We are anonymous, we are legion

Holding ID Issuers Accountable, What Works?

Shruti Trikanad and Amber Sinha — 2019-08-08T10:23:58Z

Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. The event was attended by researchers and advocates from nearly 20 countries. Read the event report here.

For more details visit https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Historic day for freedom of speech and expression in India

vidushi — 2015-03-26T02:19:17Z

In a petition that finds its origin in a simple status message on Facebook, Shreya Singhal vs Union of India marks a historic reinforcement of the freedom of speech and expression in India.

The article by Vidushi Marda was published in Bangalore Mirror on March 25, 2015.

Hearing a batch of writ petitions, the bench comprising Justices Rohinton F Nariman and J Chelameswar considered the constitutionality of three provisions of the Information Technology Act, 2000. The provisions under consideration were Section 66A, dealing with punishment of sending offensive messages through communication services, Section 69A which discusses website blocking and Section 79, dealing with intermediary liability.

The intent behind Section 66A was originally to regulate spam and cyber stalking, but in the last seven years not a single spammer has been imprisoned.

Instead, innocent academics have been arrested for circulating caricatures. The Court struck down the section in its entirety, declaring it unconstitutional.

It held that the language of the section was "nebulous" and "imprecise" and did not satisfy reasonable restrictions under A. 19(2) of the Constitution of India.

Section 79 was meant to result in the blossoming of free speech since it stated that intermediaries will not be held liable for content created by their users unless they refused to act on take-down notices. Unfortunately, intermediaries were unable to decide whether content was legal or illegal, and when the Centre for Internet and Society in 2011 sent flawed take-down notices to seven prominent national and international intermediaries, they erred on the side of caution and over-complied, often deleting legitimate content. By insisting on a court order, the Supreme Court has eliminated the chilling effect of this Section.

Block orders issued by the Indian government to telecom operators and ISPs were shrouded in opacity.

The process through which such orders were developed and implemented was not within public scrutiny. When a film is banned, it becomes part of public discourse, but website blocking does not enjoy the same level of transparency. The person whose speech has been censored is not notified or given an opportunity to be heard as part of the executive process. Unfortunately, in dealing with Section 69A, the Court chose to leave it intact, stating that it is a "narrowly drawn provision with several safeguards."

On balance, this is a truly a landmark judgment as it is the first time since the 1960s that the Supreme Court has struck down any law in its entirety for a violation of free speech.

For more details visit https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india

HillHacks 2019

Admin — 2019-06-05T14:41:44Z

Karan Saini was a speaker at HillHacks 2019 organized by HillHacks in Bir, Himachal Pradesh from May 24 to May 26, 2019.

Karan's talk was on using web applications for intelligence gathering purposes. For more info on the event, click here

For more details visit https://cis-india.org/internet-governance/news/hillhacks-2019

High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017

elonnai — 2017-08-11T02:16:52Z

This blog post seeks to provide a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions.

In July 2017 the Law Commission published a report on DNA profiling and the “Draft Use and Regulation of DNA Based Technology Bill 2017”. India has been contemplating a draft DNA Profiling Bill since 2007. There have been two publicly available versions of the bill, 2012, and 2015, and one version in 2016. In 2013, the Department of Biotechnology formulated an Expert Committee to discuss different aspects and issues raised regarding the Bill towards finalizing the text. The Centre for Internet and Society was a member of the Expert Committee, and in its conclusion, issued a note of dissent to the Expert Committee for DNA Profiling.

This post provides a high level overview of the Use and Regulation of DNA Based Technology Bill 2017 and calls out positive changes from the 2015 Bill, remaining issues, and missing provisions. The post also calls out if, and where, CIS's recommendations to the Expert Committee have been incorporated.

If enacted, the 2017 Bill will establish national and regional DNA data banks that will maintain five different types of indices: a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. The data banks will be led by a Director, responsible for communicating information with requesting entities, foreign states, and international organizations. Information relating to DNA profiles, DNA samples, and records maintained in a DNA laboratory can be made available in six instances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. Offences related to unauthorized disclosure of information in the DNA data bank, obtaining information from DNA data banks without authorization, unlawful access to information in the DNA Data Bank, using DNA sample or result without authorization, and destroying, altering, contaminating, or tampering with biological evidence.

Below are some key positive changes from the 2015 Bill, remaining issues, and missing safeguards from the 2017 Bill:

Positive Changes: The Bill contains a number of positive changes from the 2015 draft. Key ones include:

Consent: Section 21 prohibits the taking of samples from arrested persons without consent, except in the case of a specified offence - a specified offence being any offence punishable with death or imprisonment for a term exceeding seven years. If consent is refused, a magistrate can order the taking of the sample. This can be in the case of any matter listed in the Schedule of the Act. Section 22 provides for consent from volunteers. It is important to note that despite being an improvement from the 2015 Bill, which did not address instances of collection with our without consent, this provision is still broad as the list of offences under the Schedule is expansive and can be further expanded by the Central Government. Furthermore, the Magistrate can overrule a refusal of consent of the parent or guardian of a voluneet who is a minor, which does not provide adequate protection to childrens' rights.
Deletion: Section 31 defines instances for deletion of suspect profiles, under trial profiles, and all other profiles. Though a step in the right direction, as the 2015 Bill only addressed retention and deletion of the offenders index, this provision does not address the automatic removal of innocents.
Purpose limitation: Section 33 limits the purpose of profiles in the DNA Data Bank to that of facilitating identification. This is a positive step from the 2015 Bill - which enabled use of DNA profiles for the creation and maintenance of a population statistics data bank. Section 34 also limits the purposes for which information relating to DNA profiles, samples, and records can be made available.
Destruction of samples: Section 20 defines instances for destruction of DNA samples. Destruction of samples was not address in the 2015 Bill, and is an important protection as it prevents samples from being re-analyzed.
Comparison of profiles: Section 29 clarifies that if the individual is not an offender or a suspect, their information will not be compared with DNA profiles in the offenders’ or suspects index. This creates an important distinction between types of indices held in the data bank and the purpose for the same i.e missing persons are not treated as potential offenders. In the 2015 Bill, profiles entered in the offenders or crime scene index could be compared by the DNA Data Bank Manger against all profiles contained in the DNA Data Bank.
Re-testing: Section 24 allows for an accused person to request for a re-examination of fresh bodily substances if it is believed the sample has been contaminated. The closest provision to this in the 2015 was the creation a post - conviction right for DNA profiling - which is now deleted. It is important to note that fresh samples can easily be obtained from individuals, but if contamination happens at a crime scene, it is much more difficult to obtain a fresh sample.
Limiting Indices and including a crime scene index: The 2017 Bill limits the number of indices to five - a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. This is an improvement from the 2015 Bill which provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.

Remaining Issues: There are some remaining issues in the 2017 Bill. Some of these include:

Delegating and Expanding through Regulation: The Bill delegates a number of procedures to regulation - many which should be in the text of the Bill. For example: the format for receiving and storing DNA profiles, and additional criteria for entry, retention, and deletion of DNA profiles. Furthermore, a number of provisions allow for expansion through regulation. For example, the sources from which DNA can be collected from to be expanded as specified by regulations. Further purposes for making DNA profiles available can be defined by regulation. Important procedures such as privacy and security safeguards are also left to regulation.
Broad Powers and Composition of the Board: The Bill designates twenty one responsibilities to the Board. As pointed out in 1, many of these should be detailed in the text of the legislation.

While serving on the Expert Committee,CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. This recommendation has not been incorporated.

Ideally, the Board should also include privacy experts, an expert in ethics, as well as civil society. Towards this, the Board should be comprised of separate Committees to address these different functions. There should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues.

As a positive note, the reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This reccomendation has been incorporated.

CIS also provided language regarding how the Board could consult with the public:The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities. This language has not been fully incorporated

Lack of Authorization Procedure: Though the Bill defines instances of when DNA information can be made available, it fails to establish or refer to an authorization process for making information available and the decision currently seems to rest with the DNA Bank Director.
Expansive Schedule: The Bill creates a schedule containing a list of matters for DNA testing which includes whole acts and a range of civil disputes and matters that are broad and do not relate to criminal cases - most notably “issues relating to immigration or emigration and issues relating to establishment of individual identity.”
Unclear Data Stored: Though the Bill clarifies the circumstance that the identity of the individual will be associated with a profile, it allows for ‘information of data based on DNA testing and records relating thereto” to be stored, yet it is unclear what information this would entail.
Lack of procedures for chain of custody: Presently, the Bill defines quality assurance procedures for a sample that is already at the lab. There are no provisions defining a process for the examination of a crime scene and laying down standards for the chain of custody of a sample from the crime scene to a DNA laboratory.

Missing Safeguards:

There are some safeguards that, if added, would strengthen the Bill and ensure rights to the individual:

Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is accessed or made available.
Right to challenge: There are no provisions that give the individual the right to challenge the storage of their DNA.
Established profiling standard: Though the Law Commission report refers to the 13 CODIS standard, the Bill does not mandate the use of the 13 CODIS profiling standard.
Reporting standard: There are no standards for how matches or other information should be communicated from the DNA director to the authority or receiving entity including instances of partial matches.
Right to access and review: There are no provisions that allow an individual to review his/her information contained in the regional or the national database.
Lack of costing: There is no cost estimate in the report or a requirement for one to be carried out.
Study for the potential for false matches: This must consider the size of the population and large family size, i.e. relatively large numbers of closely related people and is particularly necessary given the the size over population as large as India's.

Importantly, in the DNA Expert Committee, CIS requested the Expert Committee that the Bill be brought in line with the nine national principles defined in the Report of Experts on Privacy led by Justice AP Shah. These include the principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles have not been fully incorporated.

For more details visit https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017

Hiding behind rules on naming sites it banned, govt reveals fears

praskrishna — 2015-09-27T10:59:56Z

With the union government's ban on 857 porn sites in July creating brouhaha across the country, there had been a concern over the voice of the youth being stifled and censorship making a comeback.

The article by Harjeet Inder Singh Sahi was published in the Hindustan Times on September 3, 2015.

Even though there was a partial rollback of the ban, the government still seems intent on being obtrusive with information and deny access to it, especially about the internet and the way it intends to govern it.

This has been illustrated by the union government's department of telecommunications refusing to provide information on websites it has banned to a petition under the Right to Information (RTI) Act.

The reply

"The group coordinator, cyber law division, department of electronics and information technology, has been authorised as designated officer and issues instructions for blocking/unblocking of websites/URLs. The clause 16 of Information Technology Procedure and Safeguards for blocking access of information by Public, Rules 2009, says strict confidentiality shall be maintained regarding all requests and complaints received and actions taken thereof," says the reply to the RTI application filed by this correspondent on August 3.

The reply to the petition - filed at www.rtionline.gov.in with registration number DOTEL/R/2015/61348 - was received on August 27.

Background to the case

In July this year, the department of electronics and information technology had banned 857 pornographic websites listed in the petition of Indore-based advocate Kamlesh Vaswani in the supreme court. The websites were banned by citing 'morality' and 'decency' enshrined in Article 19 (2) of the Constitution of India and under provisions of the Information Technology Act, 2000. A few days later, the government did a flip-flop and revoked the ban partially.

The Centre for Internet and Society (CIS) had subsequently released the list online. Now, the government has refused to provide information on websites banned in the country.

Department tangle

The department of electronics and IT decided on the ban, but it was the department of telecom which served the order to the internet companies because it is the supervising authority for them. The RTI can be filed with the department of telecom as it issues guidelines for and notices to internet service providers. The same application could also have been filed with the department of electronics and information technology. This department might have replied to the application or forwarded it to the telecom department.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-september-3-2015-harjeet-inder-singh-sahi-hiding-behind-rules-on-naming-sites-it-banned-govt-reveals-fears

Here’s why we need a lot more discussion on India’s new DNA Profiling Bill

elonnai — 2017-08-21T23:48:03Z

The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated.

The article was published in the Hindustan Times on August 7, 2017.

The first step towards a DNA Profiling Bill was taken in 2007 with the ‘Draft DNA Profiling Bill” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a 2012, 2015, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an Expert Committee to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.

Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.

Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.

It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.

The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.

As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.

Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill

Here is why government twitter handles have been posting offensive and partisan messages

praskrishna — 2016-10-16T03:24:45Z

You have failed us big time Mr Kejriwal, for your petty political gains you can become headlines for Pakistani press,” read a tweet on October 5 from @IndiaPostOffice, the official twitter handle of the Indian postal service.

The article by Danish Raza was published in the Hindustan Times on October 15, 2016. Nishant Shah was quoted.

It was a reference to Delhi Chief Minister Arvind Kejriwal urging the Prime Minister to counter Pakistan’s propaganda over surgical strikes.

Within hours, India Post tweeted an apology saying that the account was hacked.

This is the latest in a series of opinions and statements posted from official twitter handles of government departments and bodies. Of late, the Twitter handles meant to broadcast information related to government programmes have appeared like personal accounts tweeting slander and criticism.

Last month, the Twitter handle of Digital India tweeted a poem in Hindi calling on the Indian Army to persistently fire at protesters in Kashmir.

In August, the Twitter handle of Startup India retweeted a post suggesting that the Indian Army should ‘take care’ of #Presstitutes, a reference to sections of Indian media critical of the government.

The tweets expose loopholes in the government’s social media policy and raise questions about the norms followed in the recruitment of social media professionals for ministries and government institutions.

Work in Progress

The process of adopting new tools is work in progress. While the government agencies are trying to leverage social media to enhance citizen engagement, for the vast majority of government bodies, it is unexplored territory. Babus who have traditionally been dealing in paperwork and file notings are overwhelmed to see hash tags and trends. With a tech- savvy Prime Minister at the helm, every government department is trying to increase its digital footprint. At the same time, they face the challenge of reinterpreting existing work ethics and codes of conduct and applying them to the use of social media. Ministries such as the Ministry of External Affairs, Information & Broadcasting and the Prime Minister’s Office which have cohesive programmes and big mandate, have separate social media wings of their own with well- defined protocols. But these are exceptions.

Overall, the government bodies lack social media guidelines for their own efforts or which others can learn from. According to Chinmayi Arun, executive director, Centre for Communication Governance, National Law University, Delhi, mistakes are bound to happen given that everyone is new to social media. But it should be non-negotiable that when anything is said using an official governmental handle, the government should take more responsibility than just saying ‘oops’. “One of course is a clear and unequivocal statement apologising and taking back whatever was said. However, it should take pro-active measures to train and test people who handle its public-facing accounts and publish a clear monitoring and accountability mechanism by which they can be called to account. It should not be open to anyone to misuse the government’s official handles in this manner,” said Arun.

One of the areas where the lack of sensitisation is apparent is the usage of the same mobile device for multiple twitter handles – the most common reason for such goof-ups cited by social media consultants attached to various government departments. “I believe these were inadvertently posted by people handling these accounts. It may neither have been their mandate nor their intention. It happens when the person has configured multiple twitter handles from the same device and ends up posting from the wrong account,” said Amit Malviya, BJP’s National Convener, IT.

The majority of ministries and government departments do not give phones to members of the social media teams. It is up to the individual to use his personal device or get an additional one to manage the professional handle (s). A mistake will happen if a comment which was to be posted from the personal handle is posted from the official handle.

Twitter Goof-ups from GoI Accounts

“Because of the personalised and individual nature of social media, it is easy to forget that they are representing an institution and not themselves when using these handles. This also suggests the lack of public usage training in these organisations, and the need to educate our public actors in using social media with more responsibility as office bearers of an institution rather than a personal expression or an opinion,” said Nishant Shah, co-founder of the Centre for Internet and Society, Bangalore.

Another issue is that access to the account is given to multiple people. “Each one of them brings their individual personality and politics to their operation of the handle,” said Shah.

Hiring Issues

Part of the problem lies in the fact that there is no standard protocol on who can access the twitter handle of Indian government bodies and how this person or team is hired.

A few ministries (example: the ministry of railways) have a team comprising of government employees and staff of private agencies handling their account. Others have outsourced the job to agencies.

During the campaigning for the 2009 election, political parties got outside expertise to mark their presence online. The selection parameters of social media consultants – established public relations firms in some cases and individuals in others – was not uniform.

Unlike the traditional public relations officers who are from the Indian Information Services cadre, the social media consultants were selected based on their expertise in the field, political affiliation, and proximity to a party or leader.

Those who started handling social media accounts of political parties and leaders included trolls and social media influencers. “Parties got youngsters who were politically motivated and willing to work for political parties. They became cheaper alternatives for social media experts,” said Ishan Russel, political communication consultant.

After the NDA came to power, almost every ministry outsourced its digital expertise to agencies. Many individuals who were earlier directly working with leaders and parties got back with them via agencies. “If an agency is looking for people to handle the twitter account or Facebook page of a certain ministry in the BJP government, then those who are politically inclined towards the BJP will apply for the vacancies and their chances of getting hired are also much higher than someone who is neutral or known to be an AAP sympathiser,” said Vikas Pandey, 32-year-old software engineer, who headed the “I Support Namo” campaign on Facebook and Twitter, as a volunteer for the BJP.

Last year, the Prime Minister felicitated more than a dozen social media enthusiasts, including Vikas. The move raised eyebrows because many felt that the government was encouraging trolls. “It illuminates the fact that trolls have found gainful employment in the Government of India. Also that the entire edifice of the centre is being taken over by woefully undereducated bigots,” said Swati Chaturvedi, senior journalist and author.

Agency, the Soft Target

Till the time the government staff is well versed with social media tools, attributing the mistakes to an ‘outside agency’ appears to be the norm.

In the case of the twitter goof-up involving Startup India, Commerce and Industry minister Nirmala Sitharaman blamed a private agency that was managing the account of Startup India. “The retweets were done by an employee of the agency hired by the department of industrial policy and promotion. The person assigned by the agency for this particular job is not decided by the department and is the sole prerogative of the agency,” she said.

S Radha Chauhan, CEO of National e-Governance Division, attributed the controversial post from Digital India’s twitter handle to an agency called Trivone. “The person responsible had mistakenly tweeted from the official handle what he wanted to tweet from his personal account,” said Chauhan.

Those familiar with the functioning of the government’s social media verticals say that agencies are mentioned to cover up for mistakes often committed by someone from the government staff. “When in crisis, blame the agency, is the thumbrule the government follows. The fact is that each twitter post is approved by the client before it is posted,” said a senior executive with a digital marketing firm attached to a ministry which has recently earned lot of praise for its social media initiatives.

Nishtha Arora, social media and digital consultant in a reputed ad agency, was handling a political account till very recently. She said that the client required her to just randomly tweet or RT to be heard by the followers of a tech-savvy minister and be his digital mouthpiece. “I often had to draft tweets which looked like press releases,” she said.

“Digital faux pas is blamed on to someone who might be an expert in the field but yet has to bow down to the client pressure so that their agenda for the day is met and the said government body or ministry remains in the news,” she added.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-danish-raza-october-15-2016-here-is-why-government-twitter-handles-have-been-posting-offensive-and-partisan-messages

Here is the entire list of 'escorts service' websites that the government has banned

praskrishna — 2016-07-02T04:51:30Z

Another day and another opaque order asking Indian service providers to block websites that allegedly offer or advertise escort services in India. In total, the government has ordered ban on 237 websites. But as it happens whenever the Indian government bans website, there has been no public communication about the same.

The article was published in India Today on June 16, 2016

Also, it has not been explained what, if any, process was followed before these websites were banned and what norms were applied for the order that the internet service providers have received.

However, now Centre for Internet and Society has caught hold of the list of the websites that have been banned. Here is what the organisation says, "Unfortunately, the government does not make available publicly the list of websites they have ordered ISPs to block. Given that knowledge of what is censored by the government is crucial in a democracy, we are publishing the entire list of blocked websites."

As for the websites and URLs here they are:

www.sterlingbioscience.com
rawpoint.biz
www.onemillionbabes.com
www.mumbaihotcollection.in
simranoberoi.in
rubinakapoor.biz
talita.biz
www.mumbaiescortsagency.net
www.mumbaifunclubs.com
www.alishajain.co.in
www.ankitatalwar.co.in
https://www.jennyarora.ind.in
www.riya-kapoor.com
shneha.in
missinimi.in
www.mumbaiglamour.in
kalyn.in
www.saumyagiri.co.in/city/mumbai/
bookerotic.com
www.divyamalik.in
www.suhanisharma.co.in
www.ruhi.biz
umbaiqueens.in
www.aliyaghosh.com
priyasen.in
www.highprofilemumbaiescorts.co.in
charmingmumbai.com
www.poojamehata.in
kiiran.in/
mansikher.in
www.newmumbaiescorts.in
www.mumbaifunclubs.com
www.punarbas.in
www.discreetbabes.in
www.alisharoy.in
www.arpitarai.in
www.nidhipatel.in
navimumbailescort.com
www.zoyaescorts.com
www.juhioberoi.in
shoniya.in
panchibora.in
rehu.in
www.nehaanand.com
www.aditiray.co.in
www.rakhibajaj.in
www.alianoidaescorts.in
www.sobiya.in
www.alishaparul.in
mumbai-escorts.leathercurrency.com
ankita-ahuja.in
www.yamika.in
mumbailescort.co
www.ranjika.in
www.aditiray.com
www.alinamumbailescort.in
www.sonikaa.com/services/
riyamodel.in
soonam.in
www.sejalthakkar.com
www.yomika-tandon.in
www.asika.in
www.siyasharma.org/
www.rubikamathur.in
www.mumbaiescortslady.com
www.sexyshe.in
www.indepandentescorts.com
www.saanvichopra.co.in
www.goswamipatel.in
ojaloberoi.in
www.naincy.in
www.sonyamehra.com
www.pinkgrapes.in
anjalitomar.in/
www.nishakohli.com/
sagentia.co.in
mumbai.vivastreet.co.in/escort+mumbai
www.deseescortgirls.in
guides.wonobo.com/mumbai/mumbai-escorts-service/.4299
jasmineescorts.com
www.shalinisethi.com
www.highclassmumbailescort.com
www.vipescortsinmumbai.com
www.mumbaiescorts69.co.in
monikabas.co.in
www.riyasehgal.com
onlycelebrity.in
www.greatmumbaiescorts.com/escort-service-mumbai.html
www.aishamumbailescort.com
www.jennydsouzaescort.com
www.desifun.in
www.siyaescort.co.in
masti-escort.in
www.sofya.in
www.mumbaiwali.in/navi-mumbai-escort-service.php
www.mumbaiwali.in
www.calldaina.com
www.mumbaiescortsservice.co.in
www.escortsgirlsinmumbai.com
www.passionmumbai.escorts.com
www.nehakapoor.in
meerakapoor.com
www.dianamumbaiescorts.net .in
www.allmumbailescort.in
www.rakhiarora.in
www.ritikasingh.com
www.rekhapatil.com
www.mumbaidolls.com
www.piapandey.com
www.mumbaicuteescorts.in
www.mumbaiescortssevice.com
www.onlycelebrity.com
www.meetescortservice.com
onlyoneescorts.com
simirai.org
www.riyamumbaiescorts.in
www.neharana.in
www.mumbaihiprofilegirls.in
www.sexyescortsmumbai.in
www.sexymumbai.escorts.com
www.four-seasons-escort.in
www.mumbaiescortsgirl.com
www.vdreamescorts.com
www.passionatemumbaiescorts.in
www.payalmalhotra.in
www.shrutisinha.com
www.juliemumbaiescorts.com
www.indiasexservices.com/mumbai.html
www.mumbai-escorts.co.in
www.aliyamumbaiescorts.net.in
shivaniarora.co.in/escort-service-mumbai.html
www.pinkisingh.com
soyam.in
www.arpitaray.com
www.localescorts.in
www.jennifermumbaiescorts.com
www.yanaroy.com
escorts18.in/mumbai-escorts.html
www.tinamumbaiescorts.com
www.mumbaijannatescorts.com
www.deepikaroy.com
www.nancy.co.in
www.pearlpatel.in
30minsmumbaiescorts.in
www.datinghopes.com
https://www.riyaroy.com/services.html
www.sonalikajain.com
www.zainakapoor.co.in
kavyajain.in
www.kinnu.co.in
exmumbai.in/
www.mansimathur.in/pinkyagarwal
exmumbai.in
www.mansimathur.in/pinkyagarwal
www.devikabatra.in
katlin.in
riyaverma.in
escortsinindia.co/
www.snehamumbaiescorts.in
shimi.in
www.mumbaiescortsforu.com/about
www.chetnagaur.co.in/chetna-gaur.html
www.escortspoint.in
www.rupalikakkar.in
www.hemangisinha.co.in
1escorts.in/location/mumbai.html
www.salini.in/navi-mumbai-independent-escort-service.php
www.salini.in/navi-mumbai-independent-escort-service.php
www.mumbaibella.in
mohitescortservicesmumbai.com
www.anchu.in
www.aliyaroy.co.in
jaanu.co.in/mumbai-escorts-service-call-girls.html
www.andyverma.com
dreams-come-true.biz
feel-better.biz
jellyroll.biz
dreamgirlmumbai.com
role-play.biz
mansi-mathur.com
www.zarinmumbaiescorts.com
mymumbai.escortss.com
www.goldentouchescorts.com
www.mumbaipassion.biz
ishitamalhotra.com
happy-ending.biz
juicylips.biz
www.escortsmumbai.name
www.kirstygbasai.net
www.hiremumbaiescorts.com
www.meeraescorts.com/mumbai-escorts.php
3-5-7star.biz
www.pranjaltiwari.com
www.richagupta.biz
way2heaven.biz
piya.co/
pinkflowers.info
www.beautifulmumbaiescorts.com
www.bestescortsinmumbai.com/charges-html
www.mumbaiescorts.me
www.tanikatondon.com
www.escortsinmumbai.biz
www.escortgirlmumbai.com
www.mumbaicallgrils.com
www.quickescort4u.com
www.mayamalhotra.com
www.legal-escort.com
escortsbaba.com/mumbai-escorts.html
rupa.biz
www.mumbaiescorts.agency/erotic-service-mumbai.html
www.escortscelebrity.com
www.independentescortservicemumbai.com/mumbai%20escort%20servi..
garimachopra.com
kajalgupta.biz
lipkiss.site
aanu.in
bombayescort.in
hotkiran.co.in
khushikapoor.in
joyapatel.in
rici.in
aaditi.in
andheriescorts.org.in
www.jiyapatel.in
spicymumbai.in
rimpyarora.in
lovemaking.co.in
riyadubey.co.in
escortservicesmumbai.in
mumbaiescorts.co.in
midnightprincess.in/
vashiescorts.co.in/
angee.in/
www.rozakhan.in/
www.mumbaiescortsvilla.in/
kylie.co.in/
escortservicemumbai.co.in

For more details visit https://cis-india.org/internet-governance/news/india-today-june-16-2016-here-is-the-entire-list-of-escorts-service-websites-that-govt-has-banned

Health Data Management Policies - Differences Between the EU and India

shweta — 2023-07-10T16:36:25Z

Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

This issue brief was reviewed and edited by Pallavi Bedi

Introduction

Health data has seen an increased interest the world over, on account of the amount of information and inferences that can be drawn not just about a person but also about the population in general. The Covid 19 pandemic also brought about an increased focus on health data, and brought players that earlier did not collect health data to be required to collect such data, including offices and public spaces. This increased interest has led to further thought on how health data is regulated and a greater understanding of the sensitivity of such data, because of which countries are in varying processes to get health data regulated over and above the existing data protection regulations. The regulations not only look at ensuring the privacy of the individual but also look at ways in which this data can be shared with companies, researchers and public bodies to foster innovation and to monetise this valuable data. However for a number of countries the effort is still on the digitisation of health data. India has been in the process of implementing a nationwide health ID that can be used by a person to get all their medical records in one place. The National Health Authority (NHA) has also since 2017 been publishing policies that look at the framework and ecosystem of health data, as well as the management and sharing of health data. However these policies and a scattered implementation of the health ID are being carried out without a data protection legislation in place. In comparison, Europe, which already has an established health Id system, and a data protection legislation (GDPR) is looking at the next stage of health data management through the EU Health Data Space (EUHDS). Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

Background

EU Health Data Space

The EU Health Data Space (EUHDS) was proposed by the EU Council as a way to create an ecosystem which combines rules, standards, practices and infrastructure, around health data under a common governance framework. The EUHDS is set to rely on two pillars; namelyMyHealth@EU and HealthData@EU, where MyHealth@EU facilitates easy flow of health data between patients and healthcare professionals within member states, the HealthData@EU,faciliates secondary use of data which allows policy makers,researchers access to health data to foster research and innovation.^{^[1]} The EUHDS aims to provide a trustworthy system to access and process health data and builds up from the General Data Protection Regulation (GDPR), proposed Data Governance Act.^{^[2]}

India’s health data policies:

The last few years has seen a flurry of health policies and documents being published and the creation of a framework for the evolution of a National Digital Health Ecosystem (NDHE). The components for this ecosystem were the National Digital Health Blueprint published in 2019 (NDHB) and the National Digital Health Mission (NDHM). The BluePrint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs.^{^[3]} Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.^{^[4]}

The National Health Authority (NHA) established in 2018 has been given the responsibility of implementing the National Digital Health Mission. 2018 also saw the Digital Information Security in Healthcare Act (DISHA) which was to be a legislation that laid down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personal data.^{^[5]} However since its call for public consultation no progress has been made on this front.

Along with these three strategy documents the NHA has also released policy documents more particularly the Health Data Management Policy (which was revised three times; the latest version released in April 2022), the Health Data Retention Policy (released April 2021), and the Consultation Paper on Unified Health Interface (UHI) (released March 2021). Along with this in 2022 the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines published in August 2022 did not even refer to the draft National Digital Health Data Management Policy (published in April 2022). As stated through the examples above these documents do not cross-refer or mention preceding health data documents, creating a lack of clarity of which documents are being used as guidelines by health care providers.

In addition to this the Personal Data Protection Bill has been revised three times since its release in 2018. The latest version was published for public comments on November 18, 2022; the Bill has removed the distinction between sensitive personal data and personal data and clubbed all personal data under one umbrella heading of personal data. Health and health data definition has also been deleted; creating further uncertainty with respect to health data as the different policies mentioned above rely on the data protection legislation to define health data.

Comparison of the Health Data Management Approaches
Interoperability with Data Protection Legislations

At the outset the key difference between the EU and India’s health data management policies has been the legal backing of GDPR which the EUHDS has. EUHDS has a strong base in terms of rules for privacy and data protection as it follows, draws inference and works in tandem with the General Data Protection Regulation (GDPR). The provisions also build upon legislation such as Medical Devices Regulation and the In Vitro Diagnostics Regulation. With particular respect to GDPR the EUHDS draws from the rights set out for protection of personal data including that of electronic health data.

The Indian Health data policies however currently exist in the vacuum created by the multiple versions of the Data Protection Bill that are published and repealed or replaced. The current version called the Digital Personal Data Protection Bill 2022 seems to take a step backward in terms of health data. The current version does away with sensitive personal data (which health data was a part of) and keeps only one category of data - personal data. It can be construed that the Bill currently considers all personal data as needing the same level of protection but it is not so in practice. The Bill does not at the moment mandate more responsibilities on data fiduciaries^{^[6]} that deal with health data (something that was present in all the earlier versions of the Bill) and in other data protection legislation across different jurisdictions and leaves the creation of Significant Data Fiduciaries (who have more responsibilities) to be created by rules, based on the sensitivity of data decided by the government at a later date.^{^[7]} In addition to this the Bill does not define “health data”, the reason why this is a cause for worry is that the existing health data policies also do not define health data often relying on the definition mentioned in the versions of Data Protection Bill.

Definitions and Scope

The EUHDS defines ‘personal electronic health data’ as data concerning health and genetic data as defined in Regulation (EU) 2016/679^{^[8]}, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form. Health data by these parameters would then include not just data about the status of health of a person which includes reports and diagnosis, but also data from medical devices.

In India the Health Data Management Policy 2022, defines “Personal Health Records” (PHR) as a health record that is initiated and maintained by an individual. The policy also states that a PHR would be able to reveal a complete and accurate summary of the health and medical history of an individual by gathering data from multiple sources and making this accessible online. However there is no definition of health data which can be used by companies or users to know what comes under health data. The 2018, 2019 and 2021 version of the Data Protection Legislation had definitions of the term health data, however the 2022 version of the Bill does away with the definition.

Health data and wearable devices

One of the forward looking provisions in the EUHDS is the inclusion of devices that records health data into this legislation. This also includes the requirement of them to be added to registries to provide easy access and scrutiny. The document also requires voluntary labeling of wellness applications and registration of EHR systems and wellness applications. This is not just for the regulation point of view but also in the case of data portability, in order for people to control the data they share. In addition to this in the case where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS.

In India the health data management policy 2022 while stating the applicable entities and individuals who are part of the ABDM ecosystem^{^[9]} mention medical device manufacturers, does not mention device sellers or use terms such as wellness applications or wearable devices. Currently the regulation of medical devices falls under the purview of the Drugs and Cosmetics Act, 1940 (DCA) read along with the Medical Device Rules, 2017 (MDR). However in 2020 possibly due to the pandemic the Indian Government along with the Drugs Technical Advisory Board (DTAB) issued two notifications the first one expanded the scope of medical devices which earlier was limited to only 37 categories excluding medical apps, and second one notified the Medical Device (Amendment) Rules, 2020. These two changes together brought all medical devices under the DCA as well as expanded the categories of medical devices. However it is still unclear whether fitness tracker apps that come with devices are regulated, as the rules and the DCA still rely on the manufacturer to self-identify as a medical device.^{^[10]} However, this regulatory uncertainty has not brought about any change in how this data is being used and insurance companies at times encourage people to sync their fitness tracker data.^{^[11]}

Multiple use of health data

The EUHDS states two types of uses of data: primary and secondary use of data. In the document the EU states that while there are a number of organisations collecting data, this data is not made available for purposes other than for which it was collected. In order to ensure that researchers, innovators and policy makers can use this data. the EU encourages the data holders to contribute to this effort in making different categories of electronic health data they are holding available for secondary use. The data that can be used for secondary use would also include user generated data such as from devices, applications or other wearables and digital health applications.However, the regulation cautions against using this data for measures and making decisions that are detrimental to the individual, in ways such as increasing insurance premiums. The EUHDS also states that as the data is sensitive personal data care should be taken by the data access bodies, to ensure that while data is being shared it is necessary to ensure that the data will be processed in a privacy preserving manner. This could include through pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.

While the document states how important it is to have secondary use of the data for public health, research and innovation it also requires that the data is not provided without adequate checks. The EUHDS requires the organisation seeking access to provide several pieces of information and be evaluated by the data access body. The information should include legitimate interest, the necessity and the process the data will go through. In the case where the organisation is seeking pseudonymised data, there is a need to explain why anonymous data would not be sufficient. In order to ensure a comprehensive approach between health data access bodies, the EUHDS states that the European Commission should support the harmonisation of data application, as well as data request.

In India, while multiple health data documents state the need to share data for public interest, research and innovation, not much thought has been given to ensuring that the data is not misused and that there is harmonisation between bodies that provide the data. Most recently the PMJay documents states that the NHA shall make aggregated and anonymised data available through a public dashboard for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Such data can be accessed through a request to the Data Sharing Committee^{^[12]} for the sharing of such information through secure modes, including clean rooms and other such secure modes specified by NHA. However the document does not mention what clean rooms are in this context.

The Health Data Management Policy 2022 states that Data fiduciaries (data controllers/ processors according to the data protection legislation) can themselves make anonymised or de-identified data in an aggregated form available based in technical processes and anonymisation protocols which may be specified by the NDHM in consultation with the MeitY. The purposes mentioned in this policy included health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NDHMP. The policy states that in order to access the anonymised or de-identified data the entity requesting the data would have to provide relevant information such as name, purpose of use and nodal person of contact details. While the policy does not go into details about the scrutiny of the organisations seeking this data, it does state that the data will be provided based on the term as may be stipulated.

However the issue arises as both the documents published by the NHA do not have a similar process for getting the data, for example the NDHMP requires the data fiduciary to share the data directly, while the PMJay guidelines requires the data to be shared by the Data Sharing Committee, creating duplicate datasets as well as affecting the quality of the data being shared.

Recommendations for India
Need for a data protection legislation:

While the EUHDS is still a draft document and the end result could be different based on the consultations and deliberations, the document has a strong base with respect to the privacy and data protection based on the earlier regulations and the GDPR. The definitions of what counts as health data, and the parameters for managing the data creates a more streamlined process for all stakeholders. More importantly the GDPR and other regulations provide a way of recourse for people. In India the health data related policies and strategy documents have been published and enforced before the data protection legislation is passed. In addition to this India, unlike the EU has just begun looking at a universal health ID and digitisation of the healthcare system, ideally it would be better to take each step at a time, and at first look at the issues that may arise due to the universal health ID. In addition to this, multiple policies, without a strong data protection legislation providing parameters and definitions could mean that the health data management policies only benefit certain people. This also creates uncertainty in terms of where an individual will go in case of harms caused by the processing of their data, and who would be the authority to govern questions around health data. The division of health data management between different documents also creates multiple silos of data management which creates data duplication and issues with data quality.

Secondary use of data

While both the EUHDS and India's Health Data Management Policy look at the sharing of health data with researchers and private organisations in order to foster innovation, the division of sharing of data based on who uses the data is a good way to ensure that only interested parties have access to the data. With respect to the health data policies in India, a number of policies talk about the sharing of anonymised data with researchers, however the documents being scattered could cause the same data to be shared by multiple health data entities, making it possible to identify people. For example, the health data management policy could share anonymised data of health services used by a person, whereas the PMJAY policy could share data about insurance covers, and the researcher could probably match the data and be closer to identifying people. It has also been revealed in multiple studies that anonymisation of data is not permanent and that the anonymisation can be broken. This is more concerning since the polices do not put limits or checks on who the researchers are and what is the end goal of the data sought by them, the policies seem to rely on the anonymisation of the data as the only check for privacy. This data could be used to de-anonymise people, could be used by companies working with the researchers to get large amounts of data to train their systems,

train data that could lead to greater surveillance, increase insurance scrutiny etc. The NHA and Indian health policy makers could look at the restrictions and checks that the EUHDS creates for the secondary use of data and create systems of checks and categories of researchers and organisations seeking data to ensure minimal risks to an individual’s data.

Conclusion

While the EU Health data space has been criticised for facilitating vast amounts of data with private companies and the collecting of data by governments, the codification of the legislation does in some way give some way to regulate the flow of health data. While India does not have to emulate the EU and have a similar document, it could look at the best practices and issues that are being highlighted with the EUHDS. Indian lawmakers have looked at the GDPR for guidance for the draft data protection legislation, similarly it could do so with regard to health data and health data management. One possible way to ensure both the free flow of health data and the safeguards of a regulation could be to re-introduce the DISHA Act which much like the EUHDS could act as a legislation which provides an anchor to the multiple health data policies, including standard definition of health data, grievance redressal bodies, and adjudicating authorities and their functions. In addition a legislation dedicated to the health data would also remove the existing burden on the to be formed data protection authority.

^{^[1]} “European Health Data Space”, European Commission, 03 May 2022,https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en

^{^[2]}“European Health Data Space”

^{^[3]} “National Digital Health Blueprint”, Ministry of Health and Family Welfare Government of India, https://abdm.gov.in:8081/uploads/ndhb_1_56ec695bc8.pdf

^{^[4]} “National Digital Health Blueprint”

^{^[5]} “Mondaq” “DISHA – India's Probable Response To The Law On Protection Of Digital Health Data” accessed 13 June 2023,https://www.mondaq.com/india/healthcare/1059266/disha-india39s-probable-response-to-the-law-on-protection-of-digital-health-data

^{^[6]}“The Digital Personal Data Protection Bill 2022”, accessed 13 June 2023 , https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf

^{^[7]}The Digital Personal Data Protection Bill 2022

^{^[8]} Regulation (EU) 2016/679 defines health data as “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

^{^[9]} For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individuals.

^{^[10]} For example a manufacturer of a fitness tracker which is capable of monitoring heart rate could state that the intended purpose of the device was fitness or wellness as opposed to early detection of heart disease thereby not falling under the purview of the regulation.

^{^[11]}“Healthcare Executive” “GOQii Launches GOQii Smart Vital 2.0, an ECG-Enabled Smart Watch with Integrated Outcome based Health Insurance & Life Insurance, accessed 13 June 2023
https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch

^{^[12]} The guidelines only state that the Committee will be responsible for ensuring the compliance of the guidelines in relation to the personal data under its control. And does not go into details of defining the Committee.

For more details visit https://cis-india.org/internet-governance/blog/health-data-management-policies

Hate speech: ban or ignore?

praskrishna — 2013-02-13T09:40:37Z

The Social Network discusses the hate speeches: whether they should be banned or ignored. Why does the state take action against some and not against some others. This on a day when Togadia and Owaisi were simultaneously trending on the social media.

This discussion was aired on NDTV on February 5, 2013

Pranesh Prakash, Policy Director, Centre for Internet and Society, and Shivam Vij of Kafila.com joined NDTV in the studio while actor and standup comic Sanjay Rajoura joined via webcam.

Pranesh said that the talk of banning these videos is foolish. He added, I don't think that is a solution. But the issue is one of criminal prosecution – whether that should happen or not, and with regard to the interesting dichotomy that Shivam pointed out some people are calling for somethings to be banned but not others. I think that kind of hypocrisy should be pointed out. I am happy that these small incidents of hate mongering are actually being blown out of proportion on social media because it actually gets people to react...to say wait a second...that is not right I might have a certain leanings towards Hindutva but that kind of speech is not what I support, or I might have a certain leanings towards what is called "pseudo-secularism" but that kind of speech is not what I support. So getting out that discussion out is important.

If we were on one hand a society where we had communal peace and then social media were focusing on these small kinds of incidents and blowing it out of proportion then that would be a problem.

Watch the full discussion aired on NDTV

For more details visit https://cis-india.org/news/ndtv-video-the-social-network-feb-5-2013-hate-speech-ban-or-ignore

HasGeek presents The Fifth Elephant

praskrishna — 2012-06-19T06:38:13Z

HasGeek and the Centre for Internet & Society invite you the Fifth Elephant at the NIMHANS Convention Centre, Bangalore on July 27 and 28, 2012.

Why The Fifth Elephant?

Modern technology with ubiquitous connectivity and cloud-hosted computing power is increasingly becoming important for making sense of data. The infrastructure, tools, processes and algorithms for storage, analytics and visualization shape the meanings and value that can be derived from the data. At the same time, these technologies are strongly intertwined i.e., the database infrastructure shapes how data is accessed for processing, as well as the tools you can (or cannot) use to represent the data in certain ways on the frontend. Similarly, the paradigms used for simplifying and storing data — MapReduce, NoSQL, RDBMS — variously enable the morphing of complex data into meaningful formats. Working with each one of them involves limitations and possibilities.

The Fifth Elephant is the first of its kind of events where you will meet different people working with different kinds of data. It is an opportunity for learning about new tools, technologies, platforms, processes and best practices, and engaging with business leaders, IT decision-makers, journalists, analysts and developers. It is also an opportunity to showcase data products, APIs, services and platforms.

A Conference? An Event?

The Fifth Elephant is not simply a series of lectures. It is a space for interactions with a diverse audience to serendipitously explore insights and solutions for your data problems, to understand how hidden meanings in data can be made manifest, and to learn how others are working with data. The event is open to data analysts and scientists, statisticians, geeks, enthusiasts, data-driven product managers and designers, enterprise architects, journalists, researchers, developers and database professionals.

The Agenda

The Fifth Elephant will be held on July 27 and 28, 2012 at the NIMHANS Convention Centre, Bangalore. Day 1 covers the technology track — big data infrastructure, analytics and visualization. Day 2 invites talks from business and industry — finance, retail, health, media, telecom — to showcase the nature of data in each of these sectors and how they are working (and not working) with the data.

Apart from demos, lectures and tutorials, there will be opportunities for open house discussions and presentations on Hadoop, NoSQL versus RDBMS paradigms, and legal and licensing frameworks for data sharing, among others. Hacker corners, a dedicated participant lounge and interactive sponsor booths will further the learning, showcasing and engagement at the event.

For submitting talks and speaking proposals, visit funnel.hasgeek.com/5el.
Corporate tickets available for company delegates and employees. For more information write to info@hasgeek.com
For sponsorship queries, write to zainab@hasgeek.com

For more details visit https://cis-india.org/internet-governance/has-geek-presents-the-fifth-elephant

Haryana Cops Say Internet Shutdowns Hurt Police Operations

praskrishna — 2018-09-18T15:57:12Z

India sees a very high number of Internet shutdowns, often to preserve law and order, but Haryana cops are arguing against the practice.

The article by Gopal Sathe was published by Huffington Post on September 19, 2018.

Ahead of a Haryana court verdict in a rape case against Dera Sacha Sauda (DSS) head Gurmeet Ram Rahim Singh, mobile Internet services were shut down in nearby areas such as Panchkula and Mohali. The Hindustan Times reported that SMSes, mobile Internet and all services apart from voice calls were suspended to keep the peace.

But as a result of the shutdown, police in Panchkula faced a challenge in estimating the size of crowds gathered at different locations. "We were until then sharing information and photos on WhatsApp to figure out the number of people pouring in the city from various points as it helped identify problem areas. DSS followers had started gathering August 22 onwards," Panchkula police commissioner Arshinder Singh Chawla has said, according to a report by Manoj Kumar first published by the Centre for Internet and Society.

This was a replay of events during the Jat agitation of 2016 as well—protestors were present in much greater numbers than police personnel, who were not aware of the scenario on the ground. The police also worried about sending messages asking for help over the radio, as this could have been tapped into by the protestors, according to the report.

The lack of mobile Internet during the DSS-related Internet shutdown also affected the use of technology such as drone cameras, Chawla said. And because the police could not communicate with security personnel at the court complex, the police inside had to scale walls to leave safely, as they could not ask their colleagues for backup.

The report points out that this is in stark contrast to what happened in Mumbai, where former police commissioner Rakesh Maria made use of WhatsApp and SMS messages to prevent a scuffle from turning into a riot during Eid celebrations in early 2015.

A study by the Software Freedom Law Centre stated that India has already over 100 Internet shutdowns in 2018, Medianama reported. The five states with the most shutdowns are Jammu and Kashmir, Rajasthan, Uttar Pradesh, Maharashtra and Bihar. This has been criticised by many, including the UN, and as the Haryana police's experience show, the shutdowns are not just harming citizens, but are counter-productive to maintaining order as well.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-september-17-2018-haryana-cops-say-internet-shutdowsn-hurt-police-operations

Hard to broad ban!

praskrishna — 2016-03-22T17:00:07Z

The provisions under the Telegraph Act are wispy and can’t be convincingly invoked to exercise a jurisdiction on the internet world.

The article by Taru Bhatia was published by Governance Now on March 9, 2016. Pranesh Prakash was quoted.

The Haryana government on February 19 suspended mobile internet services in the districts affected by the agitation caused by the Jat community over reservation. The ban was imposed under section 144 of criminal procedure code (CrPC) to control the situation from being fanned by rumours or inflammatory messages.Similar ban was imposed in Gujarat last year during violent protests stirred by Hardik Patel over reservation of Patel community. In a similar manner internet connectivity was snapped in Nagaland, Rajasthan and Jammu and Kashmir last year under section 144 in order to contain law and order situation.

The CrPC section allows an official authorised by the state government to “direct any person to abstain from a certain act or to take certain order” which is “likely to prevent, or tends to prevent, obstruction, annoyance or injury to any person lawfully employed or danger to human life, health or safety, or a disturbance of the public tranquility, or a riot, of an affray”. “An order under this section may, in cases of emergency or in cases where the circumstances do not admit of the serving in due time of a notice upon the person against whom the order is directed, be passed ex parte,” the section states.

However, the civil rights lawyers claim that section 144 is a general law. “Section 144 is a means to curb apprehended danger and nuisance in emergencies, but its use to ban internet access for a region is an excessive and arbitrary use of powers granted to the state government under this provision,” says Mishi Choudhary, legal director, software freedom law centre (SFLC).

They, moreover, believe that the above section is not specific and contextual in cases of communication ban. So what is the correct law that comes in disposal of state authorities during emergencies that call for an urgent step? It’s section 5 of the Indian Telegraph Act, 1885. The act specifically deals with blocking web domains or web pages or blanket ban. Section 5(2) says that states or central government can prevent transmission of any message(s) that cause incitement to unlawful situation. Looking carefully, this section focuses only on blocking of inflammatory message(s), not a blanket ban.

In the case of Gujarat, for example, Hardik Patel, leading the agitation, used WhatsApp to spread the word for Bharat bandh, which consequently caused a blanket ban on data services by the state authorities. Under section 5(2), the authorities could have gone ahead only with banning social media websites and messaging application, instead of a blanket ban.

Section 5(2) of the telegraph Act also allows the authorities to lawfully intercept messages during public emergency. The central government has laid out clear guidelines in 2014, defining circumstances that demands phone tapping and in what manner. Similar guidelines are not there for suspending internet services under same law, however.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services. It will also make authorities answerable, limiting the misuse of power under the section 144 of the CrPC.

The civil rights lawyers cite example of section 69 A of the IT Act, 2000, which grants power to the central government to direct notice to intermediaries (for example, Facebook and Twitter), to block public access to any information that could stir violence in the country. In this case the government formulated blocking rules in 2009, providing for examination of complaints. The authority to employ this power however lies with the central government, and so, a state not using this law for taking down any message or domain from public view is understandable, during riot-like situation.

For states to legitimately use their power, it is essential to have similar blocking rules for section 5(2) of telegraph act.

Is blanket ban needed, anyway?

“Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” says Pranesh Prakash, policy director, Centre for Internet and Society (CIS).

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he says.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015. A similar approach could have been taken by state authorities in the case of Gujarat or Haryana; countering miscreants, informing public about the truth and emergency help details.

“Instead of doing that, we saw that in Gujarat, the police themselves engaged in acts of violent vandalism (caught on CCTV cameras), and in Manipur the police shot dead nine Manipuri tribals, including a 11-year-old child,” retorts Pranesh.

Blocking internet should be used as a last resort, and taking a balanced approach that considers interest of every stakeholder in a society is essential, argue civil rights lawyers. It is also imperative on the part of the government to formulate guidelines or a rule book to tackle the arbitrariness exercised by the states and security forces.

For more details visit https://cis-india.org/internet-governance/news/governance-now-march-9-2016-taru-bhatia-hard-to-broad-ban

Haphazard censorship? Leaked list of blocked websites in India

praskrishna — 2012-08-23T06:18:45Z

An analysis of a leaked list of the websites blocked by Indian Internet Service Providers (ISPs) on directions from the Department of Telecom bring to light the inconsistencies in India's online censorship efforts.

Published in IBNLive on August 23, 2012. Pranesh Prakash is quoted.

Pranesh Prakash, programme manager at the Centre for Internet and Society (CIS), analysed the 309 specific items that were asked to be censored from August 18, till August 21, 2012 by the Indian government following the recent incidents of communal violence and the mass exodus of North East Indians from Bangalore.

"It is clear that the list was not compiled with sufficient care," Prakash writes in a post on the CIS website that reveals several egregious errors in the censorship process.

While the government put on its censor gear to apparently stop rumours from spreading, Prakash discovered that "people and posts debunking rumours have been blocked." Also there are some items on the list that do not even exist online.

The 309 items that were ordered to be blocked include URLs, Twitter accounts, img tags, blog posts, blogs, and a few websites.

Prakash, a graduate of the National Law School of India University, Bangalore, also raises the questions on the legal standing of the government's actions. "The blocking of many of the items on that list are legally questionable and morally indefensible, even while a some of the items ought, in my estimation, to be removed," he says.

Indian ISPs are also known to go overboard in their efforts to comply with any government order. There have been numerous incidents in the past when ISPs were asked to block a specific URL and they ended up blocking entire domains. The latest round of censorship is also no different. There have been reports of Airtel blocking the entire YouTube short URL youtu.be in some cities.

CIS hasn't published the complete list of the blocked items given "the sensitivity of the issue" but has posted a list of domains from which specific items have been asked to be blocked. The list follows:

ABC.net.au
AlJazeera.com
AllVoices.com
WN.com
AtjehCyber.net
BDCBurma.org
Bhaskar.com
Blogspot.com
Blogspot.in
Catholic.org
CentreRight.in
ColumnPK.com
Defence.pk
EthioMuslimsMedia.com
Facebook.com
Farazahmed.com
Firstpost.com
HaindavaKerelam.com
HiddenHarmonies.org
HinduJagruti.org
Hotklix.com
HumanRights-Iran.ir
Intichat.com
Irrawady.org
IslamabadTimesOnline.com
Issuu.com
JafriaNews.com
JihadWatch.org
KavkazCenter
MwmJawan.com
My.Opera.com
Njuice.com
OnIslam.net
PakAlertPress.com
Plus.Google.com
Reddit.com
Rina.in
SandeepWeb.com
SEAYouthSaySo.com
Sheikyermami.com
StormFront.org
Telegraph.co.uk
TheDailyNewsEgypt.com
TheFaultLines.com
ThePetitionSite.com
TheUnity.org
TimesofIndia.Indiatimes.com
TimesOfUmmah.com
Tribune.com.pk
Twitter.com
TwoCircles.net
Typepad.com
Vidiov.info
Wikipedia.org
Wordpress.com
YouTube.com
YouTu.be

For more details visit https://cis-india.org/news/www-ibnlive-in-com-haphazard-censorship-leaked-list-of-blocked-sites