We are anonymous, we are legion

What privacy? 13 crore Aadhaar numbers accessible on government portals

praskrishna — 2017-05-03T14:39:46Z

At least 13 crore Aadhaar numbers and 10 crore bank account numbers are readily accessible on government portals, a report claims.

The blog post by Anusha Ravi was published in Oneindia on May 2, 2017.

The centre for internet and society, in its report, has claimed that Aadhaar numbers with sensitive personal financial information were publicly available on four government portals built to oversee welfare schemes. The report said that the government portals made it easy to access sensitive details, despite it being illegal. "It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief," said Amber Sinha and Srinivas Kodali, the authors of the report.

Apart from accessing a person's details, the portals made it possible for anyone to get data on beneficiaries of welfare schemes. In many cases, it included bank account numbers of beneficiaries. The report suggests that close to 23 crore Aadhaar number could have been leaked if most of the government portals connected to direct benefit transfers used the 'same negligent standards for storing data as the ones examined'. "The document shows that the breaches are an indicator of potentially irreversible privacy harm and the data could be used for financial fraud," the authors said in the report. The report was documented after authors studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government's Chandranna Bima Scheme and Andhra Pradesh's Daily Online Payment Reports of NREGA.

The report said that sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information were easily available with a few clicks and suggested how poorly conceived these initiatives were. The report highlights that it was illegal to make personal data public and also refers to # #AadhaarLeaks, a campaign on twitter aimed at exposing the loopholes in the Aadhaar system.

For more details visit https://cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals

What lurks beneath the Network

nishant — 2012-08-25T07:10:38Z

There is a series of buzzwords that have become a naturalised part of discussions around digital social media—participation, collaboration, peer-2-peer, mobilisation, etc. Especially in the post Arab Spring world (and our own home-grown Anna Hazare spectacles), there is this increasing belief in the innate possibilities of social media as providing ways by which the world as we know it shall change for the better. Young people are getting on to the streets and demanding their rights to the future.

Nishant Shah's column on the North East exodus and digital networks was published in Down to Earth magazine on August 24, 2012

Citizens are mobilising themselves to overthrow authoritarian governments. Socio-economically disadvantaged people, who have always been an alternative to the mainstream, are finding ways of expressing themselves through collaborative practices. Older boundaries of nation, region and body are quickly collapsing as we all become avatars of our biological selves, occupying futures that were once available only to science fiction heroes.

To this list of very diverse phenomena, I want to add the recent tragic and alarming exodus of people from the north eastern states, from the city of Bengaluru, where I live. There might not be many connections between this state of fear which instigated thousands of people, fearing their safety and security, to leave Bengaluru and return home and the global spectacles of political change that I listed earlier. And yet, there is something about the digital networks, the social web and the ways in which they shape our information societies, that needs to be thought through. In the Arab Spring like events, which are events of global spectacle, there is a certain imagination of digital technologies and its circuits that gets overturned.

These events challenge the idea that digital networks are always outward looking—connecting us to somebody and someplace ‘out there’ in a world that is quickly getting flat—and show how these networks actually create new local and specific communities around information production, consumption and sharing. These networks that connect people in their information practices, often make themselves simultaneously ubiquitous and invisible. So that the interfaces that we operate through—laptops, cellphones and other portable computing devices—become such a part of our everyday life, that we stop noticing them. They are a natural element of our everyday mechanics of urban survival, and in their omnipresence, become invisible.

This invisibility or naturalisation of the digital technologies, often make us forget the intricate and inextricable way in which they are woven into our basic survival strategies. Especially with the younger generation that has ‘grown up digital’, the interface, the gadget and the network is the default space that they turn to for their everyday needs. We develop intimate relationships with these technologised circuits, making them such a part of our quotidian existence that we often forget that these technologies are external to us. Which is why we come across articulations like, “I love my computer because my friends live in it,” or “I feel amputated when you take away my cell-phone”. These are ways in which we naturalise and internalise the digital technologies that we live in and live with. However, in times of crises, we suddenly realise the separation, as the technologies make themselves present, unable to sustain the new conditions of crises. It would be fruitful to see then that the eruption in our seamless connection with the digital technologies is a sign of an external crisis –something that we have seen in the Arab Spring or the Anna Hazare campaign, where these networks became visible to signal towards an external crisis. The emergence of networks into public view is a symptom that there is something that has gone wrong and so we see the separation of the digital ecosystem from its external reality and context.

The unexpected visibility of the network indicates that the regular information ecologies have been disrupted, the contexts which support community interaction at the local level have been changed, and those changes need to be accounted for and addressed in order for the network to become the transparent infrastructure of new urban communities again. In many ways, it resonates with the science fiction logic of the Matrix Trilogy where, if you can see the matrix, it means that something has gone wrong in the fabric of reality and it needs to be fixed.

The exodus of the north eastern people also needs to be examined in this context. In an immigrant city like Bengaluru, the sense of belonging and community is often deeply mediated by the digital ecologies of information sharing. Beneath the veneer of a global city that is to connect with the external world, there is also a huge network of local, specific and invisible practices that do not become a part of the global spectacle of digital technologies, and operate in a condition of relative invisibility. However, when the logic of a migrant city gets disrupted because the conditions of its work force get threatened, these networks go into an overdrive. They become gossip and rumour mills. They become visible and suddenly create conditions of fear, danger and crisis that were unexpected. And so, without a warning, over-night, a huge number of people, who were a part of these networks, decided to abandon their lives and head home, because the larger social, cultural and political threats transmitted through these local networks before they could become global spectacles that we could consume.

A large part of the people fleeing the city had already crowded the trains and left their lives behind, before any attempt at regulation or control could be made. All kinds of post-facto theories about the real or perceived nature of the threat, the actual cases of violence, and the conditions of life in the IT City have emerged since then. However, in all these theories is a recognition that the crisis which led to this phenomenon lingers on and cannot be addressed. There is no particular person to hold responsible. The few scattered incidents of attacks, violence or intimidation have been recognised as strategic and opportunistic interventions by local regressive groups. All in all, we have a condition where something drastic and dramatic has happened and there is no real or material person or group of people who can be blamed for it. And so, instead of addressing the crisis and the conditions which led to the exodus, we have committed an ellipsis, where we have made technology the scape-goat of our problems.

And we have done this repeatedly in the history of technology and crises in India. In the early days, when the notorious Delhi Public School MMS clip that captured two under-age students in sexual activity, became hugely visible, instead of addressing the problem at hand, we eventually set up a committee to regulate the conditions of cultural production and distribution online. During the horrifying bomb-attacks in the trains in Mumbai, we tried to block Blogspot and curtail information online as if technology was the reason that these acts were made possible. Last year, Dr. Sibal’s attempts at establishing a pre-censorship regime on information on the social web, because he encountered material that was disrespectful to the Congress party leader Mrs. Gandhi, sought to regulate the web rather than look at the political discontent and dissent that was being established through those articulations. Because there was no way by which the local situation could be controlled or contained, technology became the only site of regulation, inspiring draconian measures that limit the volume of text messaging and try and censor the web for lingering traces of the information mill that catalysed and facilitated this exodus.

This is a remarkable ellipsis where the actual problem – the conditions of life and safety in our global cities – is hidden under a perceived problem, which is the sudden visibility of a digital information ecosystem which was not apparent to us hitherto. And while there is no denying that at the level of tactics, for immediate fire-fighting this kind of regulation is important, nay, necessary, we also need to realise that at the level of strategy, these kinds of knee-jerk regulatory mechanisms are not a resolution of the problem. These laws and attempts at censorship are neither going to correct what has happened, nor are they going to be potent enough to curb such networked information sharing in the future. They are symbolic tactics that are trying to correct the crisis – the feeling of fear and danger – and in that, they do their job well in establishing some sense of control over the quickly collapsing world. However, we need to look beyond the visibility of this network, and realise that the crisis is not its emergence or its functioning but at something else that lurks behind the facade of the network.

Nishant Shah is director (research), Centre for Internet and Society, Bengaluru

For more details visit https://cis-india.org/internet-governance/down-to-earth-org-nishant-shah-aug-24-2012-what-lurks-beneath-the-network

What is the problem with ‘Ethical AI’? An Indian Perspective

Arindrajit Basu and Pranav M.B. — 2019-07-21T14:57:08Z

On 22 May 2019, the OECD member countries adopted the OECD Council Recommendation on Artificial Intelligence. The Principles, meant to provide an “ethical framework” for governing Artificial Intelligence (AI), were the first set of guidelines signed by multiple governments, including non-OECD members: Argentina, Brazil, Colombia, Costa Rica, Peru, and Romania.

The article by Arindrajit Basu and Pranav M.B. was published by cyberBRICS on July 17, 2019.

This was followed by the G20 adopted human-centred AI Principles on June 9th. These are the latest in a slew of (at least 32!) public, and private ‘Ethical AI’ initiatives that seek to use ethics to guide the development, deployment and use of AI in a variety of use cases. They were conceived as a response to a range of concerns around algorithmic decision-making, including discrimination, privacy, and transparency in the decision-making process.

In India, a noteworthy recent document that attempts to address these concerns is the National Strategy for Artificial Intelligence published by the National Institution for Transforming India, also called NITI Aayog, in June 2018. As the NITI Aayog Discussion paper acknowledges, India is the fastest growing economy with the second largest population in the world and has a significant stake in understanding and taking advantage of the AI revolution. For these reasons the goal pursued by the strategy is to establish the National Program on AI, with a view to guiding the research and development in new and emerging technologies, while addressing questions on ethics, privacy and security.

While such initiatives and policy measures are critical to promulgating discourse and focussing awareness on the broad socio-economic impacts of AI, we fear that they are dangerously conflating tenets of existing legal principles and frameworks, such as human rights and constitutional law, with ethical principles – thereby diluting the scope of the former. While we agree that ethics and law can co-exist, ‘Ethical AI’ principles are often drafted in a manner that posits as voluntary positive obligations various actors have taken upon themselves as opposed to legal codes they necessarily have to comply with.

To have optimal impact, ‘Ethical AI’ should serve as a decision-making framework only in specific instances when human rights and constitutional law do not provide a ready and available answer.

Vague and unactionable

Conceptually, ‘Ethical AI’ is a vague set of principles that are often difficult to define objectively. In this perspective, academics like Brett Mittelstadt of the Oxford Internet Institute argues that unlike in the field of medicine – where ethics has been used to design a professional code, ethics in AI suffers from four core flaws. First, developers lack a common aim or fiduciary duty to a consumer, which in the case of medicine is the health and well-being of the patient. Their primary duty lies to the company or institution that pays their bills, which often prevents them from realizing the extent of the moral obligation they owe to the consumer.

The second is a lack of professional history which can help clarify the contours of well-defined norms of ‘good behaviour.’ In medicine, ethical principles can be applied to specific contexts by considering what similarly placed medical practitioners did in analogous past scenarios. Given the relative nascent emergence of AI solutions, similar professional codes are yet to develop.

Third is the absence of workable methods or sustained discourse on how these principles may be translated into practice. Fourth, and we believe most importantly, in addition to ethical codes, medicine is governed by a robust and stringent legal framework and strict legal and accountability mechanisms, which are absent in the case of ‘Ethical AI’. This absence gives both developers and policy-makers large room for manoeuvre.

However, such focus on ethics may be a means of avoiding government regulation and the arm of the law. Indeed, due to its inherent flexibility and non-binding nature, ethics can be exploited as a piecemeal red herring solution to the problems posed by AI. Controllers of AI development are often profit-driven private entities, that gain reputational mileage by using the opportunity to extensively deliberate on broad ethical notions.

Under the guise of meaningful ‘self-regulation’, several organisations publish internal ‘Ethical AI’ guidelines and principles, and fund ethics research across the globe. In doing so, they occlude the shackles of binding obligation and deflect from attempts at tangible regulation.

Comparing Law to Ethics

This is in contrast to the well-defined jurisprudence that human rights and constitutional law offer, which should serve as the edifice of data-driven decision making in any context.

In the table below, we try to explain this point by looking at how three core fundamental rights enshrined both in our constitution and human rights instruments across the globe-right to privacy, right to equality/right against discrimination and due process-find themselves captured in three different sets of ‘Ethical AI frameworks.’ One of these inter-governmental (OECD), one devised by a private sector actor (‘Google AI’) and one by our very own, NITI AAYOG.

With the exception of certain principles,most ‘Ethical AI’ principles are loosely worded as ‘‘seek to avoid’, ‘give opportunity for’, or ‘encourage’. A notable exception is the NITI AAYOG’s approach to protecting privacy in the context of AI. The document explicitly recommends the establishment of a national data protection framework for data protection, sectoral regulations that apply to specific contexts with the consideration of international standards such as GDPR as benchmarks. However, it fails to reference available constitutional standards when it discusses bias or explainability.

Several similar legal rules that have been enshrined in legal provisions -outlined and elucidated through years of case law and academic discourse – can be utilised to underscore and guide AI principles. However, existing AI principles do not adequately articulate how the legal rule can actually be applied to various scenarios by multiple organisations.

We do not need a new “Law of Artificial Intelligence” to regulate this space. Judge Frank Easterbrook’s famous 1996 proclamation on the ‘Law of the Horse’ through which he opposed the creation of a niche field of ‘cyberspace law’ comes to mind. He argued that a multitude of legal rules deal with ‘horses’, including the sale of horses, individuals kicked by horses, and with the licensing and racing of horses. Like with cyberspace, any attempt to arrive at a corpus of specialised ‘law of the horse’ would be shallow and ineffective.

Instead of fidgeting around for the next shiny regulatory tool, industry, practitioners, civil society and policy makers need to get back to the drawing board and think about applying the rich corpus of existing jurisprudence to AI governance.

What is the role for ‘Ethical AI?’

What role can ‘ethical AI’ then play in forging robust and equitable governance of Artificial Intelligence? As it does in all other societal avenues, ‘ethical AI’ should serve as a framework for making legitimate algorithmic decisions in instances where law might not have an answer. An example of such a scenario is the Project Maven saga – where 3,000 Google employees signed a petition opposing Google’s involvement with a US Department of Defense project by claiming that Google should not be involved in “the business of war.” There is no law-international or domestic that suggests that Project Maven-which was designed to study battlefield imagery using AI, was illegal. However, the debate at Google proceeded on ethical grounds and on the application of the ‘Ethical AI’ principles to this present context.

We realise the importance of social norms and mores in carving out any regulatory space. We also appreciate the role of ethics in framing these norms for responsible behaviour. However, discourse across civil society, academic, industry and government circles all across the globe needs to bring law back into the discussion as a framing device. Not doing so risks diluting the debate and potential progress to a set of broad, unactionable principles that can easily be manipulated for private gain at the cost of public welfare.

For more details visit https://cis-india.org/internet-governance/blog/what-is-the-problem-with-2018ethical-ai2019-an-indian-perspective

What is net neutrality and why it is important

praskrishna — 2014-02-03T08:24:34Z

Internet is built around the idea of openness. It allows people to connect and exchange information freely, if the information or service is not illegal.

The article was published in the Times of India on January 20, 2014. Sunil Abraham is quoted.

Much of this is because of the idea of net neutrality. If you like the current state of the internet, you should know about net neutrality. Many web users are aware of it. But if you are not, don't worry. We explain it here:

What is net neutrality?
Net neutrality is an idea derived from how telephone lines have worked since the beginning of the 20th century. In case of a telephone line, you can dial any number and connect to it. It does not matter if you are calling from operator A to operator B. It doesn't matter if you are calling a restaurant or a drug dealer. The operators neither block the access to a number nor deliberately delay connection to a particular number, unless forced by the law. Most of the countries have rules that ask telecom operators to provide an unfiltered and unrestricted phone service.

When the internet started to take off in 1980s and 1990s, there were no specific rules that asked that internet service providers (ISPs) should follow the same principle. But, mostly because telecom operators were also ISPs, they adhered to the same principle. This principle is known as net neutrality. An ISP does not control the traffic that passes its servers. When a web user connects to a website or web service, he or she gets the same speed. Data rate for Youtube videos and Facebook photos is theoretically same. Users can access any legal website or web service without any interference from an ISP.

Some countries have rules that enforce net neutrality but most don't. Instead, the principle is followed because that is how it has always been. It is more of a norm than a law.

How did net neutrality shape the internet?
Net neutrality has shaped the internet in two fundamental ways.

One, web users are free to connect to whatever website or service they want. ISPs do not bother with what kind of content is flowing from their servers. This has allowed the internet to grow into a truly global network and has allowed people to freely express themselves. For example, you can criticize your ISP on a blog post and the ISP will not restrict access to that post for its other subscribers even though the post may harm its business.

But more importantly, net neutrality has enabled a level playing field on the internet. To start a website, you don't need lot of money or connections. Just host your website and you are good to go. If your service is good, it will find favour with web users. Unlike the cable TV where you have to forge alliances with cable connection providers to make sure that your channel reaches viewers, on internet you don't have to talk to ISPs to put your website online.

This has led to creation Google, Facebook, Twitter and countless other services. All of these services had very humble beginnings. They started as a basic websites with modest resources. But they succeeded because net neutrality allowed web users to access these websites in an easy and unhindered way.

What will happen if there is no net neutrality?
If there is no net neutrality, ISPs will have the power (and inclination) to shape internet traffic so that they can derive extra benefit from it. For example, several ISPs believe that they should be allowed to charge companies for services like YouTube and Netflix because these services consume more bandwidth compared to a normal website. Basically, these ISPs want a share in the money that YouTube or Netflix make.

Without net neutrality, the internet as we know it will not exist. Instead of free access, there could be "package plans" for consumers. For example, if you pay Rs 500, you will only be able to access websites based in India. To access international websites, you may have to pay a more. Or maybe there can be different connection speed for different type of content, depending on how much you are paying for the service and what "add-on package" you have bought.

Lack of net neutrality, will also spell doom for innovation on the web. It is possible that ISPs will charge web companies to enable faster access to their websites. Those who don't pay may see that their websites will open slowly. This means bigger companies like Google will be able to pay more to make access to Youtube or Google+ faster for web users but a startup that wants to create a different and better video hosting site may not be able to do that.

Instead of an open and free internet, without net neutrality we are likely to get a web that has silos in it and to enter each silo, you will have to pay some "tax" to ISPs.

What is the state of net neutrality in India?
Legally, the concept of net neutrality doesn't exist in India. Sunil Abraham, director of Centre for internet and Society in Bangalore, says that Trai, which regulates the telecom industry, has tried to come up with some rules regarding net neutrality several times. For example it invited comments on the concept of net neutrality from industry bodies and stakeholders in 2006. But no formal rules have been formed to uphold and enforce net neutrality.

However, despite lack of formal rules, ISPs in India mostly adhere to the principal of net neutrality. There have been some incidents where Indian ISPs have ignored net neutrality but these are few and far between.

Will the concept of net neutrality survive?
Net neutrality is sort of gentlemen's agreement. It has survived so far because few people realized the potential of internet when it took off around 30 years ago. But now when the internet is an integral part of the society and incredibly important, ISPs across the world are trying to get the power to shape and control the traffic. But there are ways to keep net neutrality alive.

Consumers should demand that ISPs continue their hands-off approach from the internet traffic. If consumers see a violation of net neutrality, they ought to take a proactive approach and register their displeasure with the ISP. They should also reward ISPs that uphold the net neutrality.

At the same time, as Abraham says, Trai needs to come out with a set of clear and precise rules that protect the net neutrality. "We have started seeing ISPs trying to take control of the traffic that flows from their servers but Trai can regulate them. It can keep the internet open and consumer-friendly by forming rules that protect net neutrality. These are early days so it is easy to do. If ISPs manage to change the system, it may become too late," he says.

For more details visit https://cis-india.org/news/times-of-india-january-20-2014-what-is-net-neutrality-and-why-is-it-important

What is Dilligaf?

nishant — 2011-12-01T09:52:53Z

On the web, time moves at the speed of thought: Groups emerge, proliferate and are abandoned as new trends and fads take precedence. Nowhere else is this dramatic flux as apparent as in the language that evolves online. While SMS lingo – like TTYL (Talk To You Later) and LOL (Laughing Out Loud)– has endured and become a part of everyday language, new forms of speech are taking over.

“Leetspeak” or “L33t” (derived the word “elite”), for example, incorporate numbers in words, giving geeks their own language. One that they use to bypass firewalls and filters trained to recognize certain words – so in “l33t”-speak, porn becomes Pr0n, and onwards moves mankind.

These mutations are not permanent: Like organisms, they grow to form new constellations of words and expressions demanding that users keep pace. And while purists have bled their hearts out, lamenting the savage attack on the language and grammar that digital technology has spawned, there is also a recognition of the fact that these linguistic developments are not merely experiments – they capture the spirit of a democratized knowledge system and the opening up of the information highway. User-generated content sites like Wikipedia, YouTube and Tumblr embody these acronyms and attitudes, where any attempt at regulation, control or imposition of authority is usually met with the reply – DILLIGAF (Do I Look Like I Give A F***)?

DILLIGAFers – people who live a significant part of their lives online – might scoff at older forms of institutional control, but they don’t necessarily live in a space of anarchy, either. For example, academic credentials, institutional affliations and geopolitical location might not bear the same weight on Wikipedia as while writing a book, but there are other ways in which digital rank can be pulled. Your overall Internet experience, editing history and ability to garner mass support for your views are more important in determining your place in Wikipedia’s hierarchy. Any attempt at pulling rank with assets like money, influence or name are casually discarded with succinct exclamations like WTF (What The F***) and BFD (Big F****ing Deal).

One of the defining characteristics of the DILLIGAF generation is their fiercely independent spirit. While they’re constantly connected and incessantly sharing information, they are also terribly alone. When it comes to searching for information, finding people or exploring the web, personal skills with different digital tools and platforms makes one independent. In fact, one of the deterrents for the less technically inclined to join online communities is the idea that they’re supposed to find their own way as they tread unknown digital paths. Hence, DILLIGAFers often resort to acronyms like RTFM (Read The F***ing Manual) for people (read: the rest of us) who ask for information that can be easily found. And with the rapid Googlization of the world, an obvious question is met with an obvious answer – RTFG (Read The F****ing Google).

Geeks have invented many interesting and creative acronyms to make their voices heard, and while some of the acronyms predate the Internet, they often capture the irony of online and offline existence. SNAFU (Situation Normal: All F***ed Up), an acronym that supposedly emerged in America during the Second World War, often finds its way into describing the complexity of our lives. The dramatic nature of interactions, the struggle to establish trust and the complex structure of experiences all find voice online. FML (F*** My Life), an acronym as well as a popular networking site, is a sterling example of such a space, where people share stories of how things went wrong for them, allowing other users to rate their stories on a sympathy meter.

One of the most delicious ironies of the online space is that while irreverence might find a way into acronyms, unnecessary profanity is looked down upon. If you go around swearing on discussion pages, you will immediately be ostracized, and quite possibly asked to STFU (Shut The F*** Up).

This article by Nishant Shah was published in GQ India on September 4, 2011.

For more details visit https://cis-india.org/internet-governance/what-is-dilligaf

What India can Learn from the Snowden Revelations

elonnai — 2013-10-25T07:29:57Z

Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.

The title of the article was changed in the version published by Yahoo on October 23, 2013.

Since the ‘Snowden revelations’, which uncovered the United States government’s massive global surveillance through the PRISM program, there have been reactions aplenty to their impact.

The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.

The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.

Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.

This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.

India’s reaction

After the first news of the Snowden revelations, the Indian Supreme Court agreed to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.

The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.

In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take.

For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.

To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same.

In India, P. Rajeev, Member of Parliament from Kerala, has started a petition asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.

The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been voiced by many, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal Mutual Legal Assistance Treaty process, it does not necessarily enhance the privacy of Indian data.

As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.

Snooping

The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India.

For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually set up servers in Mumbai and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from Skype and Google. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.

Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive.

The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.

The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing a privacy legislation.

In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote The Report of the Group of Experts on Privacy, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.

The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.

For example, telecoms in India are now required to include user location data as part of the ‘call detail record’ and be able to provide the same to law enforcement agencies on request under provisions in the Unified Access Service and Internet Service Provider Licenses.

At the same time, the Government of India is in the process of putting in place a Central Monitoring System that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.

Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.

If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.

Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.

Policy vacuum

For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe.

When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.

In 2013, the International Principles on the Application of Human Rights to Communications Surveillance were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications.

When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.

Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.

For more details visit https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations

What if the Net shut down for a few days

praskrishna — 2013-04-03T11:01:38Z

When spammers attacked Spamhaus, a European spam-fighting group in what was billed as the "biggest cyber attack in history", they managed to temporarily slow down the internet. But what if dedicated attackers succeeded in shutting down the internet for a longer time, maybe a few days? What would be the potential impact of such a scenario in a world where crucial data is stored on emails, most financial transactions have shifted online and an entire generation has grown up not realising what life without the web could be like?

The article by Atul Sethi was published in the Times of India on March 30, 2013. Sunil Abraham is quoted.

"The thought itself is frightening," says Vijay Mukhi, president of the Foundation of Information Security and Technology and co-founder of the Internet Users Community of India. "Most people use their email or cloud computing to store their data. What happens when you can't access your crucial information? Also, financial activity in the absence of the internet will come to a standstill since there would be no money flow happening between banks or transactions in the stock market. The implications are huge. And I'm not even thinking of the withdrawal symptoms that many youngsters are going to go through when they can't log on. "

However, contrary to the horror that this situation might elicit from those whose lives revolve around the web, the impact on India, at least, should not be much, says Sunil Abraham, director of the Bangalore-based Centre for Internet and Society. "An internet blackout in India can at most be compared to a bandh. Life becomes uncomfortable but it still goes on. This is because in India, the internet is used by just about 20% of the population. At the most, one can argue that since this 20% also constitutes the elite of the country - bureaucrats, politicians, businessmen, media, etc, any disruption in their work could also affect the remaining 80% of the country indirectly."

Even though complete shutdown of the internet is believed to be virtually impossible - since it is made up of thousands of interconnections which ensure its infallibility - hackers haven't stopped trying as the latest cyber attack shows. Internet security consultant Ankit Fadia points out that the only way somebody can bring down the internet is if a few million hackers combine together as part of a sustained project. "Even then, it's a remote possibility that they can pull it off," he says.

If it does happen, though, remember to polish up your letter-writing skills and go over to your friend's house if you want to chat.

For more details visit https://cis-india.org/news/times-of-india-atul-sethi-march-30-2013-what-if-the-net-shut-down-for-a-few-days

What Frameworks for Cross-Border Online Communities and Services

praskrishna — 2012-12-05T00:10:27Z

Chinmayi Arun, Assistant Professor at National Law University India and Fellow at the CIS India, talks about the Internet Governance Forum 2012 Workshop 154 "What Frameworks for Cross-Border Online Communities and Services", which was hosted by the Internet & Jurisdiction Project on November 8, 2012.

Panelists:

Chinmayi Arun, National Law University India and Fellow at CIS India
Brian Cute, CEO at PIR (.org)
Lee Hibbard, Media and Information Society Division at Council of Europe
Konstantinos Komaitis, Policy Advisor at Internet Society
Michael Niebel, Internet Policy Development at European Commission
Patrick Ryan, Policy Councel Open Internet at Google

More information at www.internetjurisdiction.net

Video by the Internet Governance Forum

For more details visit https://cis-india.org/news/frameworks-for-cross-border-online-communities-and-services

What Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?

pranesh — 2015-04-05T05:08:37Z

Given India's online population, the number of user data requests made by the Indian government aren't very high, but the number of content restriction requests are not only high on an absolute number, but even on a per-user basis.

Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany. Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do. I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.

Since the Prime Minister of India Shri Narendra Modi has stated that "transparency and accountability are the two cornerstones of any pro-people government", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.

At the same time, Facebook's Global Government Requests Report implicitly showcases governments as the main causes of censorship and surveillance. This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, it's banning of pseudonymity, and the surveillance it carries out for its advertisers.

For more details visit https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy

What Centre will tell Supreme Court on Aadhaar and social media account linkage

Amrita Madhukalya — 2019-09-02T04:28:45Z

The top court had held in the Aadhaar case that the government can make the linking of the 12-digit-number mandatory only in the case of availing subsidies and welfare benefits. Consequently, Section 57 of the Aadhaar Act was struck down.

The article by Amrita Madhukalya was published in Hindustan Times on August 28, 2019. Gurshabad Grover was quoted.

The Centre will refer to the Aadhaar Act and the Supreme Court’s 2017 privacy judgement when it is directed by the top court to put forward its view on whether the unique identification number should be made mandatory in opening and managing accounts on Facebook, Twitter, WhatsApp and other social media platforms.

“While we are yet to receive a notice from the SC asking for our reply, the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, and the apex court’s 2017 judgement upholding the Right to Privacy will guide us in drafting a response,” a senior official of the ministry of electronics and information technology, who did not wish to be named, said.

As a division bench of Madras High Court continues to hear two writ petitions on whether social media profiles should be linked to Aadhaar so that users in cases where pornographic material, fake news and communal content is posted on these sites can be traced, Facebook had simultaneously filed a plea to transfer all similar cases in the high courts of Madras, Bombay as well as Madhya Pradesh. The top court will hear the matter on September 13.

During its hearings, Madras High Court made it clear that it will not rule on Aadhaar-linking and the case will concentrate on traceability now. As of now, only one of the transfer petitions, the one in Jabalpur, deals with Aadhaar linking.

Meanwhile, the top court has already asked social media companies for their stand on the matter. Senior lawyers Mukul Rohatgi and Kapil Sibal, who have been representing Facebook and WhatsApp respectively in Madras High Court case, have already said that as both the companies are headquartered outside of India, with operations in dozens of countries, the high court’s judgement will have ramifications globally.

Both Twitter and Google declined to comment on the matter, as the matter is sub-judice, while Facebook was not available.

However, in March this year, Facebook CEO Mark Zuckerberg said that privacy, encryption and secure data storage were some of these principles while unveiling the company’s “vision and principles” in building a “privacy-focused” social platform.

Wherein people can have “clear control over who can communicate with them and confidence that no one else can access what they share”, such communication could be secure with end-to-end encryption, and Facebook will not store sensitive data in countries with “weak records on human rights”.

Gurshabad Grover of the Centre for Internet Security says he welcomes the Centre’s stand but adds that the petition should not have been allowed by the Madras High Court in the first place.

“The case is now deliberating on policy, which is the responsibility of the government. This goes against the basis of separation of power,” he says.

The Centre is dealing with issues surrounding traceability through the Intermediaries Guidelines, which is due in the next few weeks.

The solution, Grover says, lies in diplomatic negotiations.

“Instruments like the US’ Clarifying Lawful Overseas Use of Data Act can come in handy if India can fight for better executive agreements there, provided we have data protection laws in line with human rights standards,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage

What Bengaluru Thinks of the Big Tech Announcements in Silicon Valley

praskrishna — 2015-10-18T13:26:35Z

There is a split verdict on the big tech announcements made out of California during the Prime Minister's visit, in the desi version of Silicon Valley - Bengaluru.

This was published by NDTV on September 29, 2015. Pranesh Prakash was quoted.

Companies here are still assessing how they will be impacted by the big connectivity projects that Google, Microsoft and others announced when Prime Minister Narendra Modi dropped in at Silicon Valley, the global hub for innovation and technology, over the weekend.

CEO Sunder Pichai said Google would tie up with the government to provide free Wi-Fi at 500 railway stations across the country. Microsoft's Satya Nadela said his company would take broadband connectivity to five lakh villages across the country.

And that its cloud services would operate out of India's data centres.

Some smaller companies in Bengaluru hope they will get some business when these giant projects are implemented. "Smaller companies like ours would be hoping we get a share of the pie when it comes to implementation. The government should ensure that," said Soujanya Prakash, a General Manager at Vee Technologies, to NDTV. Vee one of the companies assigned to implement part of the massive Aadhar identity card project.

Ms Prakash said companies like Microsoft and Google bring great technological expertise with them.

Pranesh Prakash, Policy Director for the Centre for Internet and Technology, had a word of caution as he voiced concern about the privacy policies of some big global companies. "The government should push for a strong data protection regime in India and force these companies to abide by that," he said.

Mr Prakash also said, "These companies need India more than we need them since there are more than one billion customers here. The Indian government must be wise in using this bargaining power."

For more details visit https://cis-india.org/internet-governance/news/ndtv-maya-sharma-september-29-2015-what-bengaluru-thinks-of-big-tech-announcements-in-silicon-valley

What Are You Accused of? Find Out Online

praskrishna — 2011-04-01T16:48:30Z

Starting Tuesday, police authorities in the Indian capital will make many crime reports, also known as First Information Reports, publicly accessible from its Web site. The report can be attained by entering details such as the name of the accused or victim and also the area where the crime took place. So far, no crime reports have been posted on the Web site.

The step is meant to help people who have been accused of a crime, and who aren’t able to find out from police—or who are perhaps reluctant to approach a police station—find out what exactly they’re supposed to have done.

“In case a police officer refuses to reveal the First Information Report, the accused can get a copy online and defend himself,” Rajan Bhagat, Delhi police spokesman told India Real Time Tuesday.

After police register a crime report, they’re supposed to carry out an investigation and then decide whether or not to bring charges.

Mr. Bhagat said the crime reports were being put online to comply with a 35-page Delhi High Court order on December 6.

“The liberty of an individual is inextricably linked with his right to be aware how he has been booked under law and on what allegations,” the court said at the time in an order that quotes Cuban revolutionary José Martí .

Mr. Bhagat said the software for uploading the FIRs has been installed at all police stations across the capital. The crime report is supposed to be made available online within 24 hours after a crime is registered.

Depending on whether the crime reports are searchable or not, and if people other than those named in the reports can access them, they could also prove useful for analyzing crime patterns in the city.

Of course, there exists some ambiguity in the new process, including how many crime reports will actually end up being uploaded online.

Crime reports for offences categorized as “sensitive” need not be uploaded. These include issues of terrorist acts, crimes relating to national security, rape, murder, kidnapping for ransom and “cases in which desperate gangsters are involved and there is the danger of witnesses or the complainant being intimidated,” the court order said.

“We cannot reveal the identity of serious criminals; this can hamper the investigation process,” said Mr. Bhagat, adding that the decision for a crime report not to be uploaded must be made by a senior police officer together with a local magistrate from the area where the crime was committed.

Some legal experts aren’t happy about the “selective” airing of information by the Delhi police.

“The service would be a complete failure,” said Pinaki Misra, senior counsel at the Delhi High Court.

Mr. Misra said the First Information Report is a public document–the first step towards registering criminal activity–and it should be freely accessible.

“There’s no reason why such information should be deemed confidential and selectively uploaded,” he said.

But others said there was good reason to avoid making a crime report public in some cases, such as to protect the identity of victims of sexual crimes, or even to protect suspects in cases where crimes could instigate violence against them.

Sunil Abraham, executive director at the Center for Internet and Society, a think-tank based in Bangalore, said the Delhi police’s new initiative was “a positive step with necessary safeguards.”

He added that the disclosure of too much information by police or other investigating agencies can sometimes lead to incidents of “mob justice,” pointing to recent occasions where bystanders have attacked people involved in highly publicized cases at their court appearances.

“The onus now is on the Delhi police as to how and what they put it in actual practice,” Mr. Abraham said.

Read the original here

For more details visit https://cis-india.org/news/what-are-you-accused

What Are The Consumer Protection Concerns With Crypto-Assets?

Aman Nair and Vipul Kharbanda — 2022-07-18T15:22:02Z

Existing consumer protection regulations are not sufficient to cover the extent of protection that a crypto-investor would require.

The article was published in Medianama on July 8, 2022

Crypto-asset regulation is at the forefront of India’s financial regulator’s minds. On the 6th of June, the Securities and Exchange Board of India (SEBI) in a response to the Parliamentary Standing Committee on Finance expressed clear consumer protection concerns associated with crypto-assets.

This statement follows multiple notices issued by the Reserve Bank of India (RBI) warning consumers of the risks related to crypto-assets, and even a failed attempt to prevent banks from transacting with any individual trading crypto-assets. Yet, in spite of these multiple warnings, and a significant drop in trading volume due to the introduction of a new taxation structure, crypto-assets still have managed to establish themselves as a legitimate financial instrument in the minds of many.

Recent global developments, however, seem to validate the concerns held by both the RBI and SEBI.

The bear market that crypto finds itself in has sent shockwaves throughout the ecosystem, crippling some of the most established tokens in the space. Take, for example, the death spiral of the algorithmic stablecoin Terra USD and its sister token Luna—with Terra USD going from a top-10-traded crypto-token to being practically worthless. The volatility of token prices has had a significant knock-on effect on crypto-related services. Following Terra’s crash, the Centralised Finance Platform (CeFi) Celsius—which provided quasi-banking facilities for crypto holders—also halted all withdrawals. More recently, the crypto-asset hedge fund Three Arrows also filed for bankruptcy following its inability to meet its debt obligations and protect its assets from creditors looking to get their money back.

Underpinning these stories of failing corporations are the very real experiences of investors and consumers—many of whom have lost a significant amount of wealth. This has been a direct result of the messaging around crypto-assets. Crypto-assets have been promoted through popular culture as a means of achieving financial freedom and accruing wealth quickly. It is this narrative that lured numerous regular citizens to invest substantial portions of their income into crypto-asset trading. At the same time, the crypto-asset space is littered with a number of scams and schemes designed to trick unaware consumers. These schemes, primarily taking the form of ‘pump and dump’ schemes, represent a significant issue for investors in the space.

It seems, therefore, that any attempt to ensure consumer protection in the crypto-space must adopt two key strategies:

First, it must re-orient the narrative from crypto as a simple means of getting wealthy—and ensure that those consumers who invest in crypto do so with full knowledge of the risks associated with crypto-assets
Second, it must provide consumers with sufficient recourse in cases where they have been subject to fraud.

In this article, we examine the existing regulatory framework around grievance redressal for consumers in India—and whether these safeguards are sufficient to protect consumers trading crypto-assets. We further suggest practical measures that the government can adopt going forward.

What is the Current Consumer Protection Framework Around Crypto-assets?

Safeguards Under the Consumer Protection Act and E-commerce Rules

The increased adoption of e-commerce by consumers in India forced legislators to address the lack of regulation for the protection of consumer interests. This legislative expansion may extend to protecting the interests of investors and consumers trading in crypto-assets.

The groundwork for consumer welfare was laid in the new Consumer Protection Act, 2019 which defined e-commerce as the “buying or selling of goods or services including digital products over digital or electronic network.” It also empowered the Union Government to take measures and issue rules for the protection of consumer rights and interests, and the prevention of unfair trade practices in e-commerce.

Within a year, the Union Government exercised its power to issue operative rules known as the Consumer Protection (E-Commerce) Rules, 2020 (the “Rules”), which amongst other things, sought to prohibit unfair trade practices across all models of e-commerce. The Rules define an e-commerce entity as one which owns, operates or manages a digital or electronic facility or platform (which includes a website as well as mobile applications) for electronic commerce.

The definition of e-commerce is not limited only to physical goods but also includes services as well as digital products. So, one can plausibly assume that it would be applicable to a number of crypto-exchanges, as well as certain entities offering decentralized finance (DeFi) services. This is because crypto tokens—be it cryptocurrencies like Bitcoin, Ethereum, or Dogecoin—are not considered currency or securities within Indian law, but can be said to be digital products since they are digital goods.

The fact that the digital products being traded on the e-commerce entity originated outside Indian territory would make no difference as far as the applicability of the Rules is concerned. The Rules apply even to e-commerce entities not established in India, but which systematically offer goods or services to consumers in India. The concept of systematically offering goods or services across territorial boundaries appears to have been taken from the E-evidence Directive of the European Union and seeks to target only those entities which intend to do substantial business within India while excluding those who do not focus on the Indian market and have only a minuscule presence here.

Additionally, the Rules impose certain duties and obligations on e-commerce entities, such as:

The appointment of a nodal officer or a senior designated functionary who is resident in India, to ensure compliance with the provisions of the Consumer Protection Act;
The prohibition on the adoption of any unfair trading practices, thereby making the most important requirements of consumer protection applicable to e-commerce;
The establishment of a grievance redressal mechanism and specifying an outer limit of one month for redressal of complaints;
The prohibition on imposing cancellation charges on the consumer, unless a similar charge is also borne by the e-commerce entity if it cancels the purchase order unilaterally for any reason;
The prohibition on price manipulation to gain unreasonable profit by imposing an unjustified price on the consumers;
The prohibition on discrimination between consumers of the same class or an arbitrary classification of consumers that affects their rights; etc.

The Rules also impose certain liabilities on e-commerce entities relating to the tracking of shipments, the accuracy of the information on the goods or services being offered, information and ranking of sellers, tracking complaints, and information regarding payment mechanisms. Most importantly, the Rules explicitly make the grievance redressal mechanism under the Consumer Protection Act, 2019 applicable to e-commerce entities in case they violate any of the requirements under the Rules.

What this means is that at present crypto-exchanges and crypto-service providers clearly fall within the ambit of consumer protection legislation in India. In real terms, this means that consumers can rest assured that in any crypto transaction their rights must be accounted for by the corporation.

With crypto related scams exploding globally following 2021, it is likely that Indian investors will come into contact, or be subject to various scams and schemes in the crypto marketplace. Therefore, it is imperative that consumers and investors the steps they can take in case they fall victim to a scam. Currently, any consumer who is the victim of a fraud or scam in the crypto space would as per the current legal regime, have two primary redressal remedies:

Lodging a criminal complaint with the police, usually the cyber cell, regarding the fraud. It then becomes the police’s responsibility to investigate the case, trace the perpetrators, and ensure that they are held accountable under relevant legal provisions.
Lodging a civil complaint before the consumer forum or even the civil courts claiming compensation and damages for the loss caused. In this process, the onus is on the consumer to follow up and prove that they have been defrauded.

Filing a consumer complaint may impose an extra burden on the consumer to prove the fraud—especially if the consumer is unable to get complete and accurate information regarding the transaction. Additionally, in most cases, a consumer complaint is filed when the perpetrator is still accessible and can be located by the consumer. However, in case the perpetrator has absconded, the consumer would have no choice but to lodge a criminal complaint. That said, if the perpetrators have already absconded, it may be difficult even for the police to be of much help considering the anonymity that is built into technology.

Therefore, perhaps the best protection that can be afforded to the consumer is where the regulatory regime is geared towards the prevention of frauds and scams by establishing a licensing and supervisory regime for crypto businesses.

A Practical Guide to Consumer Protection and Crypto-assets

What is apparent is that existing regulations are not sufficient to cover the extent of protection that a crypto-investor would require. Ideally, this gap would be covered by dedicated legislation that looks to cover the range of issues within the crypto-ecosystem. However, in the absence of the (still pending) government crypto bill, we are forced to consider how consumers can currently be protected and made aware of the risks associated with crypto-assets.

On the question of informing customers of the risks associated, we must address one of the primary means through which consumers become aware of crypto-assets: advertising. Currently, crypto-asset advertising follows a code set down by the Advertising Standards Council of India, a self-regulating, non-government body. As such, there is currently no government body that enforces binding advertising standards on crypto and crypto-service providers.

While self-regulation has generally been an acceptable practice in the case of advertising, the advertising of financial products has differed slightly. For example, Schedule VI of the Securities and Exchange Board of India (Mutual Funds) Regulations, 1996, lays down detailed guidelines associated with the advertising of mutual funds. Crypto-assets can, depending on their form, perform similar functions to currencies, securities, and assets. Moreover, they carry a clear financial risk—as such their advertising should come under the purview of a recognised financial regulator. In the absence of a dedicated crypto bill, an existing regulator—such as SEBI or the RBI—should use their ad-hoc power to bring crypto-assets and their advertising under their purview.

This would allow for the government to not only ensure that advertising guidelines are followed, but to dictate the exact nature of these guidelines. This allows it to issue standards pertaining to disclaimers and prevent crypto service providers from advertising crypto as being easy to understand, having a guaranteed return on investment, or other misleading messages.

Moreover, financial institutions such as the RBI and SEBI may consider increasing efforts to inform consumers of the financial and economic risks associated with crypto-assets by undertaking dedicated public awareness campaigns. Strongly enforced advertising guidelines, coupled with widespread and comprehensive awareness efforts, would allow the average consumer to understand the risks associated with crypto-assets, thereby re-orienting the prevailing narrative around them.

On the question of providing consumers with clear recourse, current financial regulators might consider setting up a joint working group to examine the extent of financial fraud associated with crypto-assets. Such a body can be tasked with providing consumers with clear information related to crypto-asset scams and schemes, how to spot them, and the next steps they must take in case they fall victim to one.

Aman Nair is a policy officer at the Centre for Internet & Society (CIS), India, focusing on fintech, data governance, and digital cooperative research. Vipul Kharbanda is a non-resident fellow at CIS, focusing on the fintech research agenda of the organisation.

For more details visit https://cis-india.org/internet-governance/blog/what-are-the-consumer-protection-concerns-with-crypto-assets

What are People's Rights in Digital World

praskrishna — 2016-01-12T01:51:53Z

Vanya Rakesh participated in this workshop organized by IT for Change on December 4, 2015 in Bangalore.


Above: Participants from the workshop

This workshop by IT for Change to build conceptions of rights with regard to the digital realm based on our tacit formative consciousness about them and undertake such an exercise to draw the first outlines of the social contract that must underpin our pervasively digital existence. IT for Change brought together thought leaders engaged in rights frameworks (including rights activists across domains and digital rights activists) to participate in this preliminary inquiry, to build from scratch a conception of what constitutes an equitable and just digital society, and what individual and collective rights would be commensurate to such a conception.

For more info click here.

For more details visit https://cis-india.org/internet-governance/news/what-are-peoples-rights-in-digital-world

What 66A Judgment Means For Free Speech Online

geetha — 2015-03-27T16:50:43Z

This week India's Supreme Court redefined the boundaries of freedom of speech on the internet. With the Court's decision in Shreya Singhal & Ors. v. Union of India, Section 66A of the Information Technology Act, 2000, has been struck down in entirety and is no longer good law.

Geetha Hariharan's article was originally published in the Huffington Post on March 26, 2015.

This week India's Supreme Court redefined the boundaries of freedom of speech on the internet. With the Court's decision in Shreya Singhal & Ors. v. Union of India, Section 66A of the Information Technology Act, 2000, has been struck down in entirety and is no longer good law. Through a structured, well-reasoned and heartening judgment, the court talks us through the nuances of free speech and valid restrictions. While previously, intermediaries were required to take down content upon suo moto determination of lawfulness, Section 79(3)(b) of the Act -- the intermediary liability provision -- has been read down to require actual knowledge of a court order or a government notification to take down content. Section 69A of the Act and its corresponding Rules, the provisions enabling the blocking of web content, have been left intact by the court, though infirmities persist.

The Supreme Court's decision comes at a critical moment for freedom of speech in India. In recent years, the freedom guaranteed under Article 19(1)(a) of the Constitution has suffered unmitigated misery: Wendy Doniger's The Hindus: An Alternative History was banned for hurting religious sentiments, publisher Orient Blackswan fearing legal action stayed its release of an academic work on sexual violence in Ahmedabad, the author Perumal Murugan faced harsh criticism for his novel One Part Woman and chose to slay his authorial identity.

"The Supreme Court's decision comes at a critical moment for freedom of speech in India. In recent years, the freedom guaranteed under Article 19(1)(a) of the Constitution has suffered unmitigated misery."

The tale of free speech on the Internet is similar. In response to takedown requests, intermediaries prefer to tread a safe path, taking down even legitimate content for fear of triggering penalties under Section 79 of the IT Act. The government has blocked websites in ways that transgress the bounds of 'reasonable restrictions' on speech. Section 66A alone has gathered astounding arrests and controversy. In 2012, Shaheen Dhada and her friend were arrested in Maharashtra for observing that Bal Thackeray's funeral shut down Mumbai, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested in 2014 for making posts about PM Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram's son. The misuse of Section 66A, and the inadequacy of other provisions of the IT Act, were well-documented.

Section 66A: No longer draconian

In a writ petition filed in 2012, the law student Shreya Singhal challenged the constitutionality of Section 66A on grounds, inter alia, of vagueness and its chilling effect. More petitions were filed challenging other provisions of the IT Act including Section 69A (website blocking) and Section 79 (intermediary liability), and these were heard jointly by justices Rohinton F. Nariman and G. Chelameshwar. Section 66A, implicating grave issues of freedom of speech on the internet, was at the centre of the challenge.

"It is difficult -impossible, in fact - to foresee or predict what speech is permitted or criminalised under Section 66A. As a result, there is a chilling effect on free speech online, resulting in self-censorship."

Section 66A makes it a criminal offence to send any online communication that is "grossly offensive" or "menacing", or false information sent for the purposes of causing "annoyance, inconvenience, insult, injury, obstruction, enmity, hatred, ill will", etc. These terms are not defined. Neither do they fall within one of the eight subjects for limitation under Article 19(2). It is difficult -impossible, in fact - to foresee or predict what speech is permitted or criminalised under Section 66A. As a result, there is a chilling effect on free speech online, resulting in self-censorship.

With yesterday's decision, the Supreme Court has struck down Section 66A on grounds of vagueness, excessive range and chilling effects on speech online. What is perhaps most uplifting is the court's affirmation of the value of free speech. In the midst of rising conservatism towards free speech, the Court reminds us that an "informed citizenry" and a "culture of open dialogue" are crucial to our democracy. Article 19(1)(a) shields us from "occasional tyrannies of governing majorities", and its restriction should be within Constitutional bounds enumerated in Article 19(2).

What speech is protected?

There are three types of speech, the court says: Discussion, advocacy and incitement. Discussion and advocacy are at the heart of Article 19(1)(a), and are unquestionably protected. But when speech amounts to incitement - that is, if it is expected to cause harm, danger or public disorder- it can be reasonably restricted for any of these reasons: public order, sovereignty and integrity of India, security of the State and friendly relations with foreign states.

" The Union of India argued that Section 66A is saved by the clauses "public order", "defamation", "incitement to an offence" and "decency, morality". But as the court finds that these are spurious grounds."

Section 66A, however, does not meet the legal standards for any of the limitation-clauses under Article 19(2), and so is unconstitutional. The Union of India argued that Section 66A is saved by the clauses "public order", "defamation", "incitement to an offence" and "decency, morality". But as the court finds that these are spurious grounds. For instance, Section 66A covers "all information" sent via the Internet, but does not make any reference (express or implied) to public order. Section 66A is not saved by incitement, either. The ingredients of "incitement" are that there must be a "clear tendency to disrupt public order", or an express or implied call to violence or disorder, and Section 66A is remarkably silent on these. By its vague and wide scope, Section 66A may apply to one-on-one online communication or to public posts, and so its applicability is uncertain. For these grounds, Section 66A has been struck down.

For freedom of speech on the internet, this is fantastic news! The unpredictability and threat of Section 66A has been lifted. Political commentary, criticism and dialogue are clearly protected under Article 19(1)(a). Of course, the government is still keen to regulate online speech, but the bounds within which it may do so have been reasserted and fortified.

Section 69A and website blocking

Section 69A empowers the government and its agencies to block websites on any of six grounds: "in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above". The blocking procedure is set out in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. It requires that a Committee for Examination of Request (CER) examines each blocking request, and gives the content-generator or host 48 hours to make a representation. The Secretary of the Department of Electronics and Information Technology then issues the blocking direction to the intermediary.

"[The court has] failed to consider the impact of Section 69A and its Rules. Our free speech rights as listeners are equally affected when legitimate websites containing information are blocked. Transparency, blockpage notifications and judicial review are essential to determine whether each blocking direction is valid."

Now, the Supreme Court decision has left Section 69A and its Rules intact, stating that it is a "narrowly drawn provision with several safeguards". However, the Court has overlooked some crucial details. For instance, no judicial review is available to test the validity of each blocking direction. Moreover, Rule 14 of the Blocking Rules requires that all blocking requests and directions are kept confidential. This means that neither the content-generator, nor the reader/listener or general public, will have any idea of how many blocking directions have been issued or why. There is no standard blockpage display in India, either, and this further aggravates the transparency problem.

Lamentably, the Supreme Court has not considered this. Though the court has recognised and upheld the rights of viewers, readers and listeners in its decision on Section 66A, it failed to consider the impact of Section 69A and its Rules on readers and listeners. Our free speech rights as listeners are equally affected when legitimate websites containing information are blocked. Transparency, blockpage notifications and judicial review are essential to determine whether each blocking direction is valid.

Section 79 and the intermediary as a judge

Section 79 provides a safe harbour for intermediaries: if they abide by the requirements of Section 79(2), they retain immunity. But under Section 79(3)(b), intermediaries can lose their immunity from prosecution if, after receiving a takedown notice, they do not take down content in three circumstances: (1) if they have actual knowledge that third-party information within their control is being used to commit an unlawful act (i.e., by suo moto deciding the lawfulness of content); (2) if a court order requires takedown of content; (3) if a government notification requires takedown. Rule 3(4) of the Intermediaries Guidelines Rules, 2011 has a similar provision.

"The Supreme Court has wisely put an end to private adjudication of lawfulness. Section 79(3)(b) and Rule 3(4) have been read down to mean that the intermediary must have actual knowledge of a court order or government notification."

This leads to a situation where a private intermediary is responsible for deciding what constitutes lawful content. Previous studies have shown that, when placed in such a position, intermediaries prefer overbroad blocking to escape liability. As readers, we can then only access uncontroversial content. But the freedom of speech includes, as the European Court of Human Rights emphasised in Otto-Preminger Institut, the freedom to "offend, shock and disturb".

In Shreya Singhal, the Supreme Court has wisely put an end to private adjudication of lawfulness. Section 79(3)(b) and Rule 3(4) have been read down to mean that the intermediary must have actual knowledge of a court order or government notification. Even if an intermediary chooses not to act in response to a private takedown notice, it will retain its immunity under Section 79.

With Shreya Singhal, India has reaffirmed its protections for freedom of speech on the internet. One may now freely speak online without fear of illegitimate and unconstitutional prosecution. However, a re-examination of the blocking procedure, with its infirmities and direct impact on speech diversity, is essential. But today, we celebrate!

For more details visit https://cis-india.org/internet-governance/blog/huffington-post-geetha-hariharan-march-26-2015-what-66-a-judgment-means-for-free-speech-online