We are anonymous, we are legion

Learning Forum: Transparency and Human Rights in the Digital Age

praskrishna — 2014-12-04T16:14:38Z

Pranesh Prakash spoke at this event organized by Global Network Initiative on November 6, 2014 in California.

Pranesh Prakash spoke on transparency reports and their use and abuse in India; the Intermediary Liability Rules in India (and its non-provision of any transparency mechanism); and the need for transparency in private speech regulation, not just governmental speech regulation.

The Global Network Initiative and the Telecommunications Industry Dialogue on Freedom of Expression and Privacy present:

2014 Learning Forum - Silicon Valley
Transparency and Human Rights in the Digital Age

Hosted by LinkedIn

Agenda

1:30PM - Registration

2:00PM - Opening Remarks

Mark Stephens, Independent Chair, Global Network Initiative

Jeffrey Dygert, Executive Director of Public Policy, AT&T

Pablo Chavez, Vice President, Global Public Policy and Government Affairs, LinkedIn

2:15PM - Why does transparency matter for protecting and respecting rights online?

Arvind Ganesan, Director of Business and Human Rights, Human Rights Watch

Deirdre Mulligan, Associate Professor, UC Berkeley School of Information

Michael Samway, School of Foreign Service, Georgetown University

3:00PM - What is the state of transparency reporting by companies and governments, and what's missing?

Steve Crown, Vice President and Deputy General Counsel, Microsoft

Jeffrey Dygert, Executive Director of Public Policy, AT&T

Jason Pielemeier, Bureau of Democracy, Human Rights, and Labor, U.S. Department of State

Pranesh Prakash, Policy Director, Centre for Internet & Society, Bangalore

Moderated by Bennett Freeman, Senior Vice President, Sustainability Research and Policy, Calvert Investments

4:00PM - Break

4:30PM - How do companies communicate with users in response to live events?

Ben Blink, Senior Policy Analyst, Free Expression and International Relations, Google

Patrik Hiselius, Senior Advisor, Digital Rights, TeliaSonera

Rebecca MacKinnon, Director, Ranking Digital Rights Project, New America Foundation

Hemanshu Nigam, CEO, SSP Blue

Sana Saleem, Director, Bolo Bhi

Moderated by Cynthia Wong, Senior Internet Researcher, Human Rights Watch

The program will be followed by a reception from 5:30 to 6:30pm.

By invitation only, non-transferrable.

Have questions about Learning Forum: Transparency and Human Rights in the Digital Age? Contact Global Network Initiative

The original was published here.

For more details visit https://cis-india.org/internet-governance/news/learning-forum-transparency-and-human-rights-in-the-digital-age

Learn It Yourself

praskrishna — 2011-12-23T05:01:14Z

The peer-to-peer world of online learning encourages conversations and reciprocal learning, writes Nishant Shah in an article published in the Indian Express on 30 October 2011.

Technologies and learning have always had a close link. In the past, distance learning programmes of higher education through the postal service, remote education programmes using satellite TV and interactive learning projects using information and communication infrastructure, have all been deployed with varied results in promoting literacy and higher education. In the last two decades, the internet has also joined this technology ecology in trying to provide quality and affordable education to remotely located areas through “citizen service centres” envisioned to reach 6,40,000 Indian villages in the future.

These technology-based information outreach programmes expand the ability of traditional formal learning centres like universities, to cater to the needs of those who might not have access to learning resources. This vision of networked education relies on existing systems of centralised syllabus making, teacher-to-student information transfer, grade-based evaluation and accreditation systems, and a degree-centred approach to learning.

I was in New York last week, at an international summit on the future of learning, Mobility Shifts, organised by the New School, where more than 260 speakers from 21 countries discussed the possibility of learning beyond the bounds of the school and university system. Many discussions were around the declining public education system (with huge disinvestment moves from the government), privatisation of education, increasing tuition and fees, and the non-relevance of current education. However, along with this digital expansion of the traditional education system is an emerging trend that challenges the ways in which we understand education and learning – DIY Learning or Do It Yourself Learning.

DIY Learning is a product of the networked condition. It recognises that as more people get onto digital information networks, there is a possibility of producing peer-to-peer learning conditions, which do not have to follow our accepted models of learning and education.

We have seen the rise of various decentralised and democratised knowledge repositories like Wikipedia. The search based algorithms of search engines also take into consideration the idea that knowledge is personal. User generated content sites like eHow.com show that the individual learner is not merely a recipient of information and knowledge. Information seeking spaces like Quora have shown that knowledge-sharing communities can incite new conditions of learning. Our contexts, experiences, everyday practices, aspirations etc. equip us with valuable information, which not only shape how we learn but also what we find relevant to learn for ourselves. DIY Learning picks up on the idea that the infrastructure of education is not necessarily designed towards learning. Learning often happens outside the classrooms, in informal conversations.

Thus DIY Learning offers a new model of learning. It destabilises the established hierarchy of knowledge production and pedagogy and creates an each-one-teach-one model with a twist. Instead of a centralised board of curriculum designer who shape syllabi for the “average” student, you have the possibility of customised, highly individual, interest-based learning curricula where the student is a part of deciding what s/he wants to learn. DIY Learning doesn’t recognise the distinctions between teachers and students, but recognises them as “peers” within a network, encouraging conversations and reciprocal learning rather than information transfer based classroom models. Instead of mass-produced education that caters only to an imagined average, the DIY Learning model recognises that within the same student group, there are different rates and scales of learning, thus offering environments suited to the aptitude of the students.

Within the DIY Learning model, aspects of education, from the design of curriculum and learning methods, to grading and evaluation are geared towards individual preferences and aspirations.

Many people think of DIY Learning as an alternative to mainstream learning processes and structures. However, it is perhaps more fruitful to think of DIY Learning as a way of figuring out the problems that beset our traditional educational system. It allows us to rethink the relationships between learning, education, teaching and technologies. It recalibrates the space of the classroom and reconfigures the role of the teacher and the student.

DIY Learning emphasises that merely building schools and universities is not enough to assure that learning happens. Learning happens through experiences, practice, conversations, internalisations and through making mistakes. DIY Learning offers these possibilities in an education universe that is constantly refusing to take risks, innovate and adapt to the needs of the present. By itself it might not be able to take on the roles and functions of the existing education systems. But it does warn us that we are preparing our students for our pasts rather than their futures. And the time to change is now.

The original story was published in the Indian Express, it can be read here

For more details visit https://cis-india.org/news/learn-yourself

Leaked Privacy Bill: 2014 vs. 2011

elonnai — 2014-04-01T10:52:41Z

The Centre for Internet and Society has recently received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted.

Note: After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post.

This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in April 2011 and September 2011.

When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions. Below is an outline of significant changes from the September 2011 Privacy Bill to the 2014 Privacy Bill:

Scope: The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India. The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.
Definitions: The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.

Terms that have been added in the 2014 Bill and the definitions

Personal identifier: Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.
Legitimate purpose: A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.
Competent authority : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.
Notification: Notification issued under this Act and published in the Official Gazette
Control : And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.
Telecommunications system: Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.
Privacy standards: The privacy standards or protocols or codes of practice. developed by industry associations.

Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions

Communication data:The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications
Data subject : Any living individual, whose personal data is controlled by any person
Interception: In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication.
Person: Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban local body, or any other officer, agency or instrumentality of the state.
Sensitive personal data: Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation. Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.
Individual: a resident of Indian
Covert surveillance: covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual
Re-identify: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;
Process: “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;
Direct marketing: Direct Marketing means sending of a commercial communication to any individual
Data controller: any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;
Government: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;

Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:

Consent: Includes implied consent
Maintain: Includes maintain, collect, use, or disseminate.
Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller.
Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund.
Prescribed: Prescribed by rules made under this Act.
Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)
DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual.

Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):

Authority: The Data Protection Authority of India
Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.
Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject.
Member: Member of the Authority
Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data.
Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller.

Exceptions to the Right to Privacy: According to the 2011 Bill, the exceptions to the Right to Privacy included:

Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state
Preventing incitement to the commission of any offence
Prevention of public disorder or the detection of crime
Protection of rights and freedoms of others
In the interest of friendly relations with foreign state
Any other purpose specifically mentioned in the Act.

The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.

Acts not to be considered deprivations of privacy: The 2011 Bill lists five instances that will not be considered a deprivation of privacy - namely

For journalistic purposes unless it is proven that there is a reasonable expectation of privacy,
Processing data for personal or household purposes,
Installation of surveillance equipment for the security of private premises,
Disclosure of information via the Right to Information Act 2005,
And any other activity exempted under the Act.

The 2014 limits these instances to:

The processing of data purely for personal or household purposes,
Disclosure of information under the Right to Information Act 2005,
And any other action specifically exempted under the Act.

Privacy Principles: Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices.

Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:

Collection of personal data,
Processing of personal data,
Data quality,
Provisions relating to sensitive personal data,
Retention of personal data,
Sharing (disclosure) of personal data,
Security of personal data,
Notification of breach of security,
Access to personal data by data subject,
Updation of personal data by data subject
Mandatory processing of data,
Trans border flows of personal data.

Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:

Collection of personal data,
Processing of personal data,
Access to personal data,
Updating personal data
Retention of personal data
Data quality,

The 2014 Bill has further includes provisions addressing:

Openness and accountability,
Choice,
Consent,
Exceptions for personal identifiers.

The 2014 Bill has made changes to the provisions addressing:

Provisions relating to sensitive personal data,
Sharing (disclosure of personal data),
Notification of breach of security,
Mandatory processing of data
Security of personal data
Trans border flows of personal data.

The changes that have been made have been mapped out below:

Provisions Relating to Sensitive Personal Data: The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:

For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.
Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

Notification of Breach of Security: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.

Notice: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:

The documented purposes for which such personal data is being collected
Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service
The consequences of the failure to provide the personal data
The recipient or category of recipients of the personal data
The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller
If such personal data is intended to be transferred out of the country, details of such transfer.

In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:

What data is being collected and
The legitimate purpose for the collection.

If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:

The use to which the personal data will be put
Whether or not the personal data will be disclosed to a third party and if so the identity of such person
If the personal data being collected is intended to be transferred outside India and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data.
The security and safeguards established by the data controller in relation to the personal data
The processes available to a data subject to access and correct his personal data
The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto
The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller.

Disclosure of personal data: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing. In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. As a safeguard, the 2014 Bill requires that any person to whom personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.

Transborder flow of information: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

Mandatory Processing of Data: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.

Security of Personal Data: The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of security.

Conditions on which provisions do not apply: Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy will not apply to personal data. Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill carves out an exception for Government Intelligence Agencies - stating that the provisions of updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.
Privacy Officers: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.
Power of Authority to Exempt: Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .

The Data Protection Authority: The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority. For example, new functions of the Authority include:

Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act,
Suggesting international instruments relevant to the administration of the Act,
Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.

The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.

At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement, if for the objectives of (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.

This power is instead vested with a court of competent jurisdiction.

The National Data Controller Registry: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.
Direct Marketing: Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’ and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.
Interception of Communications: Though maintaining some of the safeguards defined in the 2011 Bill for interception, 2014 Bill changes the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees, removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.
Video Recording Equipment in public places: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed.

The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.

Privacy Standards and Self Regulation: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them. For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.
Settlement of Disputes and Appellate Tribunal: The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish. If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court.

In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.

Offences and Penalties: The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section.

Offences: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:

Unauthorized interception of communications
Disclosure of intercepted communications
Undertaking unauthorized Covert Surveillance
Unauthorized use of disclosure of communication data

The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.

Penalties: The 2014 Bill provides a list of penalties including:

Penalty for obtaining personal data on false pretext
Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers
Penalty for disclosure of other personal information
Penalties for contravention of directions of the Authority
Penalties for data theft
Penalties for unauthorised collection, processing, and disclosure of personal data
Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines

Adjudicating Officer: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default

Civil Remedies and compensation: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense.

The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.

Exceptions for intelligence agencies: Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.

The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.

In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.

For more details visit https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011

Law yet to catch up with tech-enabled peeping toms

praskrishna — 2012-11-08T08:06:07Z

Devices that give sharp images are the order of the day. But this clarity is lacking when it comes to regulating use of cameras and camera phones in public places, say policy makers.

The article by Sandhya Soman & Pratiksha Ramkumar was published in the Times of India on November 7, 2012.

If there is one thing that sends more clients harried by blackmailers to detectives like A M Malathy of Malathy Detective Agency, it is the pervasive presence of the camera, most often inside modest cell phones. "One girl had to leave a town as her ex-boyfriend uploaded her photo on the internet and referred to her as a call girl. We got the web page removed," says Malathy.

But tracing culprits is difficult if they are strangers on the road. Absence of a privacy law makes it difficult for police to book culprits. "If someone photographs a woman on a bus, we can ask the person to delete it. But we can't book the person s there is no law," says Jegabar Sali, assistant commissioner, cyber crime cell.

The Information Technology (IT) Act, 2000 talks of punishment only in cases where a person's private areas have been photographed. However, things are looking up with the government trying to draw up the Right to Privacy Bill.

"The problems posed by digital technology are complex and we need to define what these new crimes are," says Rajeev Chandrasekhar, independent Member of Parliament, who introduced the Right to Privacy Bill,2010 in Parliament. "I did it because I got representations from parents and women about how MMS clips were being used to blackmail them," says Chandrasekhar.

There have been attempts at legislation earlier. The Mobile Camera Phone Users (Code of Conduct) Bill, 2006 attempted to regulate the use of camera phones in public places. It proposed that manufactures build camera phones that flash a light or emit a 'click' sound, and that users should get consent of the person being photographed.

"The sound and light are for informing people that they are being filmed," says Sunil Abraham, executive director, Centre for Internet and Society, a Bangalore-based organisation that was part of the committee. These provisions are part of South Korea's privacy law, which sought to bring down cases of technology-enabled 'upskirt' photography, where photos of women were taken without their permission, he says.

For more details visit https://cis-india.org/news/times-of-india-sandhya-soman-and-pratiksha-ramkumar-nov-7-2012-law-yet-to-catch-up-with-tech-enabled-peeping-toms

Launching CIS’s Flagship Report on Private Crypto-Assets

Admin — 2021-12-03T15:16:27Z

The Centre for Internet & Society is launching its flagship report on regulating private crypto-assets in India, as part of its newly formed Financial Technology (or Fintech) research agenda. This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.

About the private crypto-assets report

The first output under this agenda is our report on regulating private cryptocurrencies in India. This report aims to act as an introductory resource for policymakers who are looking to implement a regulatory framework for private crypto-assets. The report covers the technical elements of crypto-assets, their history, proposed use cases as well as its benefits and limitations. It also examines how crypto-assets fit within India’s current regulatory and legislative frameworks and makes clear recommendations for the same.

About the Event

The launch event will feature an initial presentation by researchers at CIS on the various findings and recommendations of its flagship report. This will be followed by a moderated discussion with 5 panelists who represent the space in policy, academia and industry. The discussion will be centered around the current status of crypto-assets in India, the government’s new proposed regulations and what the future holds for the Indian crypto market.

The confirmed panelists are as follows:

Tanvi Ratna - Founder, Policy 4.0 and expert on blockchain and cryptocurrencies
Shehnaz Ahmed - Senior Resident Fellow and Fintech Lead at Vidhi Centre for Legal Policy
Nithya R. - Chief Executive Officer, Unos.Finace
Prashanth Irudayaraj - Head of R&D, Zebpay
Vipul Kharbanda - Non resident Fellow specialising in Fintech at CIS
Aman Nair - Policy Offer, CIS (Moderator)

Registration link: https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw

Agenda

17.30 - 17.35

Welcome Note

17.35 - 18.35

The status of private crypto-assets in India

Presentation on CIS’ flagship Report on regulating private crypto-assets in India
Moderated discussion with panelists across industry, government, journalism and academia providing their insight as to the current and future state of private crypto-assets, and their regulation, in India.

18.35 - 19.00

Audience questions and discussion

For more details visit https://cis-india.org/internet-governance/events/launching-cis-flagship-report-on-private-crypto-assets

Launching CIS’s Flagship Report on Private Crypto-Assets

Aman Nair — 2021-12-13T09:11:18Z

This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.

About the private crypto-assets report

About the Event

The confirmed panelists are as follows:

Tanvi Ratna - Founder, Policy 4.0 and expert on blockchain and cryptocurrencies
Shehnaz Ahmed - Senior Resident Fellow and Fintech Lead at Vidhi Centre for Legal Policy
Nithya R. - Chief Executive Officer, Unos.Finace
Prashanth Irudayaraj - Head of R&D, Zebpay
Vipul Kharbanda - Non resident Fellow specialising in Fintech at CIS
Aman Nair - Policy Offer, CIS (Moderator)

Registration link: https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw

Agenda

17.30 - 17.35	Welcome Note
17.35 - 18.35	The status of private crypto assets in India Presentation on CIS’ flagship Report on regulating private crypto-assets in India Moderated discussion with panelists across industry, government, journalism and academia providing their insight as to the current and future state of private crypto-assets, and their regulation, in India.
18.35 - 19.00	Audience questions and discussion

For more details visit https://cis-india.org/internet-governance/blog/launching-flagship-cis-report-on-private-crypto-assets

Lack of clarity about cashless and online transactions makes digital payments more worrisome

praskrishna — 2016-12-02T16:20:39Z

Even as demonetisation pushes for more and more cashless and online transactions through, e-wallets, banks and other such apps, there is a serious lack of clarity on how these companies handle customer data, and how it is shared with other entities. "Data is the new oil," is an oft repeated phrase in nearly every technology related conversation that comes up anywhere in India today.

The article by Neha Alawadhi was published in the Economic Times on December 1, 2016. Sunil Abraham was quoted.

However, the handling of this data, most of which carries some of our most personal information, has little protection if it is misused by a private or government entity.

Sample this: at an industry event, a Bengaluru-based startup claimed to solve the problem of credit worthiness of individuals for small loans by using some unusual means. To determine credit worthiness, the company maps everything in your phone — right from how many SMSes you receive for non-payment of dues, to how you fill out your loan application form. The company also claims that it can map, using your phone data, the area of your residence and office.

There are several other companies, especially those in the financial technology (fintech) space, doing similar mapping. The Wall Street Journal on Monday reported that more than three dozen local governments across China are compiling digital records of social and financial behaviour to rate credit worthiness. A person gets a score deduction for violations such as fare cheating, jaywalking and violating family-planning rules.

India may be some distance away from such a credit scoring system, but the increased use of online transactions — financial or otherwise — is sure to lead to similar business models.

"You have no clue what data you are sharing with fintech companies. They are collecting data from other sources and combining it to assess your credit score," said Sunil Abraham, executive director of the Centre for Internet Society.

For example, there is no clarity on what an e-wallet company does with your details and transaction history even after you delete the app. "If there is large level of customer migration of users from an app company, they will just become a data analytics company. The bigger danger in future is the growth of large data intermediaries which are similar to Visa and Mastercard networks, which purchase big databases and further sell this data and build their services or product on top of that. There are large privacy concerns there," said Apar Gupta, advocate and Internet policy expert. While lack of a privacy law or controller has been a long standing concern, the existing law for data protection — Section 43(A) of the Information Technology Act— also offers only very basic protection and is "grossly inadequate", according to Abraham.

To make matters worse, they also lack a strict enforcement mechanism. "We don’t know what are the data practices (adopted by apps). There is no privacy controller or some other body, so it is very difficult for a user to know what are the actual ways their data is being implemented," said Gupta.

There have also been cases of government entities making sensitive and personal information public. Earlier this year, DataMeet, a community of data science enthusiasts, found that Bengaluru Police released 13,000 call data records (CDR) of potential on-going investigations during a hackathon with focus on solving problems of cities.

"There has been very little talk about data ethics and data practices in India. But cases of misuse of data are frequent," noted DataMeet member Srinivas Kodali in a blogpost.

For more details visit https://cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome

Konkan Corridor Project — A Lecture by Vasant Gangavane

praskrishna — 2012-04-13T13:49:32Z

Well known social worker Vasant Gangavane will be giving a public lecture on the Konkan Corridor Project at Ashoka Innovators for the Public in Bangalore on April 16, 2012. The lecture will focus on the role of Information & Communication Technology for total rural transformation by inclusive integrated development with no change of land ownerships. The event is co-organized by Ashoka Innovators for the Public and the Centre for Internet and Society.

Citing examples from the 117 village clusters in the regions of Ratnagiri and Sindhudurga districts of Maharashtra the lecture hopes to throw light on questions like what is a village cluster, what does it mean to urbanize one village cluster and what do we need to do to urbanize one village cluster, how will we organize and coordinate the project. This apart the vision, status and action plans of the Konkan Corridor Project, the skills development in each cluster, intensive agriculture in each cluster, farm produce processing, water conservation in the project area, rivers in the project area, energy, transportation, industry, science communication, and self administration in each clusters will also be discussed.

Vasant Gangavane

In the 1970s Vasant Gangavane, a management graduate from Indian Institute of Management and Wharton, returned to his village in Konkan, Maharashtra, to give his people what he felt they needed most — the knowledge to manage their natural resources. In the process, he set up several models of rural development. Gangavane found that the rate at which people migrated out of the Konkan was very high, despite the fact that the area was rich in natural resources. He studied the area and realised that land improvement and watershed development were key issues. He conducted a series of experiments in agriculture, dairy and poultry farming before setting up the Gokul Prakalp Pratishthan (GPP) in 1978. With the Maharashtra government's comprehensive watershed management programme (COWDEP), Gangavane's Pratishthan afforested 400 hectares of land in Vilye village with mango and cashew trees. Gangavane then acquired 40 acres of wasteland in the village and built water conservation structures called Gokul bandharas. This resulted in the wells in the area being recharged and ensured enough drinking water for 25 families.This model was later adopted by the Indo-German Watershed Programme.

When Gangavane's project began, the village of Vilye was bereft of young people. Its young had migrated. Now there is reverse migration and 3,000 people have benefited from the programme. The village has been transformed — water runoff has been arrested and afforestation has changed the look of the village.

After the watershed programme, Gangavane formulated a theoretical plan for model villages called the Gokul project. The aim was communication and knowledgesharing. A participatory rural appraisal is also done to explore natural resource availability, potential and use. The awareness is meant to empower people and convince them that watershed programmes can address problems of poverty and inequity. Gangavane believes that with this knowledge, and with the resources available, a small family in the area can live sustainably.

Gangavane's Pratishthan has set up an Ashramshaala at Laanja, Ratnagiri district, which is a tribal residential school, where 300 children are provided free boarding and lodging up to the secondary level. GPP has also introduced computer education in schools. For his work Gangavane was awarded the Vanashree award, Vasantrao Naik Pratisthan award and the Indira Priyadarshini Vrikshamitra award.

Download the presentation here [PDF, 228 KB]

For more details visit https://cis-india.org/internet-governance/talk-by-vasant-gangavane

Know thy selfie

praskrishna — 2015-08-05T01:23:12Z

The trend of clicking selfies is not a mere self-indulgent fad. It's a modern form of peer validation that helps in building a social bond, say Prasun Chaudhuri and Sharmistha Ghosal

The article was published in the Telegraph on November 27, 2014. Nishant Shah and Rohini Lakshane were quoted.

Ever since her father gifted her an expensive smartphone, Anwesha Ray, a third year student at a Calcutta college, can't stop clicking selfies. First, she started uploading selfies on her Facebook page once a week. But the growing number of 'likes' inspired her to capture more images. Now she clicks at least five pictures a day and changes her profile picture at least twice a week. She deletes a picture within hours if it fails to garner at least 200 'likes' from over 4,000 friends.

Rohit Chattopadhyay, a third year student at an engineering college in south Calcutta, mastered the art of taking selfies and editing them courtesy Instagram. He uploads at least a couple of self-portraits a day. Sometimes he works well past midnight chasing that "perfect" shot.

Aliah Shamim, a second year student at a top Calcutta college, loves to click selfies with friends and family. However, she shares them only with her close contacts on Facebook and WhatsApp.

Welcome to the world of selfie-engrossed teenagers ready to do anything to get that perfect self-portrait. In every college you'll find students who are mad about selfies. Anwesha knows her obsession leads to her "wasting a lot of time", but she can't kick her habit of clicking selfies.

"I simply love those 'likes' on Facebook. It gives me a feeling of deja vu. I feel as if I'm a celebrity," she says a tad sheepishly. "Just imagine how many admirers I have," says Rohit proudly showing a particular top shot of his face which has garnered 602 'likes'.

Are these students really being too self indulgent? Or is it just their way of getting endorsement of their self worth? Dr Shefali Batra, founder, Mind Frames, a psychiatric clinic in Mumbai, feels the act of taking selfies is a way of feeling "empowered" as students attempt to compensate for their lack of self worth in the real world. According to her, the selfie obsession borders on narcissism — an excessive interest in or admiration of oneself and one's physical appearance — and clouds their judgement; they fail to see the real world.

She is worried because she's been getting quite a few teen patients who are obsessed with selfies. Although not as extreme as a 15-year-old girl from Philippines who died after falling down the stairs while taking a selfie or a Russian teen who plunged to his death after trying to take a selfie atop a railway bridge, she is scared the trend might catch on in India.

Calcutta-based psychiatrist J.R. Ram too is concerned about the increasing number of selfie-obsessed teens in his clinic. He says, "Last week, I met a 13-year-old girl who stole money to get a haircut like pop singer Rihanna. Her parents were worried but she was nonchalant as her portrait got 167 'likes' on a social networking site."

According to Ram, selfies are the modern day equivalent of a reflection in a pool which led mythological Greek hunter Narcissus to drown in a stream as he was enamoured of his own image. "The virtual image is more important to these teenagers than the real one," he avers.

Agrees Rima Mukherjee, a psychiatrist based in Calcutta. "Virtual appreciation means a lot to these kids and it doesn't matter if most of the 'likes' they get on social networking sites are fake," she says. According to her, the trend is pushing some youths to compete with their friends to garner more 'likes'. "If a friend's picture gets more 'likes' students feel compelled to go on an overdrive to shoot and upload more selfies," she notes.

Take the case of Ashmita Dasgupta. "I make it a point to score quality 'likes,' unlike Anwesha [her classmate]. I don't go on adding random friends to maximise the 'likes'," she says.

As an associate dean at Praxis B-school, Calcutta, Charanpreet Singh has a ringside view of student behaviour and activities. He says, "These kids do have a large network of friends but the relationships are very superficial. The so-called 'likes' don't come from the heart and mean nothing." He's also observes that those students who don't have many real world friends are more active on social networking sites. "They vie for appreciation out of emotional insecurity."

Some argue that this trend of clicking and uploading selfies has been fuelled by the celebrity culture. Says Aroona Broota, a former professor of psychology in Delhi University, "Some teenagers are inspired by celebs who frequently click selfies to promote themselves. The kids fail to understand that for the celebrities it's a shrewd way of marketing themselves or advertising a product." Also, for some, clicking selfies has become an escape route from the daily drudgery and frustrations that one face in real life such as scoring low marks in exams, having no job or other personal problems.

But not all psychiatrists or psychologists feel that the trend is scary. Zena Deb, a Calcutta-based clinical psychologist, finds nothing wrong with students clicking selfies unless their obsession leads them to taking risks such as shooting from the top of a building or a cliff.

Deb, a mother of an 18-year-old girl says, "Most do this to seek attention and get some validation from peers. It doesn't matter if one is ugly or pretty — you can seek a certificate for your self-worth and you get it so easily on a social network." For a teenager such 'peer review' is of utmost importance and it must not be confused with narcissism.

Ali Khwaja, founder of counselling centre Banjara Academy, Bangalore, too feels narcissism is too strong a word to describe the trend. "With a strong medium at their disposal they want to spread the message that they want to be different, creative and adventurous. They hope to expand their contacts and create an identity," he says.

Nishant Shah, co-founder of the Centre for Internet and Society, Bangalore, feels the act of taking selfies is a networking phenomena. He says, "These are meant for creating interesting routes of connectivity with a photographic object that goes beyond individualistic relationships. It forms social and cultural capital for youths."

Rohini Lakshané, a researcher at the CIS, believes we are living in times where users of social media, especially "digital natives" find it rewarding to constantly promote themselves in their chosen ways and forms through these channels. She says, "The selfie often circumvents the artistic pursuit of making a self portrait. Instead it tries to make a spectacle or testimony that the selfie-taker was indeed present at a certain place, at a certain time, in a certain attire or mood, and (perhaps) in the company of certain people." According to her, selfie-takers enjoy control over how the photos turn out to be, how they look in the photo, and the time and social network in which such a photo is published — all of which are 'advantages' over having someone else take their photos or being shot candidly. She adds, "While I would consider the act of taking several selfies self-indulgent, I am not sure if it qualifies as narcissistic."

They have the tools of self-expression which their parents didn't have, says Kaustuv Sengupta, a youth trend analyst and an associate professor at NIFT, Bangalore. "This is a more expressive generation which wants to become more visible," he says. As a panel member of a youth survey — called Millennial Paradox — conducted by Titan Industries last year, he found that despite the unprecedented levels of self-obsession and independence, India's millennnials (21-35 year old) do not operate in isolation — they have a strong desire to share and belong to a community. "Sharing has become the principle form of validation....everything requires endorsement — whether that takes the form of a 'friend' a 'like' or even a 'retweet", concludes the survey, describing the new trend as "collective individualism".

For the current generation of digital natives, endorsements in the virtual world matter more than the feedback they get from the real world, says Dr Subhrangshu Aditya, a student counsellor at Jadavpur University. "The real world — parents, guardians and other authorities — doesn't approve of the 'Kiss of Protest' movement against moral policing, but it is appreciated by their virtual friends," he observes.

Nishant Shah of CIS points out that social media are a potent tool for today's youngsters. These can be used as a political weapon when they identify crises in their immediate environment. And all the recent movements across the world — anti-corruption or the post-gangrape protests in India, occupy Wall Street in the US or Shahbag protests — have originated in the digital world. More power to the social media, we say.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-november-27-2014-know-thy-selfie

Killing the Internet Softly with Its Rules

pranesh — 2011-08-20T12:51:42Z

While regulation of the Internet is a necessity, the Department of IT, through recent Rules under the IT Act, is guilty of over-regulation. This over-regulation is not only a bad idea, but is unconstitutional, and gravely endangers freedom of speech and privacy online.

A slightly modified version of this blog entry was published as an op-ed in the Indian Express on May 9, 2011.

Over-regulation of the Internet

Regulation of the Internet, as with regulation of any medium of speech and commerce, is a balancing act. Too little regulation and you ensure that criminal activities are carried on with impunity; too much regulation and you curb the utility of the medium. This is especially so with the Internet, as it has managed to be the impressively vibrant space it is due to a careful choice in most countries of eschewing over-regulation. India, however, seems to be taking a different turn with a three sets of new rules under the Information Technology Act.

These rules deal with the liability of intermediaries (i.e., a large, inclusive, group of entities and individuals, that transmit and allow access to third-party content), the safeguards that cybercafes need to follow if they are not to be held liable for their users' activities, and the practices that intermediaries need to follow to ensure security and privacy of customer data.

Effect of not following the rules

By not observing any of the provisions of these Rules, the intermediary opens itself up for liability for actions of its users. Thus, if a third-party defames someone, then the intermediary can be held liable if he/she/it does not follow the stringent requirements of the Rules.

The problem, however is that, many of the provisions of the Rules have no rational nexus with the due diligence to be observed by the intermediary to absolve itself from liability.

What does the Act require?

Section 79 of the IT Act states that intermediaries are generally not liable for third party information, data, or communication link made available or hosted. It qualifies that by stating that they are not liable if they follow certain precautions (basically, to show that they are real intermediaries). They observe 'due diligence' and don't exercise an editorial role; they don't help or induce commission of the unlawful act; and upon receiving 'actual knowledge', or on being duly notified by the appropriate authority, the intermediary takes steps towards some kind of action.

So, rules were needed to clarify what 'due diligence' involves (i.e., to state that no active monitoring is required of ISPs), what 'actual knowledge' means, and to clarify what happens in happens in case of conflicts between this provision and other parts of IT Act and other Acts.

Impact on freedom of speech and privacy

However, that is not what the rules do. The rules instead propose standard terms of service to be notified by all intermediaries. This means everyone from Airtel to Hotmail to Facebook to Rediff Blogs to Youtube to organizations and people that allow others to post comments on their website. What kinds of terms of service? It will require intermediaries to bar users from engaging in speech that is disparaging', It doesn't cover only intermediaries that are public-facing. So this means that your forwarding a joke via e-mail, which "belongs to another person and to which the user does not have any right" will be deemed to be in violation of the new rules. While gambling (such as betting on horses) isn’t banned in India and casino gambling is legal in Goa, for example, under these Rules, all speech ‘promoting gambling’ is prohibited.

The rules are very onerous on intermediaries, since they require them to act within 36 hours to disable access to any information that they receive a complaint about. Any 'affected person' can complain. Intermediaries will now play the role that judges have traditionally played. Any affected person can bring forth a complaint about issues as diverse as defamation, blasphemy, trademark infringement, threatening of integrity of India, 'disparaging speech', or the blanket 'in violation of any law'. It is not made mandatory to give the actual violator an opportunity to be heard, thus violating the cardinal principle of natural justice of 'hearing the other party' before denying them a fundamental right. Many parts of the Internet are in fact public spaces and constitute an online public sphere. A law requiring private parties to curb speech in such a public sphere is unconstitutional insofar as it doesn't fall within Art.19(2) of the Constitution.

Since intermediaries would lose protection from the law if they don't take down content, they have no incentives to uphold freedom of speech of their users. They instead have been provided incentives to take down all content about which they receive complaints without bothering to apply their minds and coming to an actual conclusion that the content violates the rules.

Cybercafe rules

The cybercafe rules require all cybercafe customers be identified with supporting documents, their photographs taken, all their website visit history logged, and these logs maintained for a year. Compare this to the usage of public pay-phones. Anyone can use a pay-phone without their details being logged. Indeed, such logging allows for cybercafe owners to blackmail their users if they find some embarrassing websites in the history logs—which could be anything from medical diseases to sexual orientation to the fact that you're a whistleblower.

The cybercafe rules also require that all of them install "commercially available safety or filtering software" to prevent access to pornography. In two cases along these lines in the Madras High Court (Karthikeyan R. v. Union of India) and the Bombay High Court (Janhit Manch v. Union of India), the High Courts refused to direct the government to take proactive steps to curb access to Internet pornography stating that such matters require case-by-case analysis to be constitutionally valid under Art.19(1)(a) [Right to freedom of speech and expression].

Such software tends to be very ineffective—non-pornographic websites also get wrongly filtered, and not all pornographic websites get filtered—and the High Courts were right in being wary of any blanket ban. They preferred for individual cases to be registered. If the worry is that our children are getting corrupted, it is up to parents to provide supervision, and not for the government to insist that software do the parenting instead.

Given that all of these were pointed out by both civil society organizations, news media, and industry bodies, when the draft rules were released, it smacks of governmental high-handedness that almost none of the changes suggested by the public have been incorporated in the final rules.

For more details visit https://cis-india.org/internet-governance/blog/killing-the-internet-oped

Kick Off Meeting for the Politics of Data Project

praskrishna — 2016-01-12T16:42:29Z

Tactical Technology Collective (TTC) on December 7 and 8, 2015 organized this event in Phnom Penh. Amber Sinha participated in it.

The areas TTC is planning to focus on in the Politics of Data project include:

Politics of Data: exploring questions about what it means to live in a data society and how it impacts our autonomy and privacy. Me and My Shadow is one of the projects under Politics of Data that looks at the digital traces that we leave behind and how these pieces of information are created, stored and collected. It provides people with resources to learn about how these digital traces can create stories or profiles about you, and how to minimise your digital traces online.
Digital Security and Privacy: through this programme, they intend to work with rights advocates, journalists, activists and others to build their digital security skills.
Exposing and Shaping Issues: this part of the programme will explore new forms of finding, creating and representing evidence by advocacy and activist groups and individuals.

The meetings saw participation from a host of organisations in Asia including Bytes for All, Cambodian Center for Human Rights, OpenNet, Community Legal Education Center, Engage Media, iPlural and Mido.

For more details visit https://cis-india.org/internet-governance/news/kick-off-meeting-for-the-politics-of-data-project

Keeping it Private

nishant — 2012-01-27T03:50:51Z

As we disclose more information online, we must ask who might access it and why. This article by Nishant Shah was published in the Indian Express on Sunday, 15 January 2012.

As a researcher of the blink-and-change cyberspaces, I am often asked about the future of all things digital. I generally refuse to answer such questions because researchers are happier talking about things past than things present. Also, when people ask questions of the future, they are more interested in gadgets and platforms. Will Facebook survive the next year? Will more people use Twitter? Is the mobile the new weapon of protest? Shall we all soon talk only on FaceTime? I shrug my shoulders at these questions. However private information and privacy ties all these questions.

I pronounce that 2012 is going to be the year of Personal Information Management and the need for increased privacy, where more than anything else, people will realise that what they do online is not only significant to their present, but that it might bite them in their digital futures. We have heard stories that have hinted at management of information and reputations online. Young people put compromising pictures and videos online, severely damaging their social and professional relationships; people express opinions on public forums, which might not necessarily reflect them well; users reveal personal information, which can be abused by those with malice. These instances should remind us that unlike in the physical worlds, where our foot-in-the-mouth moments, youthful indiscretions or embarrassing behaviour quickly runs through the grapevine and is forgotten, in the digital worlds, the things that we say and do, stay long after we have forgotten them.

And this is where privacy kicks in. Many people in India, when they encounter the idea of “privacy”, raise their eyebrows. Culturally, we are not very private people. We celebrate our triumphs and sorrows in public, freely part with information to strangers on train rides, and don’t have qualms asking about age, marital status or salary. In the age of ubiquitous computing, we must remember that once something has been committed to the online world, it will be etched somewhere and will be available for somebody else to look at. The internet, specially with increasing bandwidth, expanded spectrum and cloud-based distributed data storage, is an unforgiving space that never lets go.

Privacy, in this brave new world, is not about disclosure. It is becoming increasingly clear that we will need to disclose more and more of our private information if we want services — from government public delivery systems to private credit and education — online. However, once we have disclosed our private information, then what? Who uses it? Who reads it? Who stores it for what purpose? What are the implications of having that private information out there?

In the digital world, privacy is about having more control over the personal information that we have disclosed, the right to know who, where, when, how and for what purposes information that we have willingly disclosed is used. And as the country finalises privacy bills, this right of the individual, whose private information is going to feed government and business ecologies, is at stake.

There is a need to institute better regulation around data protection, data mining, data retention and data retrieval that is still in the limbo in our country, at the mercy of privately crafted terms of service that we blindly accept while signing into the digital world.

It is time to move away from understanding privacy as disclosure to privacy as control of information — to know who is doing what with your private information and how you should have a say in it. And it is time to realise that just because you don’t have anything to hide, does not mean that you need to be in a state of disclosure. There is a reason why you have curtains in your house, or do not allow strangers to look into your bags.

The article was originally published in the Indian Express

For more details visit https://cis-india.org/internet-governance/keeping-it-private

Kashmir: Telecom firms struggle to block 22 banned social media sites

praskrishna — 2017-05-04T02:29:04Z

A BSNL official says engineers are still working on shutting down the 22 social media sites but so far had been unable to do so without freezing the Internet across Kashmir.

The article by Aijaz Hussain was published in Livemint on May 4, 2017. Pranesh Prakash was quoted.

The government has banned 22 social media sites in an effort to calm tensions in parts of the disputed region of Kashmir, after several viral videos depicting the alleged abuse of Kashmiris by Indian law enforcement fuelled protests. But the sites remained online Thursday morning as the local telecom company struggled to block them.

The government said on Wednesday that the restrictions, to be in effect for one month, were necessary for public safety. “It’s being felt that continued misuse of social networking sites and instant messaging services is likely to be detrimental to the interests of peace and tranquillity in the state,” the public order reads.

Pranesh Prakash, policy director for the Indian advocacy group the Centre for Internet and Society, called the ban a “blow to freedom of speech” and “legally unprecedented in India.”

An official with Kashmir’s state-owned telecom company, Bharat Sanchar Nigam Ltd (BSNL), said engineers were still working on shutting down the 22 sites, including Facebook and Twitter, but so far had been unable to do so without freezing the internet across the Himalayan region. The official spoke on condition of anonymity, because he was not authorized to give technical details of the effort to the media.

Meanwhile, 3G and 4G cellphone service has been suspended for more than a week, but the slower 2G service was still running.

Residents in Srinagar, the region’s main city, were busily downloading documents, software and applications onto their smartphones, which would likely be able to circumvent the social media block once it goes into effect. Many expressed relief to still have internet access Thursday morning.

“It was a welcome surprise,” said Tariq Ahmed, a 24-year-old university student. “It appears they’ve hit a technical glitch to block social media en mass.”

While the government has halted internet service in Kashmir in previous attempts to prevent anti-India demonstrations, this is the first time they have done so in response to the circulation of videos and photos showing alleged military abuse.

Others mocked the government. One Facebook post by Kashmiri writer Arif Ayaz Parrey said that the ban showed “the Indian government has decided to take on the collective subversive wisdom of cyberspace humanity.”

Kashmiris have been uploading videos and photos of alleged abuse for some years, but several recently posted clips, captured in the days surrounding a violence-plagued local election 9 April, have proven to be especially powerful and have helped to intensify anti-India protests.

One video shows a stone-throwing teenage boy being shot by a soldier from a few metres (yards) away. Another shows soldiers making a group of young men, held inside an armoured vehicle, shout profanities against Pakistan while a soldier kicks and slaps them with a stick. The video pans to a young boy’s bleeding face as he cries. Yet another clip shows three soldiers holding a teenage boy down with their boots and beating him on his back.

The video that drew the most outrage was of young shawl weaver Farooq Ahmed Dar tied to the hood of an army jeep as it patrolled villages on voting day. A soldier can be heard saying in Hindi over a loudspeaker, “Stone throwers will meet a similar fate,” as residents look on aghast.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-4-2017-aijaz-hussain-kashmir-telecom-firms-struggle-to-block-22-banned-social-media-sites

Kashmir’s information vacuum

Aayush Rathi and Akriti Bopanna — 2019-09-02T04:34:29Z

Legislative backing is being appropriated to normalise communication shutdowns.

The article by Aayush Rathi and Akriti Bopanna was published in the Hindu on August 29, 2019.

On August 4, around midnight, Jammu and Kashmir was thrust into a near total communication shutdown. In the continuing aftermath of the dilution of Article 370, cable television, cellular services, landline and Internet and even the postal services have been rendered inoperational. Even hospitals and fire stations have not been spared. While law enforcement personnel have been provided satellite phones, locals are having to queue up outside designated government offices and register the numbers they want to call. The blackout is all encompassing.

The erstwhile State of Jammu and Kashmir is accustomed to the flicking on of the “Internet killswitch”, but this indiscriminate embargo is unprecedented. The blocking of multi-point/two-way communication is quite frequent in Kashmir, with close to 55 instances of partial or complete Internet shutdowns being recorded just this year. Of the 347 cases of shutdown that have been imposed in India since 2012, 51% have been in Kashmir. The blocking of one-way communication media, such as cable television, however, is new. Even the measures adopted during the Kargil war in 1999 stopped short of blocking telephone lines.

Appearing for the incumbent government on a petition challenging the communications shutdown in Kashmir, the Attorney General of India, K.K. Venugopal, made the necessary-for-law-and-order argument.

However, recent research by Jan Rydzak looking exclusively at network shutdowns in India has shown no evidence backing this claim. On the contrary, network shutdowns have been shown to compel actors wanting to engage in collective action to substitute non-violent mobilisation for more violent means as the latter requires less coordination.

In dubious company

Network shutdowns have a limited and inconsistent effect on even structured, non-violent protests. Cross-country comparative research indicates that the shutdown of communication for achieving objectives of social control is usually the riposte of authoritarian regimes. The shroud of secrecy it creates allows for further controversial measures to be effected away from public scrutiny. Authoritarian regimes masquerading as liberal democracies are following suit. In 2016, the Turkish government had ordered the shutdown of over 100 media companies in the aftermath of a failed military coup. Earlier this year, Joseph Kabila’s government in the Democratic Republic of Congo had shut down Internet and SMS services for three weeks under the pretext of preventing the circulation of fake election results.

Mr. Venugopal further reassured the Supreme Court that the residents of Kashmir would experience the least amount of inconvenience. This line assumes that the primary use of telecommunication networks is for supposedly banal interpersonal interaction. What is forgotten is that these networks function both as an “infrastructure” and as medium of communication. Impacting either function has dire and simultaneous consequences on its use as the other. As an infrastructure, they are akin to a public utility and are foundational to the operation of critical systems such as water supply and finance.

In the Kashmir Valley, over half the business transactions are said to happen online. The payment of wages for the government-run employment guarantee scheme for unskilled manual labour is almost entirely made electronically — 99.56% in Jammu and Kashmir. The reliance on the Internet for bank-related transactions has meant that automated teller machines and banks are inoperative. What is telling is that the increasing recourse to network shutdowns as a law and order tool in India is also happening simultaneously with the government’s digitisation drive. Information flows are being simultaneously facilitated and throttled.

Ambiguous backing

Moreover, communication shutdowns have ambiguous legal backing. One approach imposes them as an order passed under Section 144 of the Code of Criminal Procedure. A colonial relic, Section 144 is frequently used for the imposition of curfew in ‘sensitive’ areas as a preventive measure against public demonstrations. This approach lacks procedural accountability and transparency. Orders are not mandated to be publicly notified; they do not identify the duration of the lockdown or envision an appeal mechanism.

Perhaps realising these challenges, the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017, notified under the Telegraph Act, do incorporate a review mechanism. However, reviewing officials do not have the authority to revoke a shutdown order even if it is deemed illegal. The grounds for effectuating any shutdown also have not been elaborated other than for ‘public emergency’ or ‘public safety’ — both these terms are undefined. Legislative backing, then, is being appropriated to normalise, not curb, communication shutdowns. Tellingly, the owner of an Internet service provider in Kashmir pointed out that with Internet shutdowns becoming so common, often the shape that an order takes is of a call from a government official, while the procedural documentation follows much later.

Treated as collateral damage in imposing communication blackouts are the fundamental freedoms of speech and expression, trade, and also of association. The imposition of Section 144 along with the virtual curfew is designed to restrict the freedom to assemble peacefully. Such preemptive measures assume that any assembly will be violent along with negating the potential utility of technological means in maintaining social order (such as responsible digital journalism checking the spread of rumours).

Most critically, this enables a complete information vacuum, the only salve from which is information supplied by the suppressor. Of the days leading up to August 5 and the days since, sparse information is publicly available. Local newspaper outlets in Kashmir are inoperational. This lack of information necessarily precludes effective democratic participation. Beneath the national security sentiments, a key motivation for network shutdown presents itself: that of political censorship through the criminalisation of dissent.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-august-29-2019-aayush-rathi-and-akriti-bopanna-kashmirs-information-vacuum

Karthikeyan R v Union of India

praskrishna — 2012-01-18T11:51:59Z

The court refused to direct the government to take proactive steps to curb access to Internet pornography stating that such matters require case-by-case analysis to be constitutionally valid under Article 19(1)(a) (Right to Freedom of Speech and Expression).

IN THE HIGH COURT OF JUDICATURE AT MADRAS

DATED :01-04-2010
CORAM

THE HONOURABLE MR. JUSTICE ELIPE DHARMA RAO
AND
THE HONOURABLE MR. JUSTICE K.K. SASIDHARAN
WRIT PETITION NO.20344 OF 2009 and M.P.No.l of 2009

Karthikeyan. R.
Advocate .. Petitioner
Vs.

Union of India,
Rep. by its Secretary,
Department of Telecommunications,
Sanchar Bhavan,
20, Ashoka Road,
New Delhi 110 001.
The Secretary,
Department of Information Technology,
Electronics Niketan,No.6, CGO Complex,
Lodhi Road, New Delhi 110 003.
The Secretary,
Department of Legal Affairs,
4th Floor, A-Wing, Shastri Bhavan,
New Delhi 110 001.
The Telecom Regulatory Authority of India,
Rep. by its Secretary,
Mahanagar Doorsanchar Bhawan,
Jawaharlal Nehru Marg, New Delhi 110 002.
The Secretary,
Department of Women and Child Development,
New Delhi.
State of Tamil Nadu,
Rep. by its Secretary,
Ministry of Information Technology,
Secretariat, Chennai 9.
The Asst. Commissioner of Police,
Cyber Crime Wing, Central Crime Branch,
Egmore, Chennai 8.
The Central Bureau of Investigation,
Rep. by its Director,
Block No.3, CGO Complex, Lodhi Road,
New Delhi 110 003.
Internet Service Provider's Association of India,
612-A, Chiranjiv Tower,
43, Nehru Place,
New Delhi 110 019.
Google India Private Limited,
No.3, RM2 Infinity Tower-E,
Old Madras Road,
Bangalore 560 016.
Yahoo Web Services India Private Limited,
801, Nicholas Piramal Towers,
Peninsula Corporate Park,
Lower Prel, Mumbai 400 013.
Microsoft Corporation India Private Ltd.,
Tower-A, DLF Cyber Greens,
DLF Cyber Citi, Sector 25A,
Gurgaon 122 002.
Rediff.com India Limited,
Mahalaxmi Engineering Estate,
L.J. Road No.1, Mahim (West),
Mumbai 400 016. .. Respondents

Petition filed under Article 226 of the Constitution of India for the issuance of Writ of Mandamus directing the respondents 1 to 4 to forthwith formulate censor rules and regulations and appoint a regulatory body to strictly enforce those rules monitoring online publications in internet, prohibiting obscene and pornographic publications and penalising the Internet Service Providers (ISPs) and search engine companies for offences and violations of licence conditions committed by them.

For Petitioner: Mr.P.T. Perumal

For Respondents 1 to 5: Mr.J. Ravindran, Asst.Solicitor General of India

For Respondents 6 & 7 : Mr. G. Desingu, Special Govt. Pleader

For Respondent 8: Mr. N. Chandrasekaran, Special Govt. Pleader

For Respondent 10: Mr. G. Balasubramanian for M/s. Poovayya & Co.

Respondents 9,11 to l3: No Appearance

ORDER

(Order of the Court was made by ELIPE DHARMA RAO, J)

Heard the learned counsel appearing for the parties.
The present writ petition has been filed in public interest for the issuance of Writ of Mandamus directing the respondents 1 to 4 to forthwith formulate censor rules and regulations and appoint a regulatory body to strictly enforce those rules monitoring online publications in internet, prohibiting obscene and pornographic publications and penalising the Internet Service Providers (ISPs) and search engine companies for offences and violations of licence conditions committed by them.
Though no counter affidavit has been filed on behalf of Respondents 1 to 5, the learned Assistant Solicitor General by placing reliance upon a recent unreported decision of the Mumbai High Court in Janhit Manch and Others v. Union of India IPI1 No. 155 of 2009), disposed of on 3.3.2010, submitted that the prayer in the writ petition before the Mumbai High Court is very much similar to the present writ petition and, as has been observed in the said decision, the present writ petition may also be disposed of.
We have carefully gone through the aforesaid decision relied on by the learned Assistant Solicitor General of India. In the said decision, the prayer made by the petitioners therein was to direct the respondents therein to make co-ordinated and sustained efforts, to have a blanket ban on websites which according to them are displaying material pertaining to sex and harmful to the youth of the country. The Division Bench, after hearing the contentions made on either side, observed as follows :

"By the present petition what the petitioner seeks is that this court which is a protector of free speech to the citizens of this country, should interfere and direct the respondents to make a coordinated and sustained efforts to close down the websites as aforestated. Once Parliament, in its wisdom has enacted a law and has provided for the punishment for breach of that law any citizen of this country including the Petitioner who is aggrieved against any action on the part of any other person which may amount to an offence has a right to approach the appropriate forum and lodge a complaint upon which the action can be taken if an offence is disclosed. Courts in such matters, the guardian of the freedom of free speech, and more so a constitutional court should not embark on an exercise to direct State Authorities to monitor websites. If such an exercise is done, then a party aggrieved depending on the sensibilities of persons whose views may differ on what is morally degrading or prurient will be sitting in judgment, even before the aggrieved person can lead his evidence and a competent court decides the issue. The Legislature having enacted the law a person aggrieved may file a complaint.

In the light of that we are not inclined to interfere in the exercise of our extra-ordinary jurisdiction. If the petitioner comes across any website/s which according to him publishes or transmits any act which amounts to offence under section 67 or 67A of the Information Technology Act, 2000, it is upto him to file a complaint.

With the above observations, Petition disposed of."
From the facts of the Janhit Manch case and the observations made therein, we are of the considered opinion that the ratio of the said decision squarely applicable to the facts of the present case inasmuch as in the present writ petition the relief sought for by the petitioner is to strictly enforce the rules monitoring online publications in internet and punish the persons violating such rules, which is indirectly made in the Janhit Manch case. Therefore, applying the ratio of the aforesaid decision, the present writ petition is disposed of. Moreover, we make it clear that if any complaint is made against the publishing or transmitting any obscene or pornographic publications, necessary steps should be taken by the respondents in accordance with law.
The writ petition is disposed of with the above observations. No costs. Consequently, the connected miscellaneous petition is closed.

With the above observations, Petition disposed of."
Sd/
Asst.Registrar
/true copy/
Sub Asst.Registrar

The Secretary,
Union of India,
Department of Telecommunications,
Sanchar Bhavan, 20, Ashoka Road,
New Delhi 110 001.
The Secretary,
Department of Information Technology,
Electronics Niketan,
No.6, CGO Complex, Lodhi Road,
New Delhi 110 003
The Secretary,
Department of Legal Affairs,
4th Floor, A-Wing, Shastri Bhavan,
New Delhi 110 001.
The Secretary,
The Telecom Regulatory Authority of Indie,
Mahanagar Doorsanchar Bhawan,
Jawaharlal Nehru Marg,New Delhi 110 002.
The Secretary,
Department of Women and Child Development,
New Delhi.
The Secretary,
State of Tamil Nadu,
Ministry of Information Technology,
Secretariat, Chennai 9.
The Asst. Commissioner of Police,
Cyber Crime Wing, Central Crime Branch, Egmore, Chennai 8.
The Director
Central Bureau of Investigation,
Block No.3, CGO Complex, Lodhi Road, New Delhi 110 003.

1 cc To M/s.P.T.Perumal i E.Bdwing, Advocates, SR.22010

1 cc To Mr.J.Ravindran, Asst.Solicitor, SR.22034

1 cc To M/s.Poovayya & Co., Advocates, SR.22221

1 cc To The Government Pleader, SR.21929

W.P.No.20344/2009
GR(CO)

srs 15/04/2010

For more details visit https://cis-india.org/internet-governance/resources/r-karthikeyan-v-union-of-india