Surgical Strike’, ‘Viswasam’, ‘KGF’ and ‘Why Cheat India’ were leaked online on websites like TamilRockers. Piracy has been a huge concern for all movie industries in India, national and regional, but experts say that not much can be done when a film is leaked online.

Neville J Kattakayam, author of the book ‘The All Seeing Digital Eyes: A Guide To Privacy, Security and Literacy’, says, “The maximum one can do is to control the servers in a particular jurisdiction. But there are servers in unlikely places — like somewhere out in the sea. These places don’t fall under any jurisdiction, national or international. It becomes impossible to control the servers then.”

Talking about the process of piracy, he explains that once a content is leaked, it mirages into different servers across to the world; not just online but offline too. “There are mirror sites having the same content that are immediately born. Accessibility wise, it’s all out there; there is nothing that one can completely restrict,” he says.

Neville feels that it is largely in the hands of the producers to restrict access to their material until the movie is released. With people usually preferring good quality prints, theatrical replicas are not favoured much, he told Metrolife.

“From what I have heard, the piracy usually happens when the copy is being sent to the censor board. Some intermediate source, who really wants to kill a movie, leaks it from there. That is the real challenge,” says Neville.

Hemanth M Rao, a director, says that when a movie is leaked online, the effort, time and money put in is at stake. “You feel robbed. Most people would want to go to the theatres to watch a film but with incidents of piracy on the rise, the life span of a movie is shortened,” he says.

However, he adds that the audience is beginning to understand the impact piracy has on the movie industry, especially at a time when there is intense competition between regional language industries.

He has a word of praise for the Kannada Film Industry, which he feels is safeguarding interests of the artistes.

“We have a close tie-up with the city police. We monitor where all a film is playing after its release. In case we come to know about any illegal activities, we intimate the police who act swiftly. This way, the access is cut down.”

“Another thing that upsets me is the habit of going live on Facebook while one is at the theatre. I don’t understand what pleasure people get out of it,” he says.

According to a new draft rule, being contemplated by the IT Ministry, host websites will be liable for any illegal content uploaded on their platform. Currently, a website is liable only for unlawful actions; like uploading copyrighted content without permission.

“The Government can block access to the original host of the pirated content if needed however the traction and virality these kinds of content get make it very difficult to contain their spread. It ends up being a blanket ban on sites such as torrent sites where all the content is not illegal yet the site is blocked as a whole,” says Akriti Bopanna, Policy Officer, Centre for Internet and Society.

The time taken for legal recourse doesn’t help either. Though filmmakers can approach the court for a ban on the website or server, the time taken for a legal remedy is way too long. By that time, the same link would have appeared in two or three other websites, says Akriti. “A leaked movie can be easily downloaded and sent to someone instantly.”

She feels that a more effective method than banning a website or a server would be to educate people.

“Not many know about copyright infringement, it is important to spread awareness from the grassroots level. Though we have messages on piracy shown at the start of every movie, these need to be more creative and fun so they will stay in the audience’s minds. Maybe the industry, as a whole, can do this as a community initiative,” she opines.

Small players don’t care much about piracy

Small-budget movies take piracy as a marketing strategy. They feel that once people watch the movie and write reviews, the film will get an overall boost — allowing them to sell more tickets in theatres.

However, major players spend crores on their movies and depend on ticket sales to get back the amount.

Difficult to claim copyright from different websites

Prominent production companies are targeting streaming websites who have uploaded their movies, citing copyright issues. However, floating websites like citytorrents and TamilRockers keep changing their domain name and it becomes impossible to counter them.

-Neville J Kattakayam

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-surupasree-sarmmah-january-23-2019-new-movies-lose-out-due-to-piracy

New Media, personalisation and the role of algorithms

amber — 2017-01-16T07:20:52Z

In his much acclaimed book, The Filter Bubble, Eli Pariser explains how personalisation of services on the web works and laments that they are creating individual bubbles for each user, which run counter to the idea of the Internet as an inherently open place. While Pariser’s book looks at the practices of various large companies providing online services, he briefly touches upon the role of new media such as search engines and social media portals in new curation. Building upon Pariser’s unexplored argument, this article looks at the impact of algorithmic decision-making and Big Data in the context of news reporting and curation.

Everything which bars freedom and fullness of communication sets up barriers that divide human beings into sets and cliques, into antagonistic sects and factions, and thereby undermines the democratic way of life. —John Dewey

Eli Pariser, in his book, The Filter Bubble,[1] refers to the scholarship by Walter Lippmann and John Dewey as integral to the evolution of the understanding of the democratic and ethical duties of the Fourth Estate. Lippmann was disillusioned by the role of newspapers in propaganda for the First World War. He responded with three books in quick succession — Liberty and the News,[2] Public Opinion[3] and The Phantom Public.[4] Lippmann brought attention the fact that the process of news-reporting was conducted through privately determined and unexamined standards. The failure of the Fourth Estate to perform its democratic functions, was, in the opinion of Lippmann, one of the prime factors responsible for the public not being an informed and rational entity. John Dewey, while rejecting Lippmann’s arguments that matters of public policy can only be determined by inside experts with training and education, did acknowledge the his critique of the media.

Pariser points to the creation of a wall between editorial decisionmaking and advertiser interests, as the eventual result of the Lippmann and Dewey debate. While accepting that this division between the financial and reporting sides of media houses has not been always observed, Pariser emphasises that the fact that the standard exists is important.[5] Unlike traditional media, the new media which relies on algorithmic decision-making for personalisation is not subject to the same standards which try to mitigate the influence of commercial interests on editorial decisions while performing many of the same functions as the traditional media.[6]

How personalisation algorithms work

Kevin Slavin, at his famous talk in the TEDGLobal Conference, characterised algorithms as “maths that computers use to decide stuff” and that it was infiltrating every aspect of our lives.[7] According to Slavin’s view, algorithms can be seen as control technologies and shape our world constantly through media and information systems, dynamically modifying content and function through these programmed routines. Search engines and social media platforms perpetually rank user-generated content through algorithms.[8]

Personalisation technologies have various advantages. It translates into more relevant content, which for service providers means more clicks and revenue and for consumer, less time spent on finding the content.[9] However, it also leads to privacy compromise, lack of control and reduced individual capability.[10] Search engines like Google use the famous PageRank algorithm, which combined with geographical location and previous searches yields most relevant search results.[11] PageRank algorithm uses various real time variables dependent on both voluntary and involuntary user inputs. These variables include number of clicks, number of occurrences of the key terms and number of references by other credible pages etc. This data in turn determines the order of pages in search results and influences the way we perceive, understand and analyse information.[12] Maps showing real time traffic information retrieve data from laser and infrared sensors alongside the road and from information from devices of users. Once this real time data is combined with historical trends, these maps recommend rout to every user, hence influencing the traffic patterns.[13]

Even though this phenomenon of personalization may appears to be new, it has been prevalent in the society for ages.[14] The history of mass media culture clearly shows personalization has always been a method to increase market, market reach and customer satisfaction.[15] Newspapers have sections dedicated to special topics, radio and TV have channels dedicated to different interest groups, age groups and consumers.[16] These personalised sections in a newspaper and personalised channels on radio and television don’t just provide greater satisfaction to the readers or listeners or consumers, they also provide targeted advertisement space for the advertisers and content developers. However, digital footprints and mass collection of data have made this phenomenon much more granular and detailed. Geographical location of an individual can tell a lot about their community, their culture and other important traits local to a community.[17] This data further assists in personalisation. Current developments in technology not only help in better collection of data about personal preferences but also help in better personalisation.

Pariser mentions three ways in which the personalization technologies of this day are different from those of the past. First, for the very first time, individuals are alone in the filter bubble. While in traditional forms of personalisation, there were various individuals who shared the same frame of reference, now there is a separate sets of filters governing the dissemination of content to each individual.[18] Second, the personalisation technologies are entirely invisible now, and there is little that consumers can do to control or modify them.[19] Third, often the decision to be subject to these personalisation technologies is not an informed choice. A good example of this would be an individual’s geographical location.[20]

The neutrality of New Media?

More and more, we have noticed personalisation technologies having an impact on how we consume news on the Internet. Google News, Facebook’s News Feed which tries to put together a dynamic feed for both personal and global stories, and Twitter’s trending hashtag feature, have brought forward these services are key drivers of an emerging news ecosystem. Initially, this new media was hailed as a natural consequence of the Internet which would enable greater public participation, allow journalists to find more stories and engage with the readers directly. An illustration of the same could be seen in the way Internet based news media and social networking websites behaved in the aftermath of Israel’s attacks on a United Nations run school in Gaza strip. While much of the international Internet media covered the story, Israel’s home media did not cover the story. The only exception to this was the liberal Israeli news website Ha’aretz.[21] Network graph details of Twitter, for a few days immediately after the incident clearly show the social media manifestation of the event in the personalised cyberspace. It is clearly visible that when most of the word was re-tweeting news of this heinous act of Israel, Israeli’s hardly re-tweeted this news. In fact they were busty re-tweeting the news of rocket attacks on Israel.[22]

The use of social media in newsmaking was hailed by many scholars as symptomatic of the decentralisation characteristic of the Internet. It has been seen as movement towards greater grassroots participation by negating the ‘gatekeeping’ role traditionally played by editors. Thomas Poell and José van Dijck punch holes in theory of social media and other online technologies as mere facilitators of user participation and translators of user preferences through Big Data analytics.[23] They quote T. Gillespie’s work which talks of the narrative of these online services as platforms which are “open, neutral, egalitarian and progressive support for activity.”[24]

Pedro Domingos calls the overwhelming number of choices as the defining problem of the information age, and machine learning and data analytics as the largest part of this solution.[25] The primary function of algorithmic decision making in the context of consumption of content is to narrow down the choices. Domingos is more optimistic about the impact of these technologies, and he says “last step of the decision is usually still for humans to make, but learners intelligently reduce the choices to something a human can manage.”[26] On the other hand, Pariser is more circumspect about the coercive result of machine learning algorithms. Whichever way we lean, we have to accept that a large part of personalisation algorithms is to select and prioritize content by categorising it on the basis of relevance and popularity.

Poell and van Dijck call this a new knowledge logic which in effect replaces human judgement (as, earlier exercised by editors) to some kind of proxy decisionmaking based on data. Their main thesis is that there is little evidence to suggest that the latter is more democratic than former and creates new problems of its own. They go on to compare the practices of various services including Facebook’s new graph and Twitter’s trending topic, and conclude that they prioritise breaking news stories over other kinds of content.[27] For instance, the algorithm for the trending topics depends not on the volume but the velocity of the tweets with the hashtag or term. It could be argued that given this predilection, the algorithms will rarely prefer complex content. If we go by Lippmann and Dewey’s idea that the role of the Fourth Estate is to inform public debate and accountability of those in positions of power, this aspect of Big Data algorithms does not correspond with this role.

Quantified Audience

Another aspect of use of Big Data and algorithms in New Media that requires attention is that the networked infrastructure enables a quantified audience. C W Anderson who has studied newsroom practices in the US looked at role played by audience quantification and rationalization in shifting newswork practices. He concluded that more and more, journalists are less autonomous in their news decisions and increasingly reliant on audience metrics as a supplement to news judgment.[28] Poell and van Dijck review the the practices by some leading publications such a New York Times, L.A. Times and Huffington Post, and degree to which audience metrics dictates editorial decisions. While New York Times seems to prioritise content on their social media portals based on expectation of spike in user traffic, L.A. Times goes one step further by developing content specifically aimed towards promoting greater social participation. Neither of these practices though compare to the reliance on SEO and SMO strategies of web-born news providers like Huffington Post. They have traffic editors who trawl the Internet for trending topics and popular search terms, the feedback from them dictates the content creation.[29]

Conclusion

The above factors demonstrate that the idea of New Media leading to the Fourth Estate performing its democratic functions does not take into account the actual practices. This idea is based on the erroneous assumption that technology, in general and algorithms, in particular are neutral. While the emergence of New Media might have reduced the gatekeeping role played by the editors, its strong prioritisation of content that will be popular reduce the validity of arguments that it leads to more informed public discussion. As Pariser said, the traditional media scores over the New Media inasmuch as there is an existence of a standard of division between editorial decisionmaking and advertiser interest. While this standard is flouted by media houses all the time, it exists as a metric to aspire to and measure service providers against. The New Media performs many of the same functions and maybe it is time to evolve some principles and ethical standards that take into account the need for it to perform these democratic functions.

Endnotes

^{^[1]} Eli Pariser, The Filter Bubble: What the Internet is hiding from you (The Penguin Press, New York, 2011)

[2] Walter Lippmann, Liberty and News (Harcourt, Brace and Howe, New York 1920) available athttps://archive.org/details/libertyandnews01lippgoog

^{^[3]} Walter Lippmann, Public Opinion (Harcourt, Brace and Howe, New York 1920) available at http://xroads.virginia.edu/~Hyper2/CDFinal/Lippman/cover.html

^{^[4]} Walter Lippmann, The Phantom Public (Transaction Publishers, New York, 1925)

^{^[5]} Supra Note 1 at 35.

^{^[6]} Supra Note 1 at 36.

^{^[7]} https://www.ted.com/talks/kevin_slavin_how_algorithms_shape_our_world/transcript?language=en

^{^[8]} Fenwick McKelvey, “Algorithmic Media Need Democratic Methods: Why Publics Matter”, available at http://www.fenwickmckelvey.com/wp-content/uploads/2014/11/2746-9231-1-PB.pdf.

^{^[9]} http://mashable.com/2011/06/03/filters-eli-pariser/#9tIHrpa_9Eq1

^{^[10]} Helen Ashman, Tim Brailsford, Alexandra Cristea, Quan Z Sheng, Craig Stewart, Elaine Torns and Vincent Wade, “The ethical and social implications of personalization technologies for e-learning” available at http://www.sciencedirect.com/science/article/pii/S0378720614000524.

^{^[11]} Sergey Brin and Lawrence Page, “The Anatomy of a Large-Scale Hypertextual Web Search Engine” available at http://infolab.stanford.edu/pub/papers/google.pdf.

^{^[12]} Ian Rogers, “The Google Pagerank Algorithm and How It Works” available at http://www.cs.princeton.edu/~chazelle/courses/BIB/pagerank.htm.

^{^[13]} Trygve Olson and Terry Nelson, “The Internet’s Impact on Political Parties and Campaigns”, available at http://www.kas.de/wf/doc/kas_19706-544-2-30.pdf?100526130942.

^{^[14]} Ian Witten, “Bias, privacy and and personalisation on the web”, available at http://www.cs.waikato.ac.nz/~ihw/papers/07-IHW-Bias,privacyonweb.pdf.

^{^[15]} Supra Note 1 at 10.

^{^[16]} https://www.americanpressinstitute.org/publications/reports/survey-research/social-demographic-differences-news-habits-attitudes/

^{^[17]} Charles Heatwole, “Culture: A Geographical Perspective” available at http://www.p12.nysed.gov/ciai/socst/grade3/geograph.html.

^{^[18]} Supra Note 1 at 10.

^{^[19]} Id.

^{^[20]} Supra Note 1 at 11.

^{^[21]} Paul Mason, “Why Israel is losing the social media war over Gaza?” available at http://blogs.channel4.com/paul-mason-blog/impact-social-media-israelgaza-conflict/1182.

^{^[22]} Gilad Lotan, Israel, Gaza, War & Data: Social Networks and the Art of Personalizing Propaganda available at www.huffingtonpost.com/entry/israel-gaza-war-social-networks-data_b_5658557.html

^{^[23]} Thomas Poell and José van Dijck, “Social Media and Journalistic Independence” in Media Independence: Working with Freedom or Working for Free?, edited by James Bennett & Niki Strange. (Routledge, London, 2015)

^{^[24]} T Gillespie, “The politics of ‘platforms,” in New Media & Society (Volume 12, Issue 3).

^{^[25]} Pedro Domingos, The Master Algorithm: How the quest for the ultimate learning machine will re-make the world (Basic Books, New York, 2015) at 38.

^{^[26]} Ibid at 40.

^{^[27]} Supra Note 23.

^{^[28]} C W Anderson, Between creative and quantified audiences: Web metrics and changing patterns of newswork in local US newsrooms, available at https://www.academia.edu/10937194/Between_Creative_And_Quantified_Audiences_Web_Metrics_and_Changing_Patterns_of_Newswork_in_Local_U.S._Newsrooms

^{^[29]} Supra Note 23.

For more details visit https://cis-india.org/internet-governance/new-media-personalisation-and-the-role-of-algorithms

New Lock For EU’s Digital Mines

Admin — 2018-03-17T13:10:52Z

Indian companies dealing with European data wait anxiously as the EU pushes in new security rules

The article by Arindam Mukherjee was published in the Outlook in March 26, 2018 issue. Elonnai Hickok was quoted.

Pretty soon, Indian companies, especially those associated with European companies, will have to walk that extra mile to protect personal data. Come May 25, the European Union (EU) will enact a new set of regulations, called the General Data Protection Regulation (GDPR), which will impose stringent conditions for personal data protection and privacy laws.

What’s more, any violation of or non-compliance with the new regulations will attract the strictest of penalties and fines. On an average, the new regulations call for up to 4 per cent of a company’s global revenue as penalty.

With the already huge and rapidly expanding field of big data play across companies and industries, data protection has come under the limelight and many countries are talking in terms of putting in place stringent rules for personal data protection. The EU will be the first off the block with GDPR, which comes into effect in less than three months. It is expected that following the EU’s example, similar regulations will start coming up in other countries as well.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU and its regulations will cover all EU member states and citizens. Accordingly, all companies operating in the EU and having customers there, or even having work outsourced from the EU which involves its citizens’ personal data, will have to fall in line and comply.

The rules under GDPR will be relevant for businesses collecting, processing, storing, and sharing data of EU data subjects. This would include all businesses located in India providing services directly or indirectly to EU data subjects, as well as Indian companies with a presence in Europe.

This has put a lot of Indian IT and ITES companies in a bind given that few Indian companies are in a position to comply with the new GDPR rules and regulations within the given deadline. GDPR necessitates that adequate steps have to be taken to secure EU data wherever it is stored or processed.

At present, India does not have any data privacy law. However, the government has set up a committee of experts under former Supreme Court Justice B.N. Srikrishna to look into matters related to data protection and privacy in the country. The committee has so far come up with a draft protection bill. But it is unlikely that the committee will be able to come out with its final report before the GDPR deadline of May 25.

Huzefa Goawala, who heads GRC, India & SAARC, RSA, says the impact of GDPR will be heavy on India. “A sizeable chunk of Indian companies operate out of the EU including IT/ITeS, manufacturing, financial services and telecom companies,” he adds. “The GDPR will apply to personally identifiable information and internal facing data and external facing data, and organisations will have to protect data on all these fronts. Unfortunately, very few organisations have taken measures to become GDPR compliant at the ground level and are waiting for others to make a move. Larger, tier 1 organisations are in a consultation mode at the moment and are in a preliminary stage of compliance.”

According to Ernst & Young’s forensic data analytics survey (2018) done among Indian companies, 60 per cent of Indian respondents are still not familiar with the GDPR, while only a little over 23 per cent have heard of it but have done nothing about it. “This puts India in a precarious position, especially because it takes time for a company to prepare for GDPR compliance, which involves identifying where all the data resides and taking measures to safeguard it,” says Mukul Shrivastava, partner, Fraud Investigation and Dispute Services, Ernst & Young. “Many large IT-ITeS companies have secure servers in the EU or on cloud. But a lot of EU data processing is either done in India or is outsourced to India. That data needs to be protected under the GDPR.”

Experts say that under GDPR, a company will have to report any breach of data security within 72 hours. In case it fails to do so, stiff penalties will be imposed. With GDPR, the EU wants to stress on how important personally identifiable information is and see what companies are doing to protect it. It calls for deployment of ground level technologies by companies to ensure data security.

To ensure full compliance under GDPR will be a difficult task. “It is not possible to check 100 per cent compliance,” says Vijayshankar Na, cyber law and international information security expert. “There can be multiple versions of personal data in a process. To tap this data and see where all it is flowing in the system will be the toughest part under GDPR. Companies will have to identify all this in order to protect data.”

To help Indian companies, India’s IT representative body Nasscom has sought a “data secure” status for its companies from the EU. The EU has given a similar status to American companies, which ensures some concessions for them. Indian companies would be entitled to similar concessions under GDPR if they get the data secure status. But a decision on this is yet to come.

“As India has not attained data secure status, the collection, processing, storing, and sharing of EU data subjects by Indian companies will continue to be through ‘binding corporate rules’,” says Elonnai Hickok, chief operating officer, CIS (Centre For Internet and Society), Bangalore. “Though GDPR will affect any company handling EU data, the IT sector in India could potentially be impacted the most given the amount of business that it does and potentially could do with the region. For instance, a Deloitte report has estimated the outsourcing opportunity of the Indian IT industry with Europe at $45 billion.”

Hickok says India’s legal regime around privacy, consisting primarily of section 43A of the IT Act and associated rules, has not been found to be data secure by the EU in past assessments. This means that unless practices are guided by binding corporate rules, the standard of practice in India is lower than required by the previous Data Protection Directive (1995) as well as the GDPR. Some of the potentially challenging requirements in the GDPR will include the requirement for reporting breaches, new standards for consent, ensuring the rights of data subjects including access and correction, portability, erasure and deletion, the right to objection, and, if the need arises, the right to request human intervention in automated decisions.

What could also hit Indian companies is that the cost of GDPR compliance will be high—there will be costs related to human capital, periodic updates, IT infrastructure around the data (both hardware and software) and setting up cyber security and incident response programs.

“Europe is an important market for Indian companies,” says Vinayak Godse, senior director, Data Security Council of India (DSCI). “This heightened threshold of privacy may lead to some top line compromise for Indian IT companies. The compliance burden is also bound to increase. The small and mid-size companies looking at the EU as a market may struggle to comply with the new rules.”

The Indian government is trying to bring some order vis a vis data privacy and the Justice Srikrishna panel is expected to expedite the process. “The Government of India is currently developing a national data protection framework, following the Supreme Court judgment of August 2017 recognising an individual’s privacy as a fundamental right,” says Keshav Dhakad, director & assistant general counsel, corporate, External & Legal Affairs, Microsoft India. “The coming of GDPR will help galvanise the discussion in countries outside of Europe and in India.”

As of now though, there is a lot of confusion and Indian companies, staring at a tight deadline, are under stress. If they can speed up the process and comply, they will be safe, but if they fail, they could lose business in one of India’s most promising markets.

For more details visit https://cis-india.org/internet-governance/news/outlook-march-26-2018-new-lock-for-eu-digital-mines

New law to unlock data economy

praskrishna — 2017-06-12T01:10:06Z

Proposal has been sent to PMO for approval.

The article by Yuthika Bhargava was published in the Hindu on June 9, 2017.

The government is mulling a new data protection law to protect personal data of citizens, while also creating an enabling framework to allow public data to be mined effectively. The move assumes significance amid the debate over security of individuals’ private data, including Aadhaar-linked biometrics, and the rising number of cyber-crimes in the country.

“The Ministry of Electronics and Information Technology (MEIT) is working on a new data protection law. A proposal to this effect has been sent to the Prime Ministers’ Office for approval,” a senior ministry official told The Hindu.

Once the PMO approves it, the ministry will set up a “cross-functional committee” on the issue.

“We want to include all stakeholders. It will be a high-level committee, and all current and future requirements of the sector will be discussed.”

Two chief aims

The official said: “We are working with two main aims – to ensure that personal data of individuals remain protected and is not misused, and to unlock the data economy.”

The official explained that a lot of benefits can be derived from the data that is publicly available, by using technology and big data analytics. “The information can be used for the benefit of both individuals and companies,” the official said.

“The underlying infrastructure of the digital economy is data. India is woefully unprepared to protect its citizens from the avalanche of companies that offer services in exchange for their data, with no comprehensive framework to protect users,” Software Freedom Law Centre (SFLC.in), a non-profit, said in an emailed reply.

Currently, India does not have a separate law for data protection, and there is no body that specifically regulates data privacy.

“There is nominally a data protection law in India in the form of the Reasonable Security Guidelines under Section 43A of the Information Technology Act. However, it is a toothless law and is never used. Even when data leaks such as the ones from the official Narendra Modi app or McDonald’s McDelivery app have happened, section 43A and its rules have not proven of use,” said Pranesh Prakash, policy director at CIS.

Some redress for misuse of personal data by commercial entities is also available under the Consumer Protection Act enacted in 2015, according to information on the website of Privacy International, an NGO. As per the Act, the disclosure of personal information given in confidence is an unfair trade practice.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-yuthika-bhargava-june-9-2017-new-law-to-unlock-data-economy

New Kids on the Blog

praskrishna — 2011-04-01T16:10:34Z

Across the world, the blogosphere is shrinking. But that might not be a bad thing. Look closer, self-indulgence has found newer platforms, and only the fittest and the smartest blogs have survived. This article was published by the Indian Express on February 6, 2011. Indian Express reporter spoke with Nishant Shah.

Meet aneesha, a personable 20-something in a red jacket, with a coffee “without cream” cupped in her hands. Seven years ago, this Delhi-based professional was an avid user of LiveJournal. Most of her friends are from the online world; she met their blogs before she knew them personally. “My family’s perception of me and what I am are very different,” she says, “I hide myself in the layers of the internet.” Aneesha found herself and her friends through blogs; today, however, she has no time or inclination for the blogging world. “We used to write about the sunshine, a cute dog, a nice day. Who has the time for that any more?”

“I quit”. “We are moving out”. “This blog is Dead”.

An aerial view of the blogosphere resembles an abandoned city, with silence blowing through boarded-up windows. Recent Pew Internet Project surveys of teens and adults in the US reveal a decline in blogging among teens and young adults and a modest rise among adults 30 and older. According to the 2010 report, “In 2006, 28 per cent of teens in the 12-17 age group, and adults between 18 and 29 were bloggers, but by 2009, the numbers had dropped to 14 per cent of teens and 15 per cent of adults. During the same period, the percentage of online adults over 30 who were bloggers rose from 7 per cent to 11 per cent.” These numbers reflect American reality, but the blogosphere has not been similarly mapped and analysed in India, says Nishant Shah, director, research, Centre for Internet and Society, Bangalore. When contacted, WordPress, a blog tool and publishing platform, said that they don’t publish country-specific statistics either.

While blogging in itself seems to have peaked and plateaued, blog-like activities have moved to other online spaces. Blogs were at the social media forefront around five years ago. According to Technorati, an internet search engine for blogs, the blogosphere in 2004 was eight times as large as it was in June 2003. Since then, Blogger and WordPress have been stagnating, says Nielsen, a media-research firm. A 2010 article in The Economist pointed out, that according to Blogads, which sells ads, “media buyers’ inquiries increased tenfold between 2004 and 2008, but have grown by only 17 per cent since then.”

But the numbers only tell a part of the story. The immensity of the blogging world means that it will always remain terra incognita. Its vastness allows poorly-written, lazily-reasoned dribbles to exist, but it also provides an unparalleled democratic platform (if you have access to the internet). The blogosphere, which had become an endless echo chamber, has evolved into a more interesting space, with startling diversity. Teenagers have found new fads, and moved out; instead, adults are setting up their couches here. Over the last four-five years, the fittest and smartest blogs have survived, whereas those with a readership of one have sunk to Google’s ocean floor. Few bloggers actually bother to delete their accounts, most starve away because of the author’s neglect and the audiences’ disinterest. The ones that have thrived have created communities of kindred souls, with an eye for beauty or a knack for the kooky. The Indian blogosphere is rich ground for posts on cinema, economics, sports, design and politics. Blogs can be conclaves of critics against the mainstream, they can be crucial support systems for the grieving. But how did we get here?

Peter Merholz, a lover of words and etymologies, and founding partner of consultancy Adaptive Path, created the word “blog” in 1999.

Playing with syllables, he decided to change “weblog” into “blog” for short. This San Francisco-based designer writes in his blog, “I like that it’s roughly onomatopoeic of vomiting. These sites (mine included!) tend to be a kind of information upchucking.”

For something that started as verbal upchucking, blogging has evolved over the decade. Anupam Mukerji, aka the Fake IPL Player, whose blog was the sensational sideshow that overshadowed the second edition of the Indian Premier League in 2009, says, “Self-indulgence is out. People want to be entertained and nobody really cares what you had for breakfast.”

In the early part of this decade, blogging was about self-expression, within a small community (like LiveJournal), says Aneesha. Kiran Jonnalagadda, a Bangalore-based social technologist, and founder of HasGeek, which organises technical discussions, recalls, “Your blog was not secret, but was private by virtue of not many people being online. It was a safe assumption for young people that their parents and siblings would never read their blog. The medium of the blog was the most advanced technology of the day. It was crude by modern standards, but fantastic compared to anything earlier.” Aneesha and Jonnalagadda abandoned LiveJournal after their initial euphoria. Today, it is said, only the Russians use it, since it was bought over by a Russian company in 2007.

Blogging has come of age in India where we now see the growth of the “modern blogger”, says Jonnalagadda, one of the early Indian bloggers. “It’s important to distinguish between these two — the blogger as someone who indulged in self-expression in the early 2000s, who’s now moved to Facebook and other tools, versus the modern blogger who uses the same technology but is actually a small media publisher serving a niche segment.”

Facebook and Twitter are dummy-friendly and easily satisfy the exhibitionist, the voyeur, the curious or the intellectual. In 2010, there were 152 million blogs on the internet; it doesn’t seem much in comparison to 600 million Facebook users. On Facebook, it takes just a few seconds to upload a picture. A “thumbs up” is all it takes to “like” a photo or a comment. A personal update becomes part of the newsflash on friends’ homepages. Facebook’s “Notes” can satisfy the desire to write long, random and personal outpourings. “Tagging” friends in these notes assures one of a readership. Sharing so little with so many has never been this effortless. Blogs, defined as a format of writing, where pieces are arranged in a reverse chronological order, are no longer the preferred tool for the personal.

Technorati reports that the significant growth of mobile blogging is a key trend in 2010. Though the smartphone may still be relatively new in India, bloggers have reported that mobile blogging has lead to shorter posts and to a growing preference for Facebook and Twitter. Kiruba Shankar, CEO of Business Blogging Pvt Ltd, a social media consultancy in Chennai, and a once-prolific blogger, says, “Five years back, I was averaging two posts a day. In 2010, which was my worst year in blogging, I did one post every two months! It’s not that I stopped writing. I just moved my updates to Twitter and Facebook.” Shankar has even written an entire book in 140-character capsules on the merits of collaborative work: Crowdsourcing Tweet. He explains, “I love reading smaller books. I love tweeting my thoughts. I wanted to eat the elephant in smaller bites and so I jotted down points in tweets.”

On the Web, none of these social mediums work in isolation, each is connected with the other. Facebook and Twitter have also become ways to promote blogs, with people often posting their links and thereby increasing their readership and the scope of the conversation.

With blogs moving beyond the personal, the rise of the modern blogger writing for a niche audience is of particular interest. Mumbai-based Chandrahas Choudhury, author of The Middle Stage, a blog of essays on Indian and world literature, says, “Blogs have matured over the years in India. People who are serious have kept it. Lots of the press indulge in the criticism that blogs are not edited. But I’ve seen many great blogs. It’s a very good way of learning how to write good prose.” The Middle Stage provides an important space for literary criticism at a time when newspapers are squeezing out literary columns. Blogs give “maximum freedom”, says Choudhury, as one can increase the content through links; they also allow one to quote freely from other texts, which newspapers do not allow.

Shankar emphasises that search engines give more importance to any site with fresh content, and that blogs have high “archival value”, compared with “Facebook or Twitter where old updates seem to fall off the face of the earth”. The Google requisite for new content has made the group blog a better option than the personal as it makes it easier to generate content regularly. Successful group blogs are making an impact.

Little Design Book, “an online journal of design, visual culture and material culture”, is run by Ruchita Madhok, Aditya Palsule, Avinash Rajagopal and Shreyas Krishnan. The editors, who are based in London, New York, and Bangalore respectively, work collaboratively and communicate through Skype. Through smart and pithy posts, they describe designs that are too good to be true and those which are too awful to seem probable. On this team blog, art and design interact in meaningful ways, producing discussions and insights. Speaking from New York on the behalf of his team, Rajagopal feels that design blogs have taken off recently in India. “The Web is a great place to discuss design because it is an inherently democratic medium. Anyone can have their say.”

Others, who have made use of the democratic and immediate nature of the internet, include Pavitra Mohan, who runs the successful blog Masala Chai, a “creative collective that features south Asian art and design”. These blogs about Indian art and design are few but they are playing an important role in the promotion and criticism of the arts. Mohan says, “There’s high art and low art. They are both provided a uniform platform on the Web.” Started three years ago, the blog recently became a physical reality, with Masala Chai opening its first outlet in Chennai.

Rajagopal feels, however, that there’s still scope for editorialising content. “Many blogs post images of design objects, and say a few obligatory words. This has its necessary place in the blogging world. But we also need many strident, opinionated voices.”

Strident voices with trenchant opinions ring in collective blogs like Kafila, run by no single CEO but by 22 members. Speaking only for himself and not on behalf of Kafila, Shivam Vij, writer and member, says, “Blogging is ‘self-publishing’. To read blogs (and today, together with social media) is to get an uncut view of what a society thinks, without the frame of the organised media. This allows people to use blogging and social media to influence opinion, and thus cause change, good or bad.”

While blogs can be viewed as enjoyable entertainment or a platform for serious discussion and debate, blogs can also change lives. It can make famous the anonymous man stooped over a keyboard, with a prank in his head and spunk in his prose. Anupam Mukerji, the Fake IPL Player whose anonymous blog fooled thousands of cricket fans and administrators, and who revealed his identity in August last year, says, “I am still the same guy, but people respond to me differently. The blog changed my life.”

Blogging was also the “perfect tonic” for actor Lisa Ray, who started writing The Yellow Diaries once she’d been diagnosed with multiple myeloma, a cancer of the white blood cells, in June 2009. Her blog posts, written with heart and without fuss, chronicled her battle with the disease, from being a “cancer intern” to a “cancer survivor”. In what ways did the blog help her? “In every way,” she says. “It helped me process what I was going through. It helped me be honest with myself and face my fears head on. It also helped me connect with others by sharing a very human experience. It helped dilute my fear.” Her blog also helped others, obvious in the hundreds of comments left by readers. Talking about readers’ responses, she says, “I do remember thinking that we suffer from the ‘pathology of perfection’ in contemporary society and the only antidote is to celebrate our ‘humanness’ in all forms. To embrace the hurt and pain as much as the joys and success.”

Blogging was also a tonic for Indian Homemaker or Seema Rao, blogger and mother of Tejaswee Rao, a 19-year-old journalism student who passed away last year. Seema has been a frequent blogger for the last three years and now maintains her daughter’s blog In My Arrogant Opinion. She feels her daughter lives on through her presence on the Web. Sitting in a Gurgaon living room, surrounded by photos of her daughter, Rao says, “The family wanted a memorial gathering. But I know people will talk about her illness, they’ll say you should have gone to another hospital. I feel the blogosphere is more mature. A memorial would have been traumatic. I get support from bloggers, from people who don’t even know my name. On Tejaswee’s birthday, a mother in Hyderabad sent me a cake, with TJ written on it. I don’t know how I would have coped without the blogs.”

The original article was published in the Indian Express

For more details visit https://cis-india.org/news/new-kids

New internet rules open to arbitrary interpretation

praskrishna — 2011-05-06T04:58:57Z

Six years after an e-commerce CEO's arrest for a pornographic CD sold from his website, the government has introduced a liability on intermediaries such as Facebook and Google to "act within 36 hours" of receiving information about offensive content. This article by Manoj Mitta & Javed Anwer was published in the Times of India on April 27, 2011.

Under the rules notified on April 11 under the Information Technology Act, the intermediaries are required to work with the internet user "to disable such information that is in contravention" of the prescribed restrictions. While most of the restrictions in the rules are based on the criminal law (stuff that is blasphemous, obscene, defamatory, paedophilic, etc), some are so loosely worded that they could easily be misused against netizens accustomed to speaking their mind freely, whether on politics or otherwise.

One glaring example of an ill-thought-out provision is the prohibition on saying something that is "insulting any other nation". Since this expression has been mentioned without any qualifications, it could be invoked against anybody who talks disparagingly about other countries.

Apart from encroaching on free speech, the subjective notion of insulting a nation â€” as opposed to valid criticism â€” opens scope for arbitrariness and politically motivated interpretation. The authorities may not, for instance, take action against any content that is bashing Pakistan but may be touchy about similar attacks on the US.

Since such violations and the remedial action taken on them could become a subject of police probe, the rules state that "the intermediary shall preserve such information and associated records for at least 90 days for investigation purposes".

Given their legal repercussions, activists termed the new rules "draconian". Pranesh Prakash of Centre of Internet and Society alleged, "The rules seek to expand government's reach to control content on the internet. This is neither reasonable nor constitutional as the rules undermine the free speech guaranteed by the Constitution."

The intermediaries are also required to appoint a grievance officer and publish his contact details as well as the mechanism by which "users or any victim who suffers" can notify their complaints. The grievance officer is required to redress the complaints within one month of the receipt of the complaint.

Industry sources hold that the 36-hour deadline imposed on the intermediaries to take action on complaints would unduly affect their freedom as service providers in the Indian jurisdiction. A Google spokesperson told TOI that the proposed guidelines could be "particularly damaging to the abilities of Indians who are increasingly using the internet in order to communicate, and the many businesses that depend upon online collaboration to prosper."

Read the original article published by the Times of India here

For more details visit https://cis-india.org/news/internet-rules-arbitary-interpretation

New intermediary guidelines: The good and the bad

TorShark — 2021-03-15T13:52:46Z

In pursuance of the government releasing the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, this blogpost offers a quick rundown of some of the changes brought about the Rules, and how they line up with existing principles of best practices in content moderation, among others.

This article originally appeared in the Down to Earth magazine. Reposted with permission.

-------

The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The operation of these rules would be in supersession of the existing intermediary liability rules under the Information Technology (IT) Act, made back in 2011.

These IL rules would have a significant impact on our relationships with internet ‘intermediaries’, i.e. gatekeepers and getaways to the internet, including social media platforms, communication and messaging channels.

The rules also make a bid to include entities that have not traditionally been considered ‘intermediaries’ within the law, including curated-content platforms such as Netflix and Amazon Prime as well as digital news publications.

These rules are a significant step-up from the draft version of the amendments floated by the Union government two years ago; in this period, the relationship between the government around the world and major intermediaries changed significantly.

The insistence of these entities in the past, that they are not ‘arbiters of truth’, for instance, has not always held water in their own decision-makings.

Both Twitter and Facebook, for instance, have locked the former United States president Donald Trump out of their platforms. Twitter has also resisted to fully comply with government censorship requests in India, spilling into an interesting policy tussle between the two entities. It is in the context of these changes, therefore, that we must we consider the new rules.

What changed for the good?

One of the immediate standouts of these rules is in the more granular way in which it aims to approach the problem of intermediary regulation. The previous draft — and in general the entirety of the law — had continued to treat ‘intermediaries’ as a monolithic entity, entirely definable by section 2(w) of the IT Act, which in turn derived much of its legal language from the EU E-commerce Directive of 2000.

Intermediaries in the directive were treated more like ‘simple conduits’ or dumb, passive carriers who did not play any active role in the content. While that might have been the truth of the internet when these laws and rules were first enacted, the internet today looks much different.

Not only is there a diversification of services offered by these intermediaries, there’s also a significant issue of scale, wielded by a few select players, either by centralisation or by the sheer number of user bases. A broad, general mandate would, therefore, miss out on many of these nuances, leading to imperfect regulatory outcomes.

The new rules, therefore, envisage three types of entities:

There are the ‘intermediaries’ within the traditional, section 2(w) meaning of the IT Act. This would be the broad umbrella term for all entities that would fall within the ambit of the rules.
There are the ‘social media intermediaries’ (SMI), as entities, which enable online interaction between two or more users.
The rules identify ‘significant social media intermediaries’ (SSMI), which would mean entities with user-thresholds as notified by the Central Government.

The levels of obligations vary based on these hierarchies of classification. For instance, an SSMI would be obligated with a much higher standard of transparency and accountability towards their users. They would have to fulfill by publishing six-monthly transparency reports, where they have to outline how they dealt with requests for content removal, how they deployed automated tools to filter content, and so on.

I have previously argued how transparency reports, when done well, are an excellent way of understanding the breadth of government and social media censorships. Legally mandating this is then perhaps a step in the right direction.

Some other requirements under this transparency principle include giving notice to users whose content has been disabled, allowing them to contest such removal, etc.

One of the other rules from the older draft that had raised a significant amount of concern was the proactive filtering mandate, where intermediaries were liable to basically filter for all unlawful content. This was problematic on two counts:

Developments in machine learning technologies are simply not up there to make this a possibility, which would mean that there would always be a chance that legitimate and legal content would get censored, leading to general chilling effect on digital expression
The technical and financial burden this would impose on intermediaries would have impacted the competition in the market.

The new rules seemed to have lessened this burden, by first, reducing it from being mandatory to being best endeavour-basis; and second, by reducing the ambit of ‘unlawful content’ to only include content depicting sexual abuse, child sexual abuse imagery (CSAM) and duplicating to already disabled / removed content.

This specificity would be useful for better deployment of such technologies, since previous research has shown that it’s considerably easier to train a machine learning tool on corpus of CSAM or abuse, rather than on more contextual, subjective matters such as hate speech.

What should go?

That being said, it is concerning that the new rules choose to bring online curated content platforms (OCCPs) within the ambit of the law by proposals of a three-tiered self-regulatory body and schedules outlining guidelines about the rating system these entities should deploy.

In the last two years, several attempts have been made by the Internet and Mobile Association of India (IAMAI), an industry body consisting of representatives of these OCCPs, to bring about a self-regulatory code that fills in the supposed regulatory gap in the Indian law.

It is not known if these stakeholders were consulted before the enactment of these provisions. Some of this framework would also apply to publishers of digital news portals.

Noticeably, this entire chapter was also missing from the old draft, and introducing it in the final form of the law without due public consultations is problematic.

Part III and onwards of the rules, which broadly deal with the regulation of these entities, therefore, should be put on hold and opened up for a period of public and stakeholder consultations to adhere to the true spirit of democratic participation.

The author would like to thank Gurshabad Grover for his editorial suggestions.

For more details visit https://cis-india.org/internet-governance/blog/new-intermediary-guidelines-the-good-and-the-bad

New Indian Rules May Make Online Censorship Easier

praskrishna — 2011-04-01T15:57:20Z

Draft rules proposed by the Indian government for intermediaries such as telecommunications companies, Internet service providers and blogging sites could in effect aid censorship, according to experts. The article by John Ribeiro was published in Yahoo News on March 7, 2011.

Under the draft rules, intermediaries will have to notify users of their services not to use, display, upload, publish, share or store a variety of content, for which the definition is very vague, and liable to misuse.

Content that is prohibited under these guidelines ranges from information that may "harm minors in any way" to content that is "harmful, threatening, abusive."

Some of the terms are so vague that to stay on the right side of the law, intermediaries may in effect remove third-party content that is even mildly controversial, said Pavan Duggal, a cyberlaw consultant and advocate in India's Supreme Court.

While the definition of some of the terms like obscenity have been ruled on by India's Supreme Court, some of the other terms do not have a precise legal definition, said Pranesh Prakash, program manager at the Centre for Internet and Society, a research and advocacy group focused on consumer and citizen rights on the Internet.

"Would creating a Facebook profile for a minor, for example be considered as harming a minor ?" Duggal said.

The draft rules are secondary legislation framed by the government under the country's Information Technology (Amendment) Act of 2008. Under the IT Act, an intermediary is not liable for any third-party information, data, or communication link made available or hosted by him, if among other things, he has observed due diligence under the draft rules.

The new rules will give rise to subjective interpretations, thus giving a lot of discretion to non-judicial authorities in the country to decide whether the intermediary has observed due diligence or not, Duggal said.

According to the draft rules, an intermediary has to inform users that in case of non-compliance of its terms of use of the services and privacy policy, it has the right to immediately terminate the access rights of the users to its site. After finding out about infringing content, either on its own or through the authorities, the intermediary has to work with the user or owner of the information to remove access to the information.

Rather than recognizing the diversity of the businesses of intermediaries, the draft rules use a "one-size, fits all" set of rules across a variety of intermediaries including telecom service providers, online payment sites, e-mail service providers, and Web hosting companies, Duggal said.

An intermediary such as a site with user-generated content, like Wikipedia, would need different terms of use from an intermediary such as an e-mail provider, because the kind of liability they accrue are different, Prakash wrote in his blog.

The draft rules also add new provisions that appear designed to give the government easier access to content from intermediaries. Intermediaries will be required to provide information to authorized government agencies for investigative, protective, cybersecurity or intelligence activity, according to the rules.

Information will have to be provided for the purpose of verification of identity, or for prevention, detection, prosecution and punishment of offenses, on a written request stating clearly the purpose of seeking such information, the rules add.

The IT Act already has specific procedures in this connection for very specific information requirements, but the draft rules have broadened this to a general requirement for intermediaries to provide information, Prakash said. The new rule could in fact be a way of circumventing the earlier laws, he added.

The draft rules assume significance in the context of recent moves by the Indian government to get Research In Motion to provide access to information on BlackBerry services in India. While providing lawful access to its consumer services like BlackBerry Messenger, RIM has declined to provide access to its corporate service, BlackBerry Enterprise Server, claiming that it does not have access to customers' encryption keys.

The Indian government has previously also said it would demand lawful access from Google's Gmail and Skype, but has not taken any action so far in this direction.

The draft rules will require compliance from a number of entities who until now had thought they were outside the ambit of compliance, Duggal said.

Google did not immediately respond to e-mailed requests for its comments on the new rules. Microsoft said that the government should set the policy objectives and provide directional framework, and still allow flexibility to intermediaries to set the data protection measures as they deem fit for different situations and services.

"We believe that the intermediary should be obliged to take down non-compliant content on being notified of the same as well as terminate access rights for those who use these platforms for dissemination of non-compliant content," Microsoft said in an e-mailed statement. Non-compliance include, but is not limited to, copyrights, it added.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service.

Read the original in Yahoo News here

For more details visit https://cis-india.org/news/online-censorship

New Document on India's Central Monitoring System (CMS) - 2

maria — 2014-01-30T12:40:31Z

For more details visit https://cis-india.org/internet-governance/blog/new-cms-doc-2

New Delhi Expands Curbs on Web Content

praskrishna — 2012-08-24T13:16:22Z

India on Thursday broadened recent efforts to regulate the Internet with moves to block Twitter accounts of some prominent journalists and content from mainstream news organizations, sparking a backlash across social media in the country.

This article by R Jai Krishna and Rumman Ahmed was published in the Wall Street Journal on August 23, 2012. Sunil Abraham is quoted.

Since last week, the government has blocked content that it claims has fueled continuing communal violence in the northeast of the country. That fighting, between Muslim settlers and members of an indigenous group in the state of Assam, has left more than 80 people dead and sent ripples of tension across India.

The government confirms it has blocked around 250 Web pages it says were inciting Muslims to attack northeasterners, including sites carrying doctored photos purporting to show Muslim victims of fighting in Assam. Officials say these images on the sites, coupled with mass SMS phone messages threatening reprisals, have caused panicked northeasterners to flee their homes in a number of large Indian cities.

In recent days, though, the government has quietly widened its offensive, drawing up lists of journalists' Twitter accounts and news stories by local and foreign media organizations to be blocked. The lists, some of which were reviewed by The Wall Street Journal and confirmed by two telecom operators, include Twitter handles of journalists who have been critical of the government and some who have parodied Prime Minister Manmohan Singh.

The government didn't respond to requests for comment.

The government's actions caused an uproar on Twitter, where hashtags such as #GOIBlocks and #Emergency2012 were trending Thursday. "The Emergency" refers to a period in the 1970s when Prime Minister Indira Gandhi cracked down on media freedoms and civil liberties.

"The government's move to block several Twitter handles is a clear case of administrative overreach," said Sunil Abraham, executive director at the Bangalore-based Centre for Internet and Society. "This action means citizens are less likely to believe that the government can use its powers responsibly."

Government officials said Internet curbs are necessary to maintain harmony in a multicultural nation of 1.2 billion people.

Pankaj Pachauri, a spokesman for Mr. Singh, acknowledged the government had asked for Twitter's help to block six accounts that impersonate the prime minister. One of those accounts appeared on the government's lists. Twitter, based in San Francisco, has agreed to review the requests, he said. A Twitter spokeswoman declined to comment. Mr. Pachauri said earlier this week that Indian cyber authorities unilaterally blocked those six accounts.

Those six Twitter accounts faced government scrutiny because they made remarks that could have increased tensions, not because they poked fun at the prime minister, Mr. Pachauri said. "We're all for media freedom and encourage criticism by the media," he added. "But when it comes to inciting trouble between communities then we have to take firm action."

U.S. State Department spokeswoman Victoria Nuland said on Tuesday that "we are always on the side of full freedom of the Internet." She added that "we also always urge the government to maintain its own commitment to human rights, fundamental freedoms, rule of law."

India's Constitution allows restrictions on free speech for a number of reasons, including defense of "the sovereignty and integrity" of the country and in order to maintain "public order, decency or morality." Critics say the government has used the vague framing of the Constitution to clamp down on a widening array of Internet material, threatening India's democratic traditions.

Last year, the government framed new rules that require Internet companies to remove within 36 hours material that falls into a range of subjective categories—for instance, anything "ethnically objectionable," "grossly harmful," "defamatory" or "blasphemous."

India's telecoms minister, Kapil Sibal, in December urged Google Inc., and other Internet companies to screen derogatory material from their sites. The requests came amid anger over content that parodied Mr. Singh and Sonia Gandhi, president of the ruling Congress party, as well as other leading politicians.

"One always wonders if the government is using the garb of hate speech and communalism to…limit political criticism online," said Apar Gupta, a cyberlaw expert at Advani & Co., a Delhi-based law firm.

Google and Facebook executives are facing criminal charges in a New Delhi court for allegedly hosting objectionable material on their sites. If found guilty, the executives could face jail time or fines. The companies have petitioned to have the charges dropped, arguing that they shouldn't be held liable for material posted by users. Both firms have said they will remove material that contravenes their own standards or local laws.

Google, Facebook and Twitter again came under fire from India this week amid violence in Assam. Google and Facebook said Tuesday that they were complying with Indian government requests to remove content. Twitter hasn't commented.

Kanchan Gupta, a columnist who has been a fierce critic of the Congress party-led government, said his Twitter account had been temporarily blocked Wednesday night and Thursday. His name was on the government lists. "They thought they could do this slyly," he said. "They didn't anticipate the backlash on Twitter."

Raghavan Jagannathan, editor in chief of FirstPost.com, an Indian news portal that was on the lists, said some of its stories had been blocked.

"We understand that the government wants to stop the circulation of incendiary material that may inflame passions, but should it be blocking news and opinions on the subject?" he said. "I am not sure the decisions are well-thought-out."

Doha, Qatar-based Al Jazeera, an international cable-news organization, was also on the list. An Al Jazeera spokesman said the company was seeking a response from the government on reports of media restrictions affecting it and other outlets.

The government appeared unmoved. "Every company whether it's a construction company or an entertainment company or a social media company, it has to operate within the laws of the given country," Junior Minister for Communications Sachin Pilot told reporters on Wednesday.

For more details visit https://cis-india.org/news/wsj-com-jai-krishna-and-rumman-ahmed-aug-23-2012-new-delhi-expands-curbs-on-web-content

New Bill to decide on individual’s right to privacy

praskrishna — 2012-02-07T07:19:07Z

A group of experts would identify issues relating to privacy and prepare a report to facilitate authoring the Privacy Bill. Vishwajoy Mukherjee's article was published in Tehelka on 6 February 2012.

American jurist William J Brennan once famously remarked, “If the right to privacy means anything, it is the right of the individual to be free from unwarranted governmental intrusion.” Now the Government of India is on the verge of formulating, for the first time, a Privacy Bill that will lay down a specific framework to adjudicate an individual’s right to privacy.

The Planning Commission has constituted a small group of experts under the chairmanship of Justice A P Shah, former Chief Justice of the Delhi High Court, to identify issues relating to privacy and prepare a paper to facilitate authoring the Privacy Bill. The group will be studying the privacy laws and related bills promulgated by other countries and will also be analysing the impact of various programmes being implemented by the government, from the perspective of their impact on privacy. A detailed report with suggestions and remarks will then be handed to the Planning Commission by 31 March.

In the run-up to the formulation of a new Privacy Bill in India, an All India Privacy Symposium was held on 4 February to discuss aspects of privacy in the context of transparency, national security and internet banking. One of the most vociferous oppositions to the idea of privacy becoming an enshrined right for individuals, has come from those who believe that national security is of paramount importance. “The notion that one has to choose between privacy and national security is a false dichotomy of choice… When the judiciary adjudicates between privacy and surveillance, privacy in almost all cases loses. Especially when the word terrorism is invoked,” said Oxblood Ruffin, a member of the Cult of the Dead Cow, an information security and publishing collective. Speaking at the conference Ruffin stressed on the idea that the State shouldn’t act as a “peeping Tom” but instead respect the “sovereignty of its people.”

One of the more stark examples, in recent years, of the State clamping down on individual rights, such as the right to privacy, on the pretext of national security, is the Patriot Act in America. The Patriot Act was passed in the United States of America in the immediate aftermath of the September 2001 attacks on the twin towers, and allowed the government to scrutinise everything from “suspicious” bank accounts to wire-tapping lines of communication. Menaka Guruswamy, a lawyer at the Supreme Court of India, believes that unlike America, India does not yet have a codified view on privacy. “Privacy is a vast, fragile, and an open space in the Indian justice system,” she told Tehelka.

Though India doesn’t have clearly defined laws dealing with the issue of privacy, it does have certain directives under which surveillance methods such as wire-tapping can be done. Wire-tapping, which is regulated under the Telegraph Act of 1885, saw a major overhaul in a 1996 Supreme Court judgment, which ruled that wire-taps are a "serious invasion of an individual's privacy." The Supreme Court (SC) recognised the fact that the right to privacy is an integral part of the fundamental right to life enshrined under Article 21 of the Constitution, and therefore laid down guidelines defining who can tap phones and under what circumstances. Only the Union Home Secretary, or his counterpart in the states, can issue an order for a tap, and the government is also required to show that the information sought cannot to be obtained through any other means. The SC mandated the development of a high-level committee to review the legality of each wire-tap.

“Interceptions and intrusions by the state have often gone on to help exonerate people who have been falsely accused, so I think it would be unfair to demonise wire-tapping in general. One does have to ensure though, that those who intercept exchanges do not exceed limits,” said a former chief of the Research and Analysis Wing (RAW).

Besides the dimension of privacy versus surveillance, another important aspect which comes under the scanner when privacy laws are discussed is Internet banking. Details of personal bank accounts and other highly sensitive information of individuals have been whizzing around the cyber space with the advent of E-banking. Everything from booking tickets for movies and flights, to transferring money between accounts is happening via computers, and is happening fast. This growing trend has sparked a major debate on how safe is our information on the web, and what can the government do to secure it? In May 2000, the government passed the Information Technology Act, which laid down a set of laws intended to provide a comprehensive regulatory environment for electronic commerce.

The Act also addressed computer crimes such as hacking, damage to computer source code, breach of confidentiality and viewing of pornography and created a Cyber Appellate Tribunal to oversee and adjudicate cyber crimes. However, at the same time, the legislation gave broad discretion to law enforcement authorities through several provisions, such as Section 69, allowing the interception of any information transmitted through a computer resource and mandates that users disclose encryption keys or face a jail sentence up to seven years. Section 80 of the Act allows deputy superintendents of police to conduct searches and seize suspects in public spaces without a warrant.

“Confidentiality between banker and customer is the golden rule of traditional banking, but with the coming of E-banking, banks are using confidentiality as an excuse for not putting out data that shows how vulnerable they are to cyber crimes like hacking,” said N Vijayashankar, an E-business consultant, and a front runner in raising awareness about cyber laws in India. He said, “When framing privacy laws one has to ensure that banks are mandated to disclose data on breach of Internet security. That is the only way to ensure that banks take the necessary steps to secure customer information.” Malavika Jairam, a lawyer who focuses on technology and intellectual property, believes that allowing private participation in what should essentially be a sovereign State function is a dangerous path to tread on. “Tesco, a major retail chain in England, is now into E-banking… There are numerous examples of such private banking entities sharing customer information with insurance policy firms. These details are often used as markers for the kind of premium that will be set for a person,” Jairam said.

With the current pace of technological advancements fast thinning the line between individual privacy and public content, it remains to be seen what kind of privacy laws India will frame to keep up.

The original was published by Tehelka, Malavika Jayaram, a Fellow at CIS is quoted in it.

For more details visit https://cis-india.org/news/new-bill-to-decide-on-individual2019s-right-to-privacy

New Approaches to Information Privacy – Revisiting the Purpose Limitation Principle

amber — 2016-11-09T13:54:28Z

Article on Aadhaar throwing light on privacy and data protection.

This was published in Digital Policy Portal on July 13, 2016.

Introduction

Last year, Mukul Rohatgi, the Attorney General of India, called into question existing jurisprudence of the last 50 years on the constitutional validity of the right to privacy.¹ Mohatgi was rebutting the arguments on privacy made against Aadhaar, the unique identity project initiated and implemented in the country without any legislative mandate.² The question of the right to privacy becomes all the more relevant in the context of events over the last few years—among them, the significant rise in data collection by the state through various e-governance schemes,³ systematic access to personal data by various wings of the state through a host of surveillance and law enforcement initiatives launched in the last decade,⁴ the multifold increase in the number of Indians online, and the ubiquitous collection of personal data by private parties.⁵

These developments have led to a call for a comprehensive privacy legislation in India and the adoption of the National Privacy Principles as laid down by the Expert Committee led by Justice AP Shah.⁶ There are privacy-protection legislation currently in place such as the Information Technology Act, 2000 (IT Act), which was enacted to govern digital content and communication and provide legal recognition to electronic transactions. This legislation has provisions that can safeguard—and dilute—online privacy. At the heart of the data protection provisions in the IT Act lies section 43A and the rules framed under it, i.e., Reasonable security practices and procedures and sensitive personal data information.⁷Section 43A mandates that body corporates who receive, possess, store, deal, or handle any personal data to implement and maintain ‘reasonable security practices’, failing which, they are held liable to compensate those affected. Rules drafted under this provision also mandated a number of data protection obligations on corporations such the need to seek consent before collection, specifying the purposes of data collection, and restricting the use of data to such purposes only. There have been questions raised about the validity of the Section 43A Rules as they seek to do much more than mandate in the parent provisions, Section 43A— requiring entities to maintain reasonable security practices.

Privacy as control?

Even setting aside the issue of legal validity, the kind of data protection framework envisioned by Section 43A rules is proving to be outdated in the context of how data is now being collected and processed. The focus of Section 43 A Rules—as well as that of draft privacy legislations in India⁸—is based on the idea of individual control. Most apt is Alan Westin’s definition of privacy: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.”⁹ Westin and his followers rely on the normative idea of “informational self- determination”, the notion of a pure, disembodied, and atomistic self, capable of making rational and isolated choices in order to assert complete control over personal information. More and more this has proved to be a fiction especially in a networked society.

Much before the need for governance of information technologies had reached a critical mass in India, Western countries were already dealing with the implications of the use of these technologies on personal data. In 1973, the US Department of Health, Education and Welfare appointed a committee to address this issue, leading to a report called ‘Records, Computers and Rights of Citizens.’¹⁰ The Committee’s mandate was to “explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number.” The Report articulated five principles which were to be the basis of fair information practices: transparency; use limitation; access and correction; data quality; and security. Building upon these principles, the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) arrived at the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.¹¹ These principles— Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability—are what inform most data protection regulations today including the APEC Framework, the EU Data Protection Directive, and the Section 43A Rules and Justice AP Shah Principles in India.

Fred Cate describes the import of these privacy regimes as such:

“All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals’ expressed preferences”¹²

This is in line with Alan Westin’s idea of privacy exercised through individual control. Therefore the focus of these principles is on empowering the individuals to exercise choice, but not on protecting individuals from harmful or unnecessary practices of data collection and processing. The author of this article has earlier written¹³ about the sheer inefficacy of this framework which places the responsibility on individuals. Other scholars like Daniel Solove,¹⁴ Jonathan Obar¹⁵ and Fred Cate¹⁶ have also written about the failure of traditional data protection practices of notice and consent. While these essays dealt with the privacy principles of choice and informed consent, this paper will focus on the principles of purpose limitation.

Purpose Limitation and Impact of Big Data

The principles of purpose limitation or purpose specification seeks to ensure the following four objectives:

Personal information collected and processed should be adequate and relevant to the purposes for which they are processed.
The entities collect, process, disclose, make available, or otherwise use personal information only for the stated purposes.
In case of change in purpose, the data’s subject needs to be informed and their consent has to be obtained.
After personal information has been used in accordance with the identified purpose, it has to be destroyed as per the identified procedures.

The purpose limitation along with the data minimisation principle—which requires that no more data may be processed than is necessary for the stated purpose—aim to limit the use of data to what is agreed to by the data subject. These principles are in direct conflict with new technology which relies on ubiquitous collection and indiscriminate uses of data. The main import of Big Data technologies on the inherent value in data which can be harvested not by the primary purposes of data collection but through various secondary purposes which involve processing of the data repeatedly.¹⁷Further, instead to destroying the data when its purpose has been achieved, the intent is to retain as much data as possible for secondary uses. Importantly, as these secondary uses are of an inherently unanticipated nature, it becomes impossible to account for it at the stage of collection and providing the choice to the data subject.

Followers of the discourse on Big Data would be well aware of its potential impacts on privacy. De-identification techniques to protect the identities of individuals in dataset face a threat from an increase in the amount of data available either publicly or otherwise to a party seeking to reverse-engineer an anonymised dataset to re-identify individuals. ¹⁸ Further, Big Data analytics promise to find patterns and connections that can contribute to the knowledge available to the public to make decisions. What is also likely is that it will lead to revealing insights about people that they would have preferred to keep private.¹⁹In turn, as people become more aware of being constantly profiled by their actions, they will self-regulate and ‘discipline’ their behaviour. This can lead to a chilling effect.²⁰ Meanwhile, Big Data is also fuelling an industry that incentivises businesses to collect more data, as it has a high and growing monetary value. However, Big Data also promises a completely new kind of knowledge that can prove to be revolutionary in fields as diverse as medicine, disaster-management, governance, agriculture, transport, service delivery, and decision-making.²¹ As long as there is a sufficiently large and diverse amount of data, there could be invaluable insights locked in it, accessing which can provide solutions to a number of problems. In light of this, it is important to consider what kind of regulatory framework is most suitable which could facilitate some of the promised benefits of Big Data and at the same time mitigate its potential harm. This, coupled with the fact that the existing data protection principles have, by most accounts, run their course, makes the examination of alternative frameworks even more important. This article will examine some alternate proposals made to the existing framework of purpose limitation below.

Harms-based approach

Some scholars like Fred Cate²² and Daniel Solove²³ have argued that there is a need for the primary focus of data protection law to move from control at the stage of data collection to actual use cases. In his article on the failure of Fair Information Practice Principles,²⁴Cate puts forth a proposal for ‘Consumer Privacy Protection Principles.’ Cate envisions a more interventionist role of the data protection authorities by regulating information flows when required, in order to protect individuals from risky or harmful uses of information. Cate’s attempt is to extend the principles of consumer protection law of prevention and remedy of harms.

In a re-examination of the OECD Privacy Principles, Cate and Viktor Mayer Schöemberger attempt to discard the use of personal data to only purposes specified. They felt that restricting the use of personal to only specified purposes could significantly threaten various research and beneficial uses of Big Data. Instead of articulating a positive obligations of what personal data collected could be used for, they attempt to arrive at a negative obligation of use-cases prevented by law. Their working definition of the Use specification principle broaden the scope of use cases by only preventing use of data “if the use is fraudulent, unlawful, deceptive or discriminatory; society has deemed the use inappropriate through a standard of unfairness; the use is likely to cause unjustified harm to the individual; or the use is over the well-founded objection of the individual, unless necessary to serve an over-riding public interest, or unless required by law.”²⁵

While most standards in the above definition have established understanding in jurisprudence, the concept of unjustifiable harm is what we are interested in. Any theory of harms-based approach goes back to John Stuart Mill’s dictum that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. Therefore, any regulation that seeks to control or prevent autonomy of individuals (in this case, the ability of individuals to allow data collectors to use their personal data, and the ability of data collectors to do so, without any limitation) must clearly demonstrate the harm to the individuals in question.

Fred Cate articulates the following steps to identify tangible harm and respond to its presence:²⁶

Focus on Use — Actual use of the data should be considered, not mere possession. The assumption is that the collection, possession, or transfer of information do not significantly harm people, rather it is the use of information following such collection, possession, or transfer.
Proportionality — Any regulatory measure must be proportional to the likelihood and severity of the harm identified.
Per se Harmful Uses — Uses which are always harmful must be prohibited by law
Per se not Harmful Uses — If uses can be considered inherently not harmful, they should not be regulated.
Sensitive Uses — In case where the uses are not per se harmful or not harmful, individual consent must be sought for using that data for those purposes.

The proposal by Cate argues for what is called a ‘use based system’, which is extremely popular with American scholars. Under this system, data collection itself is not subject to restrictions; rather, only the use of data is regulated. This argument has great appeal for both businesses who can reduce their overheads significantly if consent obligations are done away with as long as they use the data in ways which are not harmful, as well as critics of the current data protection framework which relies on informed consent. Lokke Moerel explains the philosophy of ‘harms based approach’ or ‘use based system’ in United States by juxtaposing it against the ‘rights based approach’ in Europe.²⁷ In Europe, rights of individuals with regard to processing of their personal data is a fundamental human right and therefore, a precautionary principle is followed with much greater top-down control upon data collection. However, in the United States, there is a far greater reliance on market mechanisms and self-regulating organisations to check inappropriate processing activities, and government intervention is limited to cases where a clear harm is demonstrable.²⁸

Continuing research by the Centre for Information Policy Leadership under its Privacy Risk Framework Project looks at a system of articulating what harms and risks arising from use of collected data. They have arrived a matrix of threats and harms. Threats are categorised as —a) inappropriate use of personal information and b) personal information in the wrong hands. More importantly for our purposes, harms are divided into: a) tangible harms which are physical or economic in nature (bodily harm, loss of liberty, damage to earning power and economic interests); b) intangible harms which can be demonstrated (chilling effects, reputational harm, detriment from surveillance, discrimination and intrusion into private life); and c) societal harm (damage to democratic institutions and loss of social trust).²⁹For any harms-based system, a matrix like above needs to emerge clearly so that regulation can focus on mitigating practices leading to the harms.

Legitimate interests

Lokke Moerel and Corien Prins, in their article “Privacy for Homo Digitalis – Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”³⁰ use the ideal of responsive regulation which considers empirically observable practices and institutions while determining the regulation and enforcement required. They state that current data protection frameworks—which rely on mandating some principles of how data has to be processed—is exercised through merely procedural notification and consent requirements. Further, Moerel and Prins feel that data protection law cannot only involve a consideration of individual interest but also needs to take into account collective interest. Therefore, the test must be a broader assessment than merely the purpose limitation articulating the interests of the parties directly involved, but whether a legitimate interest is achieved.

Legitimate interest has been put forth as an alternative to the purpose limitation. Legitimate is not a new concept and has been a part of the EU Data Protection Directive and also finds a place in the new General Data Protection Regulation. Article 7 (f) of the EU Directive³¹ provided for legitimate interest balanced against the interests or fundamental rights and freedoms of the data subject as the last justifiable reason for use of data. Due to confusion in its interpretation, the Article 29 Working Party, in 2014,³²looked into the role of legitimate interest and arrived at the following factors to determine the presence of a legitimate interest— a) the status of the individual (employee, consumer, patient) and the controller (employer, company in a dominant position, healthcare service); b) the circumstances surrounding the data processing (contract relationship of data subject and processor); c) the legitimate expectations of the individual.

Federico Ferretti has criticised the legitimate interest principle as vague and ambiguous. The balancing of legitimate interest in using the data against fundamental rights and freedoms of the data subject gives the data controllers some degree of flexibility in determining whether data may be processed; however, this also reduces the legal certainty that data subject have of their data not being used for purposes they have not agreed to.³³However, it is this paper’s contention that it is not the intent of the legitimate interest criteria but the lack of consensus on its application which creates an ambiguity. Moerel and Prins articulate a test for using legitimate interest which is cognizant of the need to use data for the purpose of Big Data processing, as well as ensuring that the rights of data subjects are not harmed.

As demonstrated earlier, the processing of data and its underlying purposes have become exceedingly complex and the conventional tool to describe these processes ‘privacy notices’ are too lengthy, too complex and too profuse in numbers to have any meaningful impact.³⁴The idea of information self-determination, as contemplated by Westin in American jurisprudence, is not achieved under the current framework. Moerel and Prins recommend five factors³⁵ as relevant in determining the legitimate interest. Of the five, the following three are relevant to the present discussion:

Collective Interest — A cost-benefit analysis should be conducted, which examines the implications for privacy for the data subjects as well as the society, as a whole.
The nature of the data — Rather than having specific categories of data, the nature of data needs to be assessed contextually to determine legitimate interest.
Contractual relationship and consent not independent grounds — This test has two parts. First, in case of contractual relationship between data subject and data controller: the more specific the contractual relationship, the more restrictions apply to the use of the data. Second, consent does not function as a separate principle which, once satisfied, need not be revisited. The nature of the consent (opportunities made available to data subject, opt in/opt out, and others) will continue to play a role in determining legitimate interest.

Conclusion

Replacing the purpose limitation principles with a use-based system as articulated above poses the danger of allowing governments and the private sector to carry out indiscriminate data collection under the blanket guise that any and all data may be of some use in the future. The harms-based approach has many merits and there is a stark need for more use of risk assessments techniques and privacy impact assessments in data governance. However, it is important that it merely adds to the existing controls imposed at data collection, and not replace them in their entirety. On the other hand, the legitimate interests principle, especially as put forth by Moerel and Prins, is more cognizant of the different factors at play — the inefficacy of existing purpose limitation principles, the need for businesses to use data for purposes unidentified at the stage of collection, and the need to ensure that it is not misused for indiscriminate collection and purposes. However, it also poses a much heavier burden on data controllers to take into account various factors before determining legitimate interest. If legitimate interest has to emerge as a realistic alternative to purpose limitation, there needs to be greater clarity on how data controllers must apply this principle.

Endnotes

Prachi Shrivastava, “Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise,” Legally India, Jyly 23, 2015, http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise.
Rebecca Bowe, “Growing Mistrust of India’s Biometric ID Scheme,” Electronic Frontier Foundation, May 4, 2012, https://www.eff.org/deeplinks/2012/05/growing-mistrust-india-biometric-id-scheme.
Lisa Hayes, “Digital India’s Impact on Privacy: Aadhaar numbers, biometrics, and more,” Centre for Democracy and Technology, January 20, 2015, https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/.
“India’s Surveillance State,” Software Freedom Law Centre, http://sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india/.
“Internet Privacy in India,” Centre for Internet and Society, http://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india.
Vivek Pai, “Indian Government says it is still drafting privacy law, but doesn’t give timelines,” Medianama, May 4, 2016, http://www.medianama.com/2016/05/223-government-privacy-draft-policy/.
Information Technology (Intermediaries Guidelines) Rules, 2011,
http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.
Discussion Points for the Meeting to be taken by Home Secretary at 2:30 pm on 7-10-11 to discuss the drat Privacy Bill, http://cis-india.org/internet-governance/draft-bill-on-right-to-privacy.
Alan Westin, Privacy and Freedom (New York: Atheneum, 2015).
US Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, http://www.justice.gov/opcl/docs/rec-com-rights.pdf.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Fred Cate, “The Failure of Information Practice Principles,” in Consumer Protection in the Age of the Information Economy, ed. Jane K. Winn (Burlington: Aldershot, Hants, England, 2006) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972.
Amber Sinha and Scott Mason, “A Critique of Consent in Informational Privacy,” Centre for Internet and Society, January 11, 2016, http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy.
Daniel Solove, “Privacy self-management and consent dilemma,” Harvard Law Review 126, (2013): 1880.
Jonathan Obar, “Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management,” Big Data and Society 2(2), (2015), doi: 10.1177/2053951715608876.
Supra Note 12.
Supra Note 14.
Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006; Arvind Narayanan and Vitaly Shmatikov, “Robust De-anonymization of Large Sparse Datasets” available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
D. Hirsch, “That’s Unfair! Or is it? Big Data, Discrimination and the FTC’s Unfairness Authority,” Kentucky Law Journal, Vol. 103, available at: http://www.kentuckylawjournal.org/wp-content/uploads/2015/02/103KyLJ345.pdf
A Marthews and C Tucker, “Government Surveillance and Internet Search Behavior”, available at http://ssrn.com/abstract=2412564; Danah Boyd and Kate Crawford, “Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon”, Information, Communication & Society, Vol. 15, Issue 5, (2012).
Scott Mason, “Benefits and Harms of Big Data”, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/benefits-and-harms-of-big-data#_ftn37.
Cate, “The Failure of Information Practice Principles.”
Solove, “Privacy self-management and consent dilemma,” 1882.
Cate, “The Failure of Information Practice Principles.”
Fred Cate and Viktor Schoenberger, “Notice and Consent in a world of Big Data,” International Data Privacy Law 3(2), (2013): 69.
Solove, “Privacy self-management and consent dilemma,” 1883.
Lokke Moerel, “Netherlands: Big Data Protection: How To Make The Draft EU Regulation On Data Protection Future Proof”, Mondaq, March 11. 2014, http://www.mondaq.com/x/298416/data+protection/Big+Data+Protection+How+To+Make+The+Dra%20ft+EU+Regulation+On+Data+Protection+Future+Proof%20al%20Lecture.
Moerel, “Netherlands: Big Data Protection.”
Centre for Information Policy Leadership, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice,” Hunton and Williams LLP, June 19, 2014, https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf.
Lokke Moerel and Corien Prins, “Privacy for Homo Digitalis: Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”, Social Science Research Network, May 25, 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
EU Directive 95/46/EC – The Data Protection Directive, https://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm.
Article 29 Data Protection Working Party, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,” http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.
Frederico Ferretti, “Data protection and the legitimate interest of data controllers: Much ado about nothing or the winter of rights?,” Common Market Law Review 51(2014): 1-26. http://bura.brunel.ac.uk/bitstream/2438/9724/1/Fulltext.pdf.
Sinha and Mason, “A Critique of Consent in Informational Privacy.”
Moerel and Prins, “Privacy for Homo Digitalis.”

For more details visit https://cis-india.org/internet-governance/blog/digital-policy-portal-july-13-2016-new-approaches-to-information-privacy-revisiting-the-purpose-limitation-principle

New $1 Billion RIC Project Casts Doubts on Aadhaar

praskrishna — 2013-04-04T08:28:51Z

The Indian Government is going ahead with a new project dubbed RIC that will effectively undermine the existing UIDAI – Unique Identification Authority of India project and will cost a whopping $1 billion.

This was published in AEG India on March 16, 2013. Sunil Abraham is quoted.

The National Population Register and the Unique Identification Authority of India (UIDAI) are the two organizations which will capture the biometric details of the citizens and will develop the resident identity card (RIC) and create the unique identifier number (UID) popularly known as Aadhar number respectively.

Both the RIC and UID projects are designed to unify the distribution of social and welfare services to the citizens. Sunil Abraham, Executive Director of Centre for Internet and Society India, said that the ID number and the ID smartcard are both different and are not at all complementary as declared by the Indian Government previously.

The ID number and the ID smart card are two completely separate visions. They cannot be mixed up together to make some kind of salad which can be consumed partly, added Abraham.

He said that it was easy for the Indian government to proceed simultaneously with both the projects rather than cancelling the much criticized Aadhaar project.

Minister P. Karunakaran, on March 12 in the Lok Sabha, asked R.P.N. Singh, the Minister of State, to clarify the confusion over the proposed biometric identity card and the UID (Aadhaar number). The government has planned to spend more than US$1 billion to issue the Indian citizens a resident identity card (RIC) which will also feature the Aadhaar number as well.

For more details visit https://cis-india.org/news/aeg-india-march-16-2013-new-dollar-one-billion-ric-project-casts-doubts-on-aadhar