We are anonymous, we are legion

DIDP Request #14: Keeping track of ICANN’s contracted parties: Registrars

asvatha — 2016-07-28T16:34:27Z

In September 2016, we filed two separate DIDP requests regarding ICANN’s Contractual Compliance Goals.

The first one which we have written about here,[1] was regarding ICANN contracts with registries while the second one about registrars is briefed below. In our second request, we specifically asked for the following information:

Copies of the registrar contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014-2015).
A generic template of the notice served by ICANN before conducting such an audit.
A list of the registrars to whom such notices were served in the last year.
An account of the expenditure incurred by ICANN in carrying out the audit process.
A list of the registrars that did not respond to the notice within a reasonable period of time.
Reports of the site visits conducted by ICANN to ascertain compliance.
Documents which identify the registrars who had committed material discrepancies in the terms of the contract.
Documents pertaining to the actions taken in the event that there was found to be some form of contractual non-compliance.
A copy of the registrar self-assessment form which is to be submitted to ICANN.

The DIDP request filed by Padmini Baruah can be viewed here.

What ICANN said

Information pertinent to item 1 and 3 can be found in the 2014 Contractual Compliance Annual Report here:https://www.icann.org/en/system/files/files/annual-2014-13feb15-en.pdf. While this report contains detailed information regarding the audit, individual audit reports are subject to the DIDP Defined Conditions for Nondisclosure.

ICANN provided a link to all the communication templates used during the audit process, including the notice served by ICANN prior to conducting audits. (Item 2) It can be found here: https://www.icann.org/en/system/files/files/audit-communication-template-04dec15-en.pdf. As mentioned in an earlier blog post, ICANN set aside USD 0.6 million for the Three Year Audit plan.[2] (item 4)

According to the Audit FAQ on ICANN website,[3] “If a contracted party reaches the enforcement phase per process, ICANN will issue a notice of breach in which the outstanding issues are noted. The response links us to the ICANN webpage where these breach notices are listed: https://www.icann.org/compliance/notices#notices-2014. (Item 5) According to the link, 61 registrars received breach notices in 2014; a full explanation has been provided for each notice. (Item 7 and 8) Since no site visits were conducted, ICANN does not possess any document regarding this.

According to the ICANN website, “The 2013 Registrar Accreditation Agreement (RAA) requires ICANN-accredited registrars to complete an annual self-assessment and provide ICANN with a compliance certification by 20 January.”[4] The form for the same can be found here: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#compliance

ICANN’s response to our request can be found here.

[1] To be linked to the first post

[2] See FY15 budget (pg72): https://www.icann.org/en/system/files/files/adopted-opplan-budget-fy15-01dec14-en.pdf

[3] See Audit FAQ: https://www.icann.org/resources/pages/faqs-2012-10-31-en

[4] See CEO certification: https://www.icann.org/resources/pages/ceo-certification-2014-01-29-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-14-keeping-track-of-icann2019s-contracted-parties-registrars

DIDP Request #13: Keeping track of ICANN’s contracted parties: Registries

asvatha — 2016-07-28T15:40:01Z

On multiple occasions, Fadi Chehade, then President and CEO of ICANN has emphasized the importance of conducting audits (internal and external) to ensure compliance of ICANN’s contracted parties. At a US congressional hearing, he spoke about the contract monitoring function of ICANN.

In September 2015, we filed two separate DIDP requests regarding ICANN’s Contractual Compliance Goals. The first one, briefed below, is regarding the contracts with registries and the second one is regarding ICANN contracts with registrars. This post contains some additional background information on the Contractual Compliance Goals at ICANN. In our first request, we specifically asked for the following information:

Copies of the registry contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014-2015).
A generic template of the notice served by ICANN before conducting such an audit.
A list of the registries to whom such notices were served in the last year.
An account of the expenditure incurred by ICANN in carrying out the audit process.
A list of the registries that did not respond to the notice within a reasonable period of time.
Reports of the site visits conducted by ICANN to ascertain compliance.
Documents which identifies the registry operators who had committed material discrepancies in the terms of the contract.
Documents pertaining to the actions taken in the event that there was found to be some form of contractual non-compliance.

The DIDP request filed by Padmini Baruah can be viewed here.

What ICANN said

ICANN’s Contractual Compliance Goal is to ensure that all the parties that ICANN has entered into a contract with complies with the stipulations of the contract. This is done in several ways, including Contractual Compliance complaints and Audits.[1]

In 2012, ICANN initiated the Three Year Audit plan where one-third of registries were selected each year for an audit. In 2014, the third set of registries were audited. In response to Item 1, information about the audit for 2014 can be found here: https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2014-03feb15-en.pdf. At this link, we can also find the list of registries that went through the audit process in 2014 (item 3). Monthly updates on overall contractual compliance can be found here: https://www.icann.org/resources/pages/update-2013-03-15-en.

ICANN linked us to all the communication templates used during the audit process, including the notice served by ICANN prior to conducting audits. (Item 2) It can be found here: https://www.icann.org/en/system/files/files/audit-communication-template-04dec15-en.pdf

In the operating plan and budget for FY15, ICANN sets aside USD 0.2 million for the New Registry Agreement Audit and USD 0.6 million for the Three Year Audit plan.[2]

Other documents to answer this question such as invoices from the external auditing firm are subject to non-disclosure under DIDP policies. Since all registries responded in a timely manner and no site visits were conducted, there are no documents to answer items 5 and 6.

The audit report linked above contains information on deficiencies identified during the audit. ICANN states that registries addressed these deficiencies during the remediation process. However, there is a caveat to this discussion. The names of the registries that are associated with these discrepancies remains confidential, subject to the DIDP Defined Conditions for Nondisclosure. (Item 7) ICANN goes on to state that it is not required to confirm if the registries have taken appropriate action and thus does not have any documents in response to item 8. While ICANN’s audit process seems thorough, does this last statement indicate a lack of enforcement mechanisms on ICANN’s part?

ICANN’s response to our request can be found here.

[1]. See Contractual Compliance website: https://www.icann.org/resources/pages/compliance-2012-02-25-en

[2]. See FY15 budget (pg72): https://www.icann.org/en/system/files/files/adopted-opplan-budget-fy15-01dec14-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-13-keeping-track-of-icann2019s-contracted-parties-registries

Facebook is censoring some posts on Indian Kashmir

praskrishna — 2016-07-28T03:03:53Z

Film makers, activists and journalists accused Facebook of blocking their accounts this week after they posted messages and images related to the violence in the trouble-torn province of Kashmir. In recent weeks, the India administered, Muslim-majority Kashmir state has been facing violence and curfews after protests erupted against the killing of a popular leader of a terrorist group.

The article by Rama Lakshmi was published by Washington Post on July 27. Sunil Abraham was quoted.

As people posted images, videos and stories about police violence and people injured by pellet wounds on Facebook, some discovered their accounts were disabled. On Monday, the account of Arif Ayaz Parrey, an editor with an environmental magazine in New Delhi, was disabled for more than a day. He administers the Facebook account of a discussion group called the Kashmir Solidarity Network, whose page was also removed.

“The Kashmir Solidarity page was started by a Kashmiri anthropology student in New York. This is not a hate forum, we share stories,” Parrey said. More than 47 people have died and hundreds injured in angry clashes between the police and protesters in Kashmir this month, the worst outbreak of bloody violence in six years in the region claimed by both India and neighboring Pakistan.

“Our Community Standards prohibit content that praises or supports terrorists, terrorist organizations or terrorism, and we remove it as soon as we’re made aware of it,” said a Facebook spokesman in India. “We welcome discussion on these subjects but any terrorist content has to be clearly put in a context which condemns these organizations or their violent activities.”India and the United States topped the list of governments that requestFacebook for details of accounts in the second half of 2015.

India has more than 340 million mobile Internet users and has the second largest number of Facebook users after the United States. The company is seeking to expand its footprint here by introducing a pared down version called “Free Basics.” But earlier this year, New Delhi shot it down, saying service providers cannot charge discriminatory prices for Internet users.

A journalist in Kashmir said that many who shared stories about a new band of militants and videos of police brutality have been blocked. “It looks more like Facebook censorship rather than something initiated by the government. Maybe they are trying to please the government proactively,” said Sunil Abraham, executive director of Center for Internet and Society. “Nevertheless it will have a chilling effect. You will think twice before exercising free speech on Facebook now.”

Ather Zia, a political commentator from Kashmir who teaches anthropology at the University of Northern Colorado, said after her account was disabled on Tuesday: "It is safe to assume creating awareness for Kashmir using social media or writing about the ground reality is under severe threat." Meanwhile, users struggled to restore their accounts on Wednesday as they uploaded new documents requested by the company.

“I use my Facebook account not as a personal page to tell people about my last haircut or last holiday. I use it for work, I share media stories about whatever bothers me in the universe,” said Sanjay Kak, a documentary film maker whose account was disabled Tuesday. “Nothing I shared can be considered inflammatory or incendiary.”

For more details visit https://cis-india.org/internet-governance/news/washington-post-july-27-2016-rama-lakshmi-facebook-is-censoring-some-posts-on-indian-kashmir

DIDP Request #9 - Exactly how involved is ICANN in the NETmundial Initiative?

asvatha — 2016-07-27T15:53:22Z

The importance and relevance of knowing ICANN’s involvement in the NETmundial Initiative cannot be overstated.

It was reported recently that ICANN contributed US$200,000 to the Initiative.[1] Following this report, we requested the details of all expenses incurred by ICANN for NMI till date. This includes formal contributions to NMI as well as costs incurred towards travel and accommodation of ICANN board and staff to meetings relevant to the NMI discussion.

Apart from these financial details, we also requested information regarding the number of staff working on NMI from ICANN and the hours clocked by them for the same. We further specified that we would like this information to gauge ICANN’s involvement beyond its technical mandate. The request filed by Geetha Hariharan can be found here.

What ICANN said

In its response, ICANN separated the questions in the request into two categories: a) Expenses incurred by ICANN towards the NETmundial Initiative and b) Other resources (personnel and hours) allocated to the Initiative by ICANN. The first category in the request includes: formal contribution to the NETmundial Initiative; travel costs of ICANN board and staff; and costs of maintenance of other sponsored parties. The second includes the number of staff involved in the NETmundial Initiative from ICANN and the number of hours spent working on it.

To answer both, the response directs us to the Memorandum of Collaboration (MOC)[2]signed by the Brazilian Internet Steering Committee (CGI.br), ICANN and the World Economic Forum (WEF) to set up the NETmundial Initiative according to the outcome document from the initial NETmundial meeting in Sao Paulo, Brazil.

Some of the important takeaways from the MOC that are relevant to our request are the following:

Each party to the MOC agrees to pay $201,667 towards operational expenses on signature of the agreement.
Total anticipated cost of the NETmundial Initiative is $605,000 (also mentioned in the response).
Each party will assign 1 staff member to the NETmundial Initiative secretariat during the inaugural period to smoothen the process. This staff member will commit at least 50% of their time towards Secretariat work.

This information is important but it does not provide a comprehensive answer to our query. It does not, for example, answer if ICANN contributed anything more than the $201,667 the MOC specifies. It also does not tell us if ICANN allotted any staff apart from the designated secretariat member to work on NETmundial Initiative.

Further, the response states that ICANN does not keep track of costs according to the number of hours or the topic but rather according to strategic objectives. Since ICANN is not required to create a document that does not already exist to answer a DIDP enquiry,[3] we have no way of knowing the specific amount of time or money spent on the NETmundial Initiative by ICANN. The response instead directs us to the financial presentation at ICANN50 where the costs of attending the NETmundial Meeting at Sao Paulo is detailed. While this is interesting (ICANN spent $1.5 million)[4] it is not a satisfactory answer to our question.

ICANN justifies its lack of direct answers by expressing that not only is the request “overbroad", it is also “subject to the following DIDP Condition of Nondisclosure: Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; and (iii) complying with which is not feasible.”[5]

ICANN's response to our DIDP request may be found here.

[1] See McCarthy, ‘I’m Begging You To Join’ – ICANN’s NETmundial Initiative gets desperate, THE REGISTER (12 December 2014), http://www.theregister.co.uk/2014/12/12/im begging you to join netmundial initiative gets d esperate/

[2] See MOC: https://www.netmundial.org/sites/default/files/MOC-%20CGI.br,%20ICANN%20&%20WEF.pdf

[3] See Disclosure Policy: https://www.icann.org/resources/pages/didp-2012-02-25-en

[4] See ICANN50 Finance Presentation (Pg 4): https://london50.icann.org/en/schedule/thu-finance/presentation-finance-26jun14-en

[5] See ICANN conditions for non-disclosure: https://www.icann.org/resources/pages/didp-2012-02-25-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-9-exactly-how-involved-is-icann-in-the-netmundial-initiative

DIDP Request #10 - ICANN does not know how much each RIR contributes to its Budget

asvatha — 2016-07-27T14:57:00Z

In an effort to understand the relationship between the Regional Internet Registries (RIRs) and ICANN, we requested current and historical information on the contract fees paid by the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) to ICANN annually.

We acknowledged that the independently audited financial reports on ICANN’s website list the total amount from all RIRs as a lump sum.[1] However, we specifically sought a breakdown of these fees detailing contributions made by each RIR from 1999 to 2014. Not only will this information help understand the RIR-ICANN relationship, it will also be relevant to the IANA transition.

The request filed by Protyush Choudhury can be found here.

What ICANN said

According to ICANN’s response to our request, the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) make a voluntary annual contribution to ICANN’s budget through the Number Resource Organization (NRO). [2] Since Financial Year 2000, this contribution has been made to ICANN as an aggregate amount without the kind of breakdown requested by us with the exception of FY03, FY04 and FY05. The breakdown of the contribution for those years is as below:

FY03: APNIC - $129,400; ARIN - $159,345; RIPE - $206,255
FY04: APNIC - $160,500; ARIN - $144,450; RIPE - $224,700; LACNIC - $5,350
FY05: APNIC - $220,976; ARIN - $218,507; RIPE - $358,086; LACNIC - $25,431

The response links back to the independent financial reports mentioned by us in the request. These reports can be found on the ICANN website here.

On closer examination of the audit reports of FY03, 04 and 05, it is clear that the information provided in their response is either incomplete or incorrect. According to KPMG’s audit report of FY03, the total contribution from Address Registries is US$535,000. The breakdown in the response adds up only to $494,600. The response does not account for the extra $40,400. If only APNIC, ARIN and RIPE contributed to ICANN in 2003, where did the other $40,400 come from? Moreover, why is it listed as an Address Registry Fee in the audit report if it was a voluntary contribution?[3]

The “Address Registry Fees” in the audit reports for FY04 and FY05 match the amounts in the response: $535,000 and $823,00 respectively. ICANN's response to our DIDP request may be found here.

For the reader’s reference, the audit reports for FY00 - FY14 are linked below:

[1] See audited financial reports: https://www.icann.org/resources/pages/governance/current-en

[2] See letter from NRO to ICANN: https://www.icann.org/en/system/files/files/akplogan-to-twomey-23mar09-en.pdf

[3]. See report for FY03 (pg 4): https://www.icann.org/en/system/files/files/financial-report-fye-30jun03-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-10-icann-does-not-know-how-much-each-rir-contributes-to-its-budget

Stand up for Digital Rights

praskrishna — 2016-07-25T15:29:41Z

The Centre for Internet & Society (CIS) invites you to a discussion on a set of Recommendations for Ethical Research, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The discussion is on coming Friday, July 29, 2016 at the Centre for Internet & Society's Delhi office from 3.00 p.m. to 5.00 p.m.

The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of Recommendations for Ethical Tech. This work is the culmination of a year-long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:

General Human Rights Responsibilities and Private Online Intermediaries
Expanding Access
Net Neutrality
Content Moderation
Privacy
Transparency and Informed Consent
Responding to State Interferences

We look forward to meeting you and making this a forum for knowledge exchange a success.

For more details visit https://cis-india.org/internet-governance/events/stand-up-for-digital-rights-1

One Pokémon to Rule Them All

nishant — 2016-07-25T01:16:04Z

America’s head start on the augmented reality game Pokémon Go shows that the interweb is not an egalitarian space.

The article was published in the Indian Express on July 17, 2016

I was busy, writing, when a Telegram message trickled in. It was a friend who asked me if I had looked at the new Pokémon Go game which has been getting more attention than national elections and global warfare in the USA lately. A location-based augmented reality game that involves the users moving around their physical environments “collecting” pokemon characters that appear hiding in different locations has a large part of the American population in a frenzy, leading to aching soles, traffic accidents, and involuntary bumping into things and people as the players move around, their eyes glued to their screens. The global release of the game is still in the pipeline, and so the rest of us will have to make do with the videos and screen grabs of the game.

While a big Pikachu fan myself, I don’t see myself going crazy over this game as and when my geography allows me for it, but the friend who had written to me about it is perturbed. An avid gamer and a self-proclaimed Pokémon fan, he is devastated that the users in privileged geography are going to get a head start in the global leader boards that he can never catch up with. The interwebz is already abuzz with players sharing hacks, cracks, bugs, cheat codes, and tips to collect more Pokémon, discover hidden powers, and rise quickly in the ranks as they drive, walk, run and jog around their neighbourhoods, in the quest of catching those delightful monsters on their phones. While my friend is aware that this cloud-based game will have multiple servers for different geographies, and so there will be relative rankings and customised interfaces for each community of players, he was feeling cheated about living in India and not having access to the first release of the game that has all the attention on the social web right now.

‘It almost makes me want to leave India and move to the USA,’ he said in mock frustration. It made me think about the privilege of geography when it comes to the presumed flatness of the digital world. One of the imaginations of the peer-to-peer architectures of the internet is its promise of flatness. With a series of non-discriminatory principles like #NetNeutrality and #ZeroRating enshrined as the fundamental attributes of the digital internet, we are often led to believe that when we are online, we are equal. This idea is so prevalent that in most of our technology-based development practices and policies, we think of access as the “be all”, if not the “end all”, of our activities. The rhetoric promises that if we get everybody online, we will have an egalitarian society where everybody will have equal access to resources, and equity by participating in the decision-making processes.

Despite overwhelming evidence that the digital world is anecdotally and systemically a space of exclusion, contestation, and intimidation, we continue to propagate the idea that these are “human” problems. Humans, fragile, frail and foolish in their being, contaminate the digital space. Humans, mired in the analogue systems of hatred and abuse, appropriate technologies to perpetuate these older forms of discrimination. The technological structures are imagined as pure, sterile, and committed to constructing parameters of equality through their neutral promises of universal access and seamless connectivity. Technology is clean, the human being is impure. Technology is robust, the human frail. Technology is flat, human hierarchical. These narratives of a neutral and egalitarian technology consequently lead us to put more importance and faith in algorithmic decisions and data-driven governance and policing. We have come to believe that because technologies are neutral, they will do a better job of regulating us than we do ourselves.

Pokémon Go, and its obvious geographical privilege reminds us that the digital is not flat. It is oriented towards a very obvious logic of geopolitical, economic, racial, and identity privileging that continues to promote some parts of the world as favoured standards of first access. The exclusive release of Pokémon Go reminds us that the digital is as subject to Euro-American centrism which treat these erstwhile imperial geographies as the beginning points of all digital activities, slowly expanding their fold to other regions through a trickle-down politics and economics. Whether you are waiting impatiently to join the global bandwagon of Pokémon collection, or are ready to shrug this off as another thing that people do on the web, this differential, preferential, and variable access of the internet is something we definitely want to consider as we continue to push for the digital as the solution to human problems.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-july-17-2016-one-pokemon-to-rule-them-all

The Gay Pride Charade

nishant — 2016-07-25T01:10:28Z

For most of the milllenials, news is formed by trends, what goes viral, and often open to speculation, projection, manipulation and deceit.

The article was published in Indian Express on July 3, 2016.

The world of social media can be a minefield of misinformation, and it does get difficult to verify facts and ensure the veracity of the information that comes to us on the winged notifications of our apps. This becomes starkly clear in times of crises. Hence, when the historic and heinous shootout at a gay night club in Orlando, USA, shook the world with horror and grief a couple of weeks ago, when the first tweets appeared on my timeline, my initial reaction was denial. Instead of believing those first responders, I was already searching for more credible news lines that could confirm — or hopefully deny — the massacre. It took only a few minutes, though, to realise that #StandWithOrlando was a reality that we will have to accommodate in the story of continued violence and abuse of sexual minorities around the world.

However, not all deception is bad. One of the most fantastic responses to the shoot-out was from a Quebec-based satirical website called JournalDemourreal.com that published a photoshopped image showing the Canadian PM Justin Trudeau kissing the leader of the Canadian opposition party Tom Mulcair, with a headline that the two, despite their differences, are “united against homophobia”. I know that I liked this fake story four times on different newsfeeds, half-believing, half-wishing that it was true, before I realised that it is a hoax. Morphed as it might be, the doctored image enabled people to talk about the tragedy as demanding a personal and a policy-level action, ranging from acceptance and freedom, to control of guns and protecting the rights of life and dignity for the sexual minorities who continue to remain persecuted in the world.

The image also allowed many queer people in different parts of the world — especially in the countries where homosexuality continues to be criminalised and severely punished — to participate not only in the global grief but also to demand that their governments take more responsibility towards its queer population.

While this photoshopped picture was making the rounds, another tweet showed up on my timeline. This time it was a tweet from our media-savvy PM, Narendra Modi, who claimed that he was “shocked at the shootout in Orlando.”And further added that his “thoughts and prayers are with the bereaved families and the injured”. When I saw this tweet, my reaction again, was that this must be another joke. Because even as queer rights activists in the country struggle to fight for the decriminalisation of homosexuality, through their curative petitions in the Supreme Court in India, PM Modi’s government has continued its hateful diatribe against queer people in the country. His party has called homosexuality “anti-Indian” and “anti-family”. The party’s favourite, Baba Ramdev, continues his hate speech, offering to cure homosexuality through yoga.

Ever since the current government took power, documented hate crimes against queer people have more than doubled in the country. So when the PM decided to offer his condolences to those in Orlando, I figured that either it was a fake Twitter account masquerading as the PM or it was some kind of a hacker troll — maybe Anonymous, the online guerrilla activists, who recently took over ISIS- friendly websites and filled them up with information about male homosexuality as a response to the shoot-out — had taken control of the Twitter account. But it turned out that this piece of information was not photoshopped or hacked. It was actually true, and we were to believe in earnest that while the government doesn’t care about the millions of queer people being denied their rights to live and love in their country, it is heartbroken about what happened in the USA.

It does make you wonder about the world we live in, where a photoshopped image sounded more plausible than an undoctored tweet. It emphasises why Orlando cannot be treated as one isolated instance in another country, but that #WeAreOrlando. For right now, Orlando is also in India. It is a reminder that while we have been fortunate not to have such an instance of dramatic violence, there are millions of people in the country who are forced to live and die in deception for their sexual orientation.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-july-3-2016-gay-pride-charade

Belling the trolls

praskrishna — 2016-07-24T16:44:18Z

Online abuse - specially against women - is like one of those rapidly-mutating viruses that resists all antibodies.

The article by Bishakha Datta was published in India Today on July 13, 2016. Rohini Lakshane was quoted.

We have always known that the proof of the pudding lies in the eating. And the pleasure with which it is savoured. This month, we saw its online avatar. Barely had Maneka Gandhi launched the Twitter hashtag #IAmTrolledHelp than the trolls were all over it. Trolling with all their might. Abusing both Gandhi and textile minister Smriti Irani, thereby proving her point: that something needs to be done about the unending stream of online abuse that women face every day.

Online abuse - specially against women - is like one of those rapidly-mutating viruses that resists all antibodies. It's everywhere, in many different forms. I'm not talking about the everyday sexism that's our daily bread. That we deal with. I'm not talking about androcentrism, or the assumption that men, and male experience, are at the centre of the universe. That we live with, constantly rolling our eyes in our heads.

I'm talking rape threats. Gang rape threats. Graphic gang rape threats with vivid descriptions of postures. Death threats. Those, in my view, are not free speech. They are a call to arms, incitement to violence. Especially when it's an invisible cyber-army behind the threats, backing each other up, preying on a woman. Wilding. Trying to break her. Trying to humiliate her. Trying to get her to shut up, out of the misplaced notion that only men have the right to air their thoughts and opinions online. In a public space.

In one of her essays, Egyptian writer Fatima Mernissi introduces the concept of 'trespassing in the nude' to explain how men in Morocco think of public spaces-as a men-only zone. Social norms dictate that Moroccan women not seek to be part of public space; women who break that rule are seen to be trespassing. But women who dare to step into public spaces without their veils-that's even worse. That's trespassing in the nude. And trespassing, of course, demands punishment.

On the internet, women who speak out are seen as trespassers. And women who speak about things men consider their preserve are seen to doubly trespass. Or trespass in the nude. As British writer Laurie Penny famously said, "A woman's opinion is the short skirt of the internet." It is an excuse to harass.

The women on Morocco's streets were punished by stoning, as are the women who loiter on the streets of the internet. Online abuse is as good as stoning someone who has an opinion with words. When journalist Swati Chaturvedi got massively harassed last year, she wrote about her experience: "Journalists, specially women, are hunted for sport, abused, slandered and hounded by trolls who hunt in hyena-like packs. The problem is that you have an opinion and are behaving like a journalist, not a cheerleader."

Little wonder than that Chaturvedi, like many other women online, have welcomed Gandhi's initiative to curb online abuse. As do I. I'm writing this in the middle of conducting a digital security workshop. At lunch, one of the participants described how she can't bear to be on her company's social media feed for more than an hour each morning. It's just an endless stream of filth. And something needs to be done about this filth if we want a #SwachhBharat.

Many women have tried ignoring online abuse. It continues. Others have tried fighting back. It continues. Some have tried humour, including the Peng Collective's brilliant Zero Trollerance campaign. The trolls march on, undeterred, like Tolkien's orcs. Of course, it's important to distinguish between trolling and abuse, but sometimes when you're facing the shitstream, there's just so much semantic jugglery you can take. No matter what you call it, you just want it off.

And that's where Gandhi's initiative makes sense, as one more pathway to a #SwachhBharat, since we now live both on and offline. But one that'll work only if she can take on her party's trolls. Who are now trolling her too. Yes, cybercells and cops do exist, but that route doesn't always work. Social media platforms make promises to their users, but they are rarely kept. "Not a single tweet that I've ever reported has been taken down," says Rohini Lakshane of the Centre for Internet and Society, who's helping us with our digital security workshop.

This is not only about safety. It's about digital citizenship. Women are neither interlopers nor outsiders online. We belong there just as we belong here. We intend to loiter online full-throated. We're not content with a purely offline #SwachhBharat that cleans rivers and ponds. We want online #SwachhStreams too.

For more details visit https://cis-india.org/internet-governance/news/india-today-july-13-2016-bisakha-datta-belling-the-trolls

Perumal Murugan and the Law on Obscenity

Japreet Grewal — 2016-08-09T13:01:03Z

On July 5, 2016, the Madras High Court saved Perumal Murugan’s novel, Mathorubhagan from oblivion when it dismissed the claims against Murugan on the grounds of obscenity, spreading disharmony between communities, blasphemy, and defamation and upheld his freedom of expression in S. Tamilselvan & Perumal Murugan versus Government of Tamil Nadu. This judgment has received wide appreciation for its support for freedom of expression. What made it applause-worthy? Do we have reservations with the view of the High Court?

Murugan’s book is about a married couple, Kali and Ponna, who fail to have a child despite decades of their marriage. They succumb to social and familial pressures to allow Ponna (the wife) to participate in a sexual orgy (unrestrained sexual encounter involving many people) at a religious festival (the Vaikasi Car Festival) that takes place in Arthanareeswarar Temple, for begetting a child. The local community claimed that in the book, Murugan denigrated the Arthanareeswarar Temple, the deity, Lord Arthanareeswarar, festivities relating to Vaikasi Car Festival and the women of the Kongu Vellala Gounder community. Some sections of the community believed that the facts in the story were not true and found that the sexual mores associated with the community in the book were offensive.

The Court was required to evaluate, whether the novel was obscene (Section 292 of Indian Penal Code, 1860 (IPC)), offensive to the community (Section 153A of IPC) and the religion (Section 295 of IPC); and whether the State had the responsibility to protect the writer from mob violence on account of his controversial book. The Court held that the book was neither offensive nor did it hurt community or religious sentiments. The Court also held that the State had a positive obligation to protect Murugan against the mob. It would be useful to look at the analysis of the Court in drawing these conclusions and see if we completely agree with it.

The Court relied on the standard for determining obscenity in Aveek Sarkar v. State of West Bengal wherein, it was held that what is lascivious/appealing to the prurient interest/depraved or corrupt has to be tested using the contemporary ‘community standards. The Court was of the view that the novel was not offensive by the current mores (para 150 and 151). The Court further relied on MF Hussain v. Rajkumar Pandey, (also decided by Justice Sanjay Kishan Kaul) wherein it was held, that while evaluating obscenity in a work, “the judge has to place himself in the position of the author in order to appreciate what the author really wishes to convey and thereafter, placing himself in the position of the reader in every age group in whose hand the book is likely to fall, arrive at a dispassionate conclusion.”It is necessary to mention here that the community standards test has been criticised by scholars, worldwide, as it is difficult to divorce subjective morality of an individual and ascertain what those standards are. This indeterminacy interferes with the ability of judges to apply these standards. There is established scholarship that says that judges cannot divorce themselves from their subjectivities while evaluating obscenity in work of art or literature and may often reinforce the moral norms of the majority in the society thus crushing the moral standards of the minority. In India, we have a mixed bag of judgments that address the issue of obscenity. Seeing the difficulty in application of the community standards test, it is noteworthy that the ultimate fate of a book, painting or a film is dependent on the morality of an individual judge. In fact, the Court had asked a pertinent question in the judgment, “Would it be desirable for the Courts to intervene or should it be left to the readers to learn for themselves what they think and feel of the issue in question?” (para 136) However, it eventually reinforced these standards by applying the existing precedents on obscenity. The Court added thatunder Section 292, it was required to first prove whether the novel was obscene at all and only if it was found to be obscene it should be tested within the parameters of exceptionsit would fall under. The Court found that the novel was not obscene. There was no need to evaluate its social character to save it from a ban. While drawing this conclusion, the Court stated that, “sex, per se, was not treated as undesirable, but was an integral part right from the existence of civilization” (para 149) and that “in our society, we seem to be more bogged down by conservative Victorian philosophy rather than draw inspiration from our own literature and scriptures.”The Court also said, “there are different kinds of books available on the shelves of book stores to be read by different age groups from different strata. If you do not like a book, simply close it.”(para 148) While this reflects a progressive view of the judges on sexual morality, we have reservations on court’s reliance on ancient literature to justify why sex and its depiction in art or literature is not obscene.
We appreciate the observations that the Court has made while determining whether the novel hurt community or religious sentiments. The Court has acknowledged the declining tolerance level of the society (para 154) and stated that “any contra view or social thinking is met at times with threats or violent behaviour” (para 142).
The Court addressed the issue of harassment of writers and artists at the hands of a mob and held that there should “be a presumption in favour of free speech and expression as envisaged under Article 19(1)(a) of the Constitution of India” and emphasized the need for the State to protect those who suffer from hostility of several sections of a society as a consequence of holding a different view (para 175).Citing MF Hussain v. Rajkumar Pandey, the Court said “freedom of speech has no meaning if there is no freedom after speech.”The Court has identified the problematic sphere of mob violence and how it affects freedom of expression. However, we do not agree with what the Court held subsequently.

Reproducing an extract of the judgment here, “There is bound to be a presumption in favour of free speech and expression as envisaged under Article 19(1)(a) of the Constitution of India unless a court of law finds it otherwise as falling within the domain of a reasonable restriction under Article 19(2) of the Constitution of India.” (para 184) The words, “unless a court of law finds it otherwise as falling within the domain of a reasonable restriction under Article 19(2) of the Constitution of India.” indicate that the judiciary has the power to determine whether a certain type of speech could be restricted under Article 19 (2) of the Constitution of India. This understanding is incorrect. The language of Article 19 (2) makes it clear that speech could only be restricted by ‘law’ and judiciary cannot assume the authority to restrict speech. It has the authority to decide the applicability and the constitutionality of the law that restricts speech. The relevant part of Article 19 (2) is reproduced below for reference. “(2) Nothing in sub clause (a) of clause ( 1 ) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right….” The Court further acknowledged that “the State and the police authorities would not be the best ones to judge such literary and cultural issues, which are best left to the wisdom of the specialists in the field and thereafter, if need be, the Courts” (para 181). The Court thus issued directions to the Government to constitute an expert body to deal with situations arising from such conflicts of views so that an independent opinion is forthcoming, keeping in mind the law evolved by the judiciary(para 181). There are concerns with this mandate of the Court; firstly, constituting an expert body to resolve conflict of views will not serve any purpose unless there are guidelines to evaluate work. It is difficult to dissociate subjectivity and ascertain objective standards for evaluating offensiveness of literary or artistic work. Secondly, reliance on expert opinion and then courts completely disregards existing law. Under Section 95 of the Code of Criminal Procedure,1973, the Government has the power to declare forfeiture of works which, it considers in violation of section 153A or section 153B or section 292 or section 293 or section 295A of the Indian Penal Code, 1860. The power to evaluate a piece of writing or other work has already been given to the government. The Court has created a parallel mechanism for evaluation by giving directions to constitute an expert panel. In the event this mechanism fails to resolve the conflict, it is suggested that courts would then be approached to address the matter. This is in complete disregard of the powers of the Government under Section 95.

In the Murugan judgment, the Court has attempted to provide a narrow interpretation of what is considered obscene, emphasized the need for the society to be more tolerant and for State to protect those members of the society who, on account of their views, suffer at the hands of an intolerant society. It is for these reasons, the judgment is, undoubtedly a sound precedent for protection of speech in India. However, it is concerning to see that in drawing these conclusions, the Court has reinforced vague legal standards of obscenity and in that regard, it remains yet another addition to the mixed bag of judgments.

For more details visit https://cis-india.org/internet-governance/perumal-murugan-and-the-law-on-obscenity

Meeting on Net Neutrality and Related Issues

praskrishna — 2016-08-02T15:56:10Z

A meeting was convened by the Telecom Regulatory Authority of India on July 15, 2016 in New Delhi to discuss Net Neutrality and related issues. Sunil Abraham attended this meeting.

Click to view the Invitation Letter sent by the Telecom Regulatory Authority of India.

For more details visit https://cis-india.org/internet-governance/news/meeting-on-net-neutrality-and-related-issues

New Approaches to Information Privacy – Revisiting the Purpose Limitation Principle

amber — 2016-11-09T13:54:28Z

Article on Aadhaar throwing light on privacy and data protection.

This was published in Digital Policy Portal on July 13, 2016.

Introduction

Last year, Mukul Rohatgi, the Attorney General of India, called into question existing jurisprudence of the last 50 years on the constitutional validity of the right to privacy.¹ Mohatgi was rebutting the arguments on privacy made against Aadhaar, the unique identity project initiated and implemented in the country without any legislative mandate.² The question of the right to privacy becomes all the more relevant in the context of events over the last few years—among them, the significant rise in data collection by the state through various e-governance schemes,³ systematic access to personal data by various wings of the state through a host of surveillance and law enforcement initiatives launched in the last decade,⁴ the multifold increase in the number of Indians online, and the ubiquitous collection of personal data by private parties.⁵

These developments have led to a call for a comprehensive privacy legislation in India and the adoption of the National Privacy Principles as laid down by the Expert Committee led by Justice AP Shah.⁶ There are privacy-protection legislation currently in place such as the Information Technology Act, 2000 (IT Act), which was enacted to govern digital content and communication and provide legal recognition to electronic transactions. This legislation has provisions that can safeguard—and dilute—online privacy. At the heart of the data protection provisions in the IT Act lies section 43A and the rules framed under it, i.e., Reasonable security practices and procedures and sensitive personal data information.⁷Section 43A mandates that body corporates who receive, possess, store, deal, or handle any personal data to implement and maintain ‘reasonable security practices’, failing which, they are held liable to compensate those affected. Rules drafted under this provision also mandated a number of data protection obligations on corporations such the need to seek consent before collection, specifying the purposes of data collection, and restricting the use of data to such purposes only. There have been questions raised about the validity of the Section 43A Rules as they seek to do much more than mandate in the parent provisions, Section 43A— requiring entities to maintain reasonable security practices.

Privacy as control?

Even setting aside the issue of legal validity, the kind of data protection framework envisioned by Section 43A rules is proving to be outdated in the context of how data is now being collected and processed. The focus of Section 43 A Rules—as well as that of draft privacy legislations in India⁸—is based on the idea of individual control. Most apt is Alan Westin’s definition of privacy: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.”⁹ Westin and his followers rely on the normative idea of “informational self- determination”, the notion of a pure, disembodied, and atomistic self, capable of making rational and isolated choices in order to assert complete control over personal information. More and more this has proved to be a fiction especially in a networked society.

Much before the need for governance of information technologies had reached a critical mass in India, Western countries were already dealing with the implications of the use of these technologies on personal data. In 1973, the US Department of Health, Education and Welfare appointed a committee to address this issue, leading to a report called ‘Records, Computers and Rights of Citizens.’¹⁰ The Committee’s mandate was to “explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number.” The Report articulated five principles which were to be the basis of fair information practices: transparency; use limitation; access and correction; data quality; and security. Building upon these principles, the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) arrived at the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.¹¹ These principles— Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability—are what inform most data protection regulations today including the APEC Framework, the EU Data Protection Directive, and the Section 43A Rules and Justice AP Shah Principles in India.

Fred Cate describes the import of these privacy regimes as such:

“All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals’ expressed preferences”¹²

This is in line with Alan Westin’s idea of privacy exercised through individual control. Therefore the focus of these principles is on empowering the individuals to exercise choice, but not on protecting individuals from harmful or unnecessary practices of data collection and processing. The author of this article has earlier written¹³ about the sheer inefficacy of this framework which places the responsibility on individuals. Other scholars like Daniel Solove,¹⁴ Jonathan Obar¹⁵ and Fred Cate¹⁶ have also written about the failure of traditional data protection practices of notice and consent. While these essays dealt with the privacy principles of choice and informed consent, this paper will focus on the principles of purpose limitation.

Purpose Limitation and Impact of Big Data

The principles of purpose limitation or purpose specification seeks to ensure the following four objectives:

Personal information collected and processed should be adequate and relevant to the purposes for which they are processed.
The entities collect, process, disclose, make available, or otherwise use personal information only for the stated purposes.
In case of change in purpose, the data’s subject needs to be informed and their consent has to be obtained.
After personal information has been used in accordance with the identified purpose, it has to be destroyed as per the identified procedures.

The purpose limitation along with the data minimisation principle—which requires that no more data may be processed than is necessary for the stated purpose—aim to limit the use of data to what is agreed to by the data subject. These principles are in direct conflict with new technology which relies on ubiquitous collection and indiscriminate uses of data. The main import of Big Data technologies on the inherent value in data which can be harvested not by the primary purposes of data collection but through various secondary purposes which involve processing of the data repeatedly.¹⁷Further, instead to destroying the data when its purpose has been achieved, the intent is to retain as much data as possible for secondary uses. Importantly, as these secondary uses are of an inherently unanticipated nature, it becomes impossible to account for it at the stage of collection and providing the choice to the data subject.

Followers of the discourse on Big Data would be well aware of its potential impacts on privacy. De-identification techniques to protect the identities of individuals in dataset face a threat from an increase in the amount of data available either publicly or otherwise to a party seeking to reverse-engineer an anonymised dataset to re-identify individuals. ¹⁸ Further, Big Data analytics promise to find patterns and connections that can contribute to the knowledge available to the public to make decisions. What is also likely is that it will lead to revealing insights about people that they would have preferred to keep private.¹⁹In turn, as people become more aware of being constantly profiled by their actions, they will self-regulate and ‘discipline’ their behaviour. This can lead to a chilling effect.²⁰ Meanwhile, Big Data is also fuelling an industry that incentivises businesses to collect more data, as it has a high and growing monetary value. However, Big Data also promises a completely new kind of knowledge that can prove to be revolutionary in fields as diverse as medicine, disaster-management, governance, agriculture, transport, service delivery, and decision-making.²¹ As long as there is a sufficiently large and diverse amount of data, there could be invaluable insights locked in it, accessing which can provide solutions to a number of problems. In light of this, it is important to consider what kind of regulatory framework is most suitable which could facilitate some of the promised benefits of Big Data and at the same time mitigate its potential harm. This, coupled with the fact that the existing data protection principles have, by most accounts, run their course, makes the examination of alternative frameworks even more important. This article will examine some alternate proposals made to the existing framework of purpose limitation below.

Harms-based approach

Some scholars like Fred Cate²² and Daniel Solove²³ have argued that there is a need for the primary focus of data protection law to move from control at the stage of data collection to actual use cases. In his article on the failure of Fair Information Practice Principles,²⁴Cate puts forth a proposal for ‘Consumer Privacy Protection Principles.’ Cate envisions a more interventionist role of the data protection authorities by regulating information flows when required, in order to protect individuals from risky or harmful uses of information. Cate’s attempt is to extend the principles of consumer protection law of prevention and remedy of harms.

In a re-examination of the OECD Privacy Principles, Cate and Viktor Mayer Schöemberger attempt to discard the use of personal data to only purposes specified. They felt that restricting the use of personal to only specified purposes could significantly threaten various research and beneficial uses of Big Data. Instead of articulating a positive obligations of what personal data collected could be used for, they attempt to arrive at a negative obligation of use-cases prevented by law. Their working definition of the Use specification principle broaden the scope of use cases by only preventing use of data “if the use is fraudulent, unlawful, deceptive or discriminatory; society has deemed the use inappropriate through a standard of unfairness; the use is likely to cause unjustified harm to the individual; or the use is over the well-founded objection of the individual, unless necessary to serve an over-riding public interest, or unless required by law.”²⁵

While most standards in the above definition have established understanding in jurisprudence, the concept of unjustifiable harm is what we are interested in. Any theory of harms-based approach goes back to John Stuart Mill’s dictum that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. Therefore, any regulation that seeks to control or prevent autonomy of individuals (in this case, the ability of individuals to allow data collectors to use their personal data, and the ability of data collectors to do so, without any limitation) must clearly demonstrate the harm to the individuals in question.

Fred Cate articulates the following steps to identify tangible harm and respond to its presence:²⁶

Focus on Use — Actual use of the data should be considered, not mere possession. The assumption is that the collection, possession, or transfer of information do not significantly harm people, rather it is the use of information following such collection, possession, or transfer.
Proportionality — Any regulatory measure must be proportional to the likelihood and severity of the harm identified.
Per se Harmful Uses — Uses which are always harmful must be prohibited by law
Per se not Harmful Uses — If uses can be considered inherently not harmful, they should not be regulated.
Sensitive Uses — In case where the uses are not per se harmful or not harmful, individual consent must be sought for using that data for those purposes.

The proposal by Cate argues for what is called a ‘use based system’, which is extremely popular with American scholars. Under this system, data collection itself is not subject to restrictions; rather, only the use of data is regulated. This argument has great appeal for both businesses who can reduce their overheads significantly if consent obligations are done away with as long as they use the data in ways which are not harmful, as well as critics of the current data protection framework which relies on informed consent. Lokke Moerel explains the philosophy of ‘harms based approach’ or ‘use based system’ in United States by juxtaposing it against the ‘rights based approach’ in Europe.²⁷ In Europe, rights of individuals with regard to processing of their personal data is a fundamental human right and therefore, a precautionary principle is followed with much greater top-down control upon data collection. However, in the United States, there is a far greater reliance on market mechanisms and self-regulating organisations to check inappropriate processing activities, and government intervention is limited to cases where a clear harm is demonstrable.²⁸

Continuing research by the Centre for Information Policy Leadership under its Privacy Risk Framework Project looks at a system of articulating what harms and risks arising from use of collected data. They have arrived a matrix of threats and harms. Threats are categorised as —a) inappropriate use of personal information and b) personal information in the wrong hands. More importantly for our purposes, harms are divided into: a) tangible harms which are physical or economic in nature (bodily harm, loss of liberty, damage to earning power and economic interests); b) intangible harms which can be demonstrated (chilling effects, reputational harm, detriment from surveillance, discrimination and intrusion into private life); and c) societal harm (damage to democratic institutions and loss of social trust).²⁹For any harms-based system, a matrix like above needs to emerge clearly so that regulation can focus on mitigating practices leading to the harms.

Legitimate interests

Lokke Moerel and Corien Prins, in their article “Privacy for Homo Digitalis – Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”³⁰ use the ideal of responsive regulation which considers empirically observable practices and institutions while determining the regulation and enforcement required. They state that current data protection frameworks—which rely on mandating some principles of how data has to be processed—is exercised through merely procedural notification and consent requirements. Further, Moerel and Prins feel that data protection law cannot only involve a consideration of individual interest but also needs to take into account collective interest. Therefore, the test must be a broader assessment than merely the purpose limitation articulating the interests of the parties directly involved, but whether a legitimate interest is achieved.

Legitimate interest has been put forth as an alternative to the purpose limitation. Legitimate is not a new concept and has been a part of the EU Data Protection Directive and also finds a place in the new General Data Protection Regulation. Article 7 (f) of the EU Directive³¹ provided for legitimate interest balanced against the interests or fundamental rights and freedoms of the data subject as the last justifiable reason for use of data. Due to confusion in its interpretation, the Article 29 Working Party, in 2014,³²looked into the role of legitimate interest and arrived at the following factors to determine the presence of a legitimate interest— a) the status of the individual (employee, consumer, patient) and the controller (employer, company in a dominant position, healthcare service); b) the circumstances surrounding the data processing (contract relationship of data subject and processor); c) the legitimate expectations of the individual.

Federico Ferretti has criticised the legitimate interest principle as vague and ambiguous. The balancing of legitimate interest in using the data against fundamental rights and freedoms of the data subject gives the data controllers some degree of flexibility in determining whether data may be processed; however, this also reduces the legal certainty that data subject have of their data not being used for purposes they have not agreed to.³³However, it is this paper’s contention that it is not the intent of the legitimate interest criteria but the lack of consensus on its application which creates an ambiguity. Moerel and Prins articulate a test for using legitimate interest which is cognizant of the need to use data for the purpose of Big Data processing, as well as ensuring that the rights of data subjects are not harmed.

As demonstrated earlier, the processing of data and its underlying purposes have become exceedingly complex and the conventional tool to describe these processes ‘privacy notices’ are too lengthy, too complex and too profuse in numbers to have any meaningful impact.³⁴The idea of information self-determination, as contemplated by Westin in American jurisprudence, is not achieved under the current framework. Moerel and Prins recommend five factors³⁵ as relevant in determining the legitimate interest. Of the five, the following three are relevant to the present discussion:

Collective Interest — A cost-benefit analysis should be conducted, which examines the implications for privacy for the data subjects as well as the society, as a whole.
The nature of the data — Rather than having specific categories of data, the nature of data needs to be assessed contextually to determine legitimate interest.
Contractual relationship and consent not independent grounds — This test has two parts. First, in case of contractual relationship between data subject and data controller: the more specific the contractual relationship, the more restrictions apply to the use of the data. Second, consent does not function as a separate principle which, once satisfied, need not be revisited. The nature of the consent (opportunities made available to data subject, opt in/opt out, and others) will continue to play a role in determining legitimate interest.

Conclusion

Replacing the purpose limitation principles with a use-based system as articulated above poses the danger of allowing governments and the private sector to carry out indiscriminate data collection under the blanket guise that any and all data may be of some use in the future. The harms-based approach has many merits and there is a stark need for more use of risk assessments techniques and privacy impact assessments in data governance. However, it is important that it merely adds to the existing controls imposed at data collection, and not replace them in their entirety. On the other hand, the legitimate interests principle, especially as put forth by Moerel and Prins, is more cognizant of the different factors at play — the inefficacy of existing purpose limitation principles, the need for businesses to use data for purposes unidentified at the stage of collection, and the need to ensure that it is not misused for indiscriminate collection and purposes. However, it also poses a much heavier burden on data controllers to take into account various factors before determining legitimate interest. If legitimate interest has to emerge as a realistic alternative to purpose limitation, there needs to be greater clarity on how data controllers must apply this principle.

Endnotes

Prachi Shrivastava, “Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise,” Legally India, Jyly 23, 2015, http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise.
Rebecca Bowe, “Growing Mistrust of India’s Biometric ID Scheme,” Electronic Frontier Foundation, May 4, 2012, https://www.eff.org/deeplinks/2012/05/growing-mistrust-india-biometric-id-scheme.
Lisa Hayes, “Digital India’s Impact on Privacy: Aadhaar numbers, biometrics, and more,” Centre for Democracy and Technology, January 20, 2015, https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/.
“India’s Surveillance State,” Software Freedom Law Centre, http://sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india/.
“Internet Privacy in India,” Centre for Internet and Society, http://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india.
Vivek Pai, “Indian Government says it is still drafting privacy law, but doesn’t give timelines,” Medianama, May 4, 2016, http://www.medianama.com/2016/05/223-government-privacy-draft-policy/.
Information Technology (Intermediaries Guidelines) Rules, 2011,
http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.
Discussion Points for the Meeting to be taken by Home Secretary at 2:30 pm on 7-10-11 to discuss the drat Privacy Bill, http://cis-india.org/internet-governance/draft-bill-on-right-to-privacy.
Alan Westin, Privacy and Freedom (New York: Atheneum, 2015).
US Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, http://www.justice.gov/opcl/docs/rec-com-rights.pdf.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Fred Cate, “The Failure of Information Practice Principles,” in Consumer Protection in the Age of the Information Economy, ed. Jane K. Winn (Burlington: Aldershot, Hants, England, 2006) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972.
Amber Sinha and Scott Mason, “A Critique of Consent in Informational Privacy,” Centre for Internet and Society, January 11, 2016, http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy.
Daniel Solove, “Privacy self-management and consent dilemma,” Harvard Law Review 126, (2013): 1880.
Jonathan Obar, “Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management,” Big Data and Society 2(2), (2015), doi: 10.1177/2053951715608876.
Supra Note 12.
Supra Note 14.
Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006; Arvind Narayanan and Vitaly Shmatikov, “Robust De-anonymization of Large Sparse Datasets” available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
D. Hirsch, “That’s Unfair! Or is it? Big Data, Discrimination and the FTC’s Unfairness Authority,” Kentucky Law Journal, Vol. 103, available at: http://www.kentuckylawjournal.org/wp-content/uploads/2015/02/103KyLJ345.pdf
A Marthews and C Tucker, “Government Surveillance and Internet Search Behavior”, available at http://ssrn.com/abstract=2412564; Danah Boyd and Kate Crawford, “Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon”, Information, Communication & Society, Vol. 15, Issue 5, (2012).
Scott Mason, “Benefits and Harms of Big Data”, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/benefits-and-harms-of-big-data#_ftn37.
Cate, “The Failure of Information Practice Principles.”
Solove, “Privacy self-management and consent dilemma,” 1882.
Cate, “The Failure of Information Practice Principles.”
Fred Cate and Viktor Schoenberger, “Notice and Consent in a world of Big Data,” International Data Privacy Law 3(2), (2013): 69.
Solove, “Privacy self-management and consent dilemma,” 1883.
Lokke Moerel, “Netherlands: Big Data Protection: How To Make The Draft EU Regulation On Data Protection Future Proof”, Mondaq, March 11. 2014, http://www.mondaq.com/x/298416/data+protection/Big+Data+Protection+How+To+Make+The+Dra%20ft+EU+Regulation+On+Data+Protection+Future+Proof%20al%20Lecture.
Moerel, “Netherlands: Big Data Protection.”
Centre for Information Policy Leadership, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice,” Hunton and Williams LLP, June 19, 2014, https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf.
Lokke Moerel and Corien Prins, “Privacy for Homo Digitalis: Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”, Social Science Research Network, May 25, 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
EU Directive 95/46/EC – The Data Protection Directive, https://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm.
Article 29 Data Protection Working Party, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,” http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.
Frederico Ferretti, “Data protection and the legitimate interest of data controllers: Much ado about nothing or the winter of rights?,” Common Market Law Review 51(2014): 1-26. http://bura.brunel.ac.uk/bitstream/2438/9724/1/Fulltext.pdf.
Sinha and Mason, “A Critique of Consent in Informational Privacy.”
Moerel and Prins, “Privacy for Homo Digitalis.”

For more details visit https://cis-india.org/internet-governance/blog/digital-policy-portal-july-13-2016-new-approaches-to-information-privacy-revisiting-the-purpose-limitation-principle

No, India did NOT oppose the United Nations move to “make internet access a human right”

Pranesh Prakash and Japreet Grewal — 2016-07-13T16:09:31Z

Last Friday, the United Nations Human Rights Council (UNHRC) passed a resolution titled “The promotion, protection and enjoyment of human rights on the Internet.”

The article by Pranesh Prakash and Japreet Grewal was published in Factordaily on July 13, 2016.

Several media outlets, including T he Verge, India Today, and BuzzFeed, reported that the resolution was ‘opposed’ by China, Russia, Saudi Arabia, South Africa and India. The Verge, for instance, reported that these countries “specifically opposed” a clause of the resolution that “condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online and calls for all countries to refrain from such measures”. This is pure bunkum. Some media organisations have also been reporting that the UNHRC resolution “declares that access to the Internet is a human right”. This too is fiction.

What’s the truth? The UNHRC resolution covers wide ground, including the reaffirmations of two previous resolutions, which stated that the same rights that people have offline must also be protected online as well. As ARTICLE19, an international free speech NGO, notes: “The draft resolution goes further than its predecessors, including by stressing the importance of an accessible and open Internet to the achievement of the Sustainable Development Goals, as well as in calling for accountability for extrajudicial killings, arbitrary detentions and other violations against people for expressing themselves online.” Importantly, the resolution “unequivocally condemns” internet shutdowns, such as the one that happened in Kashmir just last week after security forces killed guerrilla Burhan Wani.

This resolution was, in fact, adopted without any opposition. So why the brouhaha over countries like India?

Here are the facts

There were four separate amendments, two of which were proposed by Belarus, China and Russia (referred as L85, L86 in this article) and the other two were proposed by Belarus, China, Russia and Iran (referred as L87 and L88). None of these amendments comment on the paragraph in the resolution that condemns intentional disruption of access or dissemination of internet services. So the headlines in most of the reports are just plain wrong. Let’s examine each of these four amendments one by one

In L85, an amendment was suggested to a paragraph that refers to past resolutions by the UNHRC and the UN General Assembly relating to freedom of expression and the right to privacy online. The amendment, which proposed including a reference to a previous UNHRC resolution on the rights of children online, was later withdrawn.

In L86 the proposed amendments both added and removed some text, and was hotly opposed by organisations like ARTICLE19. The proposed amendment said that the same rights people have offline must also be protected online, in particular, freedom of expression and the right to privacy, in accordance with articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR), a multilateral treaty adopted by the United National General Assembly to respect civil and political rights of individuals. Major additions: Some text on right to privacy and a reference to Article 17 of the ICCPR, which is about privacy. Major deletions: a reference to the Universal Declaration on Human Rights, and language stating that that freedom of expression is “applicable regardless of frontiers and through any media of one’s choice”, which is present in article 19 of the ICCPR. However, article 19 of the ICCPR is incorporated by reference even in the proposed amendment! So is there a real loss in purely legal terms? Not really.

The amendments in L87 sought to replace the term “human rights based approach” that stressed on the need to provide and expand access to the internet, and to replace it with the term “comprehensive and integrated approach.” The problem is that there is no clarity about what a “human rights based approach” to providing and expanding access to the internet is. What does it even mean? Is there a “human rights based approach” to spectrum auctions and spectrum sharing? Or the laying of fibre optic cables? Or anything else associated with internet access? If there is, indeed, a human rights based approach to providing and expanding access to the internet, it should be spelt out, rather than simply calling it that. Similarly, the term “comprehensive and integrated approach” is equally vague.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms.

Finally, in L88, the amendments proposed that the UN resolution should acknowledge concerns about using the internet and information technology for spreading ideas about “racial superiority or hatred, incitement to racial discrimination, xenophobia and related intolerance.” In the light of this, it is difficult to understand how adding concerns relating to hate speech to the resolution is seen as “being opposed” to online freedoms, especially when there is no direct action contemplated in the proposed amendment.

Indeed, in Paragraph 9, gender violence is mentioned, and in Paragraph 11, incitement to hatred is mentioned. Adding an additional, more specific reference can hardly be construed as being opposed to online freedoms. After all, states have a positive obligation to enact laws to prohibit hate speech under Article 20 (2) of the ICCPR, which is a centrepiece of international human rights law.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms. And factually, no states (including India, China, South Africa, Russia, and more) voted against the resolution.

A game of Chinese whispers

So why did so many prominent news organisations around the world get it so wrong? My theory is that it happened because organisation like ARTICLE19 put out press releases on what they perceived as the ‘weakening’ of the resolutions by the amendments examined above, and their regret that even democratic states like India and South Africa voted for these amendments. This was wrongly portrayed in much of the media as opposition by these countries to the resolution itself, to online freedoms, and particularly as opposition to the idea of condemning internet shutdowns. Thanks to the Chinese whispers nature of news reporting, this mistaken idea spread far and wide without any of the reporters bothering to check the original UN documents.

It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

However, regardless of the faulty reportage, there is a real crisis in India, with organisations like Medianama and the Software Freedom Law Centre having counted at least nine internet shutdowns this year alone, and at least 30 since 2013. It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

We at the Centre for Internet and Society have previously explained why a Gujarat High Court order allowing for an internet shutdown during riots was wrong in law, and violated our Constitution as well as our international human rights obligations. That is something the India media ought to be focussing far more on, but aren’t.

Lastly, it would also be welcome for the individual civil society organisations that signed an open letter to UNHRC members to explain why they too believed that these amendments would have significantly harmed our freedoms online. We see it instead as a case of ‘human rights politics’ being played out, when none of the proposed amendments would have had much of a negative legal impact, but only a political impact.

Should civil society organisations really get worked up about these?

Edited by: Pranav Dixit

For more details visit https://cis-india.org/internet-governance/blog/factordaily-pranesh-prakash-and-japreet-grewal-july-13-2016-no-india-did-not-oppose-un-move-to-make-internet-access-a-human-right

Tamil Nadu likely to hold Facebook accountable for suicide case

praskrishna — 2016-07-13T13:44:58Z

The recent suicide of a 21-year-old woman from Salem district in Tamil Nadu over her morphed pictures being uploaded on Facebook could turn into a flash-point between the state police and the world's most-popular social networking site.

The article by V. Prem Shanker was published in the Economic Times on July 13, 2016.

"We are exploring the possibility of holding Facebook accountable for the delay in responding to our requests since that was one of the factors which led to the young lady committing suicide," Salem superintendent of police Amit Kumar Singh told ET in an exclusive interaction. On June 23, the Salem police had received a complaint from the father of the 21-year-old stating that someone had uploaded her morphed nude pictures on Facebook. The father had requested the police to get the photographs removed from the site and also find and warn the perpetrator.

The police recorded the complaint the same evening and later sent what is called a 'Law Enforcement Online Request' to Facebook asking for details of the IP address from which the morphed photographs were uploaded on the website. Officials also requested Facebook to take down the objectionable photographs of the young woman.

Five days after the request was sent, Facebook responded with the IP address on June 28 and within 12 hours after that the police cracked the case and nabbed the suspect.

However, all this was a bit too late because the previous day, on June 27, the young woman had ended her life. Her morphed nude photographs were taken down only on the day of her death, according to the police.

"Apart from addressing Facebook, we also investigated the case from other angles but couldn't make headway. Thus, there was nothing we could do about the pictures still being online apart from waiting for Facebook to act," Singh said, adding "enforcement of compliance is a matter of grave concern."

Officials are considering charging Facebook with abetment to suicide and including Facebook in the chargesheet if the site is found culpable after investigations. However, the state police is said to be discussing with legal experts on how this can be done as there is no precedent for a website having been charged in a crime.

Facebook did not reply to an email seeking comment. Earlier in a communique, responding to criticisms of police inaction in this case, Singh had pointed out that "Only Facebook can block a page and it exercises this discretion as per its Facebook Community Standards and not the law of the land it is being viewed in. Facebook does not provide the police with any special powers to take down a page even if the police receive a cognizable complaint of identity theft and uploading of obscene content. There is no tool available, at least as of now, with the police to coerce or goad Facebook to act expeditiously even if the matter is very urgent and there is a flagrant violation of Indian law."

Experts point out that the disparity with which Facebook treats child abuse laws and copyright infringements as opposed to violation of women's rights is stark.

"Look at the war against child pornography. In the United Kingdom there is an independent foundation that has immunity under UK child pornography law. They generate a database and circulate it across all platforms and ensure that it is kept absolutely squeaky clean," points out Sunil Abraham, executive director of Bengaluru based research organisation, Centre for Internet and Society.

"There definitely needs to be a law to ensure that such platforms do not violate the law of the land, especially when it comes to women's rights. But in interim, the government can create an information escrow or a platform where the victims can place on record their problems and it is there for these sites to see and take action," Abraham added.

For more details visit https://cis-india.org/internet-governance/news/economic-times-v-prem-shanker-july-13-2016-tamil-nadu-likely-to-hold-facebook-accountable-for-suicide-case

Place for a safety net

praskrishna — 2016-07-13T02:45:56Z

Vinupriya took her life last week, humiliated by the morphed images of her naked body posted on a social media site. Experts warn that the spike in Internet traffic brings with it an increase in online sexual crimes. Measures must be taken urgently to save lives, they tell T.V. Jayan.

The article was published in the Telegraph on July 10, 2016.

Sangeeta (not her name) was 25 and working for a private company in Mumbai when she suddenly told her family that she was going to quit her job and stay at home. Her parents were flummoxed, but questioning and coaxing yielded no answers. As the days rolled on, the management graduate slipped into depression. Her worried family took her to a counsellor. And it was only then that she came out with her story.

Soon after she joined the company, Sangeeta got romantically involved with her boss. By the time she learnt he was married, the involvement had taken a physical turn. And when she tried to put an end to it, the man, who had recorded their intimate moments, used the video clips to blackmail her for sexual favours. After Sangeeta's confession and a police complaint, the blackmailing boss was nabbed and put behind bars.

Vinupriya, an undergraduate student from Salem, Tamil Nadu, was not so lucky. She found that her morphed images had been uploaded on Facebook. She committed suicide last week after her parents refused to believe her story, and the police failed to act swiftly.

Cyber experts are alarmed by the increase in online crimes against women in India. According to them, what is more worrying is that though the risks are catastrophic, the issues are not being addressed at a larger level.

"Vinupriya's case is particularly frightening. I suspect this would be the first of many such tragedies. They might even result in honour killings, as such crimes can destroy the reputation of families," says American cyber lawyer Parry Aftab, executive director of the voluntary organisation, Wired Safety, which she founded 20 years ago, and which deals extensively with cyber stalking and other crimes.

Earlier this week, a man was arrested in Delhi for sending obscene messages to more than 1,500 women in the National Capital Region. According to the police, the miscreant would randomly dial any number and if the caller turned out to be a woman, he would save the number and later check out her WhatsApp profile picture. He would then send obscene clips to the woman. One news report said some of the marriages were in trouble because husbands had seen the messages and suspected that their wives were in a relationship with the man sending those explicit messages.

Aftab has been studying the dangers of online stalking for a while. There are no figures on this in India, but a top United Nations official, stationed in New Delhi and dealing with trafficking, told her that about 500 rape and sexual assault cases were recorded and shared over WhatsApp in India this year.

She referred to a study conducted in the US that said one in three girls and boys engaged in sexting. Children involved in sexting contemplated suicide three times more than others of the same age, she said.

According to her, Wired Safety volunteers come across five cases of sextortion and sexting every day from Asian countries, including India, and act upon them by red-flagging social media organisations where such images are posted.

Pavan Duggal, a cyber lawyer based in Delhi, feels that social media service providers are not doing enough to stop online sexual abuse. "They are hiding behind a 2015 Supreme Court judgment, which said content can be removed only on judicial orders or in response to government notifications," he says.

The verdict he refers to was delivered in a case filed by a student called Shreya Singhal. In 2012, two girls were arrested over their Facebook post questioning the Mumbai shutdown for Shiv Sena patriarch Bal Thackeray's funeral. The incident made an impression on Singhal, a student of astrophysics at the University of Bristol, who was in India at the time.

Upon research she discovered that Section 66(A) of India's IT Act was subjective and any seemingly offensive social media post could land anyone in jail. Singhal filed a writ petition in the Supreme Court protesting that the section violated the constitutional right to freedom of speech and expression, and in 2015, the apex court ruled in her favour.

This judgment, however, emboldened cyber miscreants. "All the cyber bullies and cyber stalkers now have a misplaced feeling that nothing can happen to them," says Duggal. He points out that while the delivery of justice takes time, the harassment happens 24x7.

"Who do the victims turn to for help? There are provisions in the 2011 IT rules that clearly say that social medial service providers should have rules and regulations in place to deal with objectionable content, but they do not act," he holds.

Aftab, however, believes that some efforts are in place. She cites the example of Microsoft's PhotoDNA technology, which is used by many social media and online search firms, including Facebook, Google and Twitter, to prevent child pornography on the Internet. PhotoDNA works by creating a number of mini hashes on a single image and combining them to have a full hash. If anything is changed, even a pixel, then the hash signature will not match.

But she holds that on a larger scale, it is difficult to technologically deal with revenge porn, sextortion (using a sexual or provocative image to blackmail people for sexual favours) and sexting (sharing sexually provocative images of people, especially women) with the intention of damaging reputation.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, hints at a lack of initiative on the part of the social media organisations. "When it comes to enforcing intellectual property, organisations like Facebook do an excellent job of keeping their platform free of copyright infringement," he says. "So, clearly these companies can police activities on their platform when it affects their bottom-line."

And while this debate continues, more and more Indians join the online experience, thereby increasing the chances of more such cases. Aftab, who plans to set up a voluntary organisation relating to cyber safety in India, says it is best to focus on proactive measures in the interim.

Last month, she addressed 1,200 teenage girls from a Bangalore college. "One of the first questions posed to me was from a young girl who said she was currently being blackmailed by someone who threatened to morph her pictures into sexually explicit images and send them to her family and others. Morphed image issue seems to be a lot more serious in India than in the West."

The problem, she stresses, is that such incidents can lead to self-harm. To counter this, the affected person needs to inform his or her family and enlist their support. Together, they should approach social media organisations to ensure that the objectionable content is removed in time. To prevent the offenders from doing further harm, they then need to take the help of law enforcement agencies.

"The government for its part must amplify the voices of women and hold these Internet corporations accountable for an information escrow. There should be an independent mechanism to monitor whether Internet platforms are taking complaints from women seriously," Abraham says. Only then can a young girl like Vinupriya pluck up the courage to fight online abuse.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net