We are anonymous, we are legion

Experts debate on UID and rights

radha — 2011-04-02T12:32:54Z

Bangalore, Apr 16, DHNS: A debate on ‘UID and Fundamental Rights’ organised by several city-based organisations, discussed the social, ethical issues, economic and legal issues that accompanies the UID.

Noted law researcher Usha Ramanathan said that according to available information, UID would tap into National Population Registry and gather data and biometrics of the whole population. “UID by itself would not result in profiling, but will act as a bridge between silos of information that will help profile the individual,” she noted.

She also said that lack of answers for issues that were raised six months ago were disturbing. “It is not just about privacy, but the power of the state as the UID will be feeding off many registers,” she added.

Speaking on the economics side of it, R Ramkumar from the Tata Institute for Social Sciences, Mumbai, said claims of financial inclusion or elimination of corruption in Public Distribution System and the rural employment guarantee scheme was not enough justification. “Service delivery cannot justify the violation of freedom. It is a misplaced emphasis on benefits of technology,” he remarked.

He criticised the government’s thinking that technology could substitute social transformation, commenting that technology could only aid social development in the presence of conducive circumstances and it would be erroneous to assume a linear relationship between development of technology and development of society.

Col Thomas Mathews of the Citizens Action Forum said that UID could not prevent corruption as technology has to be used by people and new ways would be devised to deprive deserving people of the services.

Link to the original article

For more details visit https://cis-india.org/news/experts-debate-on-uid-and-rights

Expert Committee meeting on 25th November, 2013

praskrishna — 2013-11-19T10:41:27Z

A meeting of the Expert Committee has been scheduled for 25th November, 2013 at 11.00 a.m. in R.No. 714 (7th Floor), Group Meeting Room, DBT, New Delhi to discuss the draft 'Human DNA Profiling Bill 2012' under the Chairmanship of Dr. T. S. Rao, Sr. Adviser, DBT.

This was communicated by Dr. Alka Sharma, Director/Scientist, Ministry of Science & Technology, Government of India to the following individuals:

Raghbir
RK Gupta
Murali Krishna Kumar
Sunil Abraham
Amar Jesani
Usha Ramanathan
Kamal Kumar
Dr. N. Madhusudan Reddy

For more details visit https://cis-india.org/news/expert-committee-meeting-november-25-2013

Expel or not? That is the question

praskrishna — 2011-04-02T12:48:28Z

The decision of an international school to expel 14 students for their alleged ‘promiscuous’ behaviour has led to much debate and discussion.

The International School Bangalore (TISB) said the students were caught in ‘compromising positions’ on several occasions. They did not heed the school’s repeated warnings to desist from such behaviour, school authorities said.

The authorities said they had enough ‘evidence’, collected from social networking sites, to support their claim. The students would not be allowed on the campus anymore. They would, however, be allowed to take the exam in May, the authorities said.

The students have denied the charges. Many boarding institutions said that policing students was not the right approach.

Some of the widely used measures to keep a check on students include monitoring social networking sites, banning laptops on campuses, not allowing students to lock room doors, having security guards patrol campuses and insisting on house masters accompanying students to any part of the campus or hostel after school hours.

“There is no point in expelling students for such an activity,” M Srinivasan, principal, GEAR School, said. “If the students had been indulging in such activities often, what were the school authorities doing till now? There is no point making rules if you cannot enforce them. Clearly, there was a lacuna in the system,” he said.

Many schools said they keep a tab on the online activities of students. “The IT department at the school tracks the Facebook accounts of students,” Bishwajeet Bhattacharya, public relations officer, Trio World School, said. “Trio also has a presence on Facebook. The administration has appointed officials to monitor what is being posted online regarding Trio,” he said. The officials also look for objectionable materials.

Authorities, however, admitted that it was difficult to check all the online activities. “It is impossible to monitor all the social networking sites. You can use evidence from online sites, but why go to that extreme? The children are on your campus, their behaviour on campus is what you should be concerned about,” Srinivasan said.

“At the hostel, dorm wardens conduct room checks every hour,” Chenraj Jain, chairman, Jain Group of Institutions, said. “We don’t police the students. Instead, we adopt a more holistic approach,” he said.

The grey area

The International School Bangalore (TISB) said it had expelled the 14 students after collecting “enough evidence”
from social networking sites about their inappropriate behaviour. The question is: does online content have
legal validity?

Experts believe it falls in the grey area. “India does not have any specific law that restricts users from joining social networking sites just because they are below a certain age,” Sunil Abraham, executive director of the Centre for Internet and Society, Bangalore, said. “Many other countries have such laws,” he said.

“If the pictures said to be posted by the students were legal (devoid of vulgarity) and were just posted on a personal profile and not on a college group, then the school was not right in expelling them,” he said. “Students are entitled to privacy and schools shouldn’t be intruding into their privacy. If the school had used snooping software to monitor the students’ online activities, then that is also wrong,” he said. “It’s a different story if one of their classmates had forwarded the pictures to the teacher,” he added.

For link to the original story

For more details visit https://cis-india.org/news/expel-or-not

Expect anti-net censorship echo in house

praskrishna — 2012-04-25T11:07:43Z

For the anti-Internet censorship movement in the country, hope is now in sight. Their fight against the intermediary provisions (section 79) of the IT laws, according to which, an intermediary (website, domain owner) would have to take off content that a third party (or complainant) finds ‘objectionable,’ without any room for appeal, has now garnered the attention of the government itself. What is at stake is our fundamental rights, warns CPM Member of Parliament P Rajeeve, who was perhaps the first at the government level to realise that there was a gaping hole in the provision, and took up the matter in the Rajya Sabha.

This blog post by Arpan Daniel Varghese was published in IBN Live on April 25, 2012

“A discussion on the annulment of the IT Act 2011 itself is likely to figure in the budget session of the Parliament on April 24. I am trying to mobilise other MPs. We have decided to convene a meeting of organizations, representatives of political parties and MPs to discuss this issue in detail,” says MP Rajeeve.

Noted Twitteratti and former Minister of State for External Affairs Shashi Tharoor too is concerned, particularly about the onus this places on Internet Service Providers.

“If a newspaper publishes something, you go after the newspaper, not the delivery boy. Yes, you can ask the delivery boy to stop delivering the newspaper, but that is such an extreme step that few democracies would contemplate. But what we are trying to do seems to go unacceptably far in this direction and needs further reconsideration,” Tharoor says, adding that he too is planning to raise the issue in the Lok Sabha.

Both Alok Dixit from ‘Save Your Voice’ and Sunil Abraham, the executive director of the Centre for Internet And Society (CIS), say they are speaking to MPs and others in the government and trying to initiate an motion in the Rajya Sabha against the intermediary provisions. And support has been pouring in from all quarters, be it cyber space or through the pan-India protests, including the recent one at the Marina Beach in Chennai that ‘Save Your Voice’ has been holding.

Alok, Sunil and scores of activists across the country are now pinning their hopes on the annulment motion introduced by MP Rajeeve, which is likely to be taken up during the second half of the Parliament session on Tuesday.
The main hassle, however, is ignorance. “People don’t even know about the laws. They are not aware of their rights. So, the kind of support we are getting is quite less,” says Alok.

The legal fraternity and the administration too face the same roadblock, agrees Kerala High Court advocate Jacob. “This is a new area and people are just learning the theoretical side of it. There are not many cases. Trained professionals are not there to train the legal fraternity itself,” he rues.

The fundamental question is, according to Sunil, “why should freedom of speech and expression be any different on the Internet?”
“Remember, this is the same Internet which brought out Kolaveri and structured the Anna movement. So, it affects you,” Alok signs off.

Read the original here

For more details visit https://cis-india.org/news/anti-net-censorship-echo-in-house

Examining the Constitutionality of the Ban on Broadcast of News by Private FM and Community Radio Stations

Gurshabad Grover, Torsha Sarkar, Rajashri Seal and Neil Trivedi — 2019-09-27T16:36:46Z

Gurshabad Grover and Torsha Sarkar along with Rajashri Seal and Neil Trivedi co-authored a paper that examined the constitutionality of the government prohibition on the broadcast of news against private and community FM channels.

In the article, the authors also mapped chronologically the history of the development of community and private radio channels in India. As part of the legal analysis, the authors examined the prohibition on the touchstones of existing Indian jurisprudence on media freedom and speech rights. Finally, they also utilized some key points made by the Additional Solicitor General in the Shreya Singhal case, to propose an alternative regulatory framework that would address both the interests of the radio channels and the government.

In 1995, the Supreme Court declared airwaves to be public property in the seminal case of The Secretary, Ministry of Information and Broadcasting v Cricket Association of Bengal, and created the stepping stones for liberalization of broadcasting media from government monopoly. Despite this, community radio and private FM channels, in their nearly two decades of existence, have been unable to broadcast their own news content because of the Government’s persisting prohibition on the same.In this paper, we document the historical developments surrounding the issue, and analyse the constitutional validity of this prohibition on the touchstone of the existing jurisprudence on free speech and media freedom. Additionally, we also propose an alternative regulatory framework which would assuage the government’s apprehensions regarding radicalisation through radio spaces, as well as ensure that the autonomy of these stations is not curtailed.

Click to download the full paper by NLUD Journal of Legal Studies here.

For more details visit https://cis-india.org/internet-governance/blog/nlud-journal-of-legal-studies-september-27-2019-gurshabad-grover-torsha-sarkar-rajashri-seal-neil-trivedi-examining-the-constitutionality-of-ban-on-broadcast-of-news-by-private-fm-and-community-radio-stations

EVMs: How transparent is the Indian election process?

praskrishna — 2017-03-17T01:57:19Z

Electronic Voting Machines (EVMs) have become a bone of contention after the results of the Assembly elections in five states were declared last Saturday and the BSP president Mayawati alleged tampering. The Congress party and the Aam Aadmi Party (AAP) have called for a probe into her allegation. Social media too is abuzz with messages and videos showing how the machines can be allegedly manipulated to sway the votes in favour of a particular candidate.

The article by Smriti Sharma Vasudeva was published in the Statesman on March 14, 2017. Pranesh Prakash was quoted.

Overnight, several videos on Whatsapp have surfaced wherein people can be seen explaining the "mechanism" on how to alter the votes polled for a candidate in another candidate's favour. Several similar posts and articles are doing the rounds on Facebook.

BBC added fuel to the fire when it shared a 2010 article on how 'US "Scientists" hack India Electronic Machines' . The article details how scientists at a US university say they have developed a technique to hack into Indian electronic voting machines. While the article was posted on the BBC website a day after the election results were declared, it drew considerable flak from users on Facebook who criticised the website for its 'irresponsible' act of sharing an article with a "click bait" headline just to grab eyeballs.

Amid all this frenzy, the Election Commission of India has issued statements clarifying how the entire process is transparent and fool proof and tampering with the EVMs is a far-fetched thing given the checks and balances in place. For instance, the EVMs undergo the process of randomisation wherein which machine will go to which constituency and to which booth is not known to anyone till the last moment. Similarly, before the polling starts, mock polling takes place in the presence of representatives of all the political parties and then each of these machines are tested and a satisfactory report is generated and only after that polling begins.

However, all these checks and balances still do not ensure a fool proof system if experts are to be believed.

Pranesh Prakash, Policy Director for The Centre for Internet and Society, a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives, said: "The Electronic Voting Machines used in India are the simplest, with no large operating system requirements and are not networked. Thus, from a software design perspective, these are really good and the chances of these being tampered with are bleaker. However it doesn't mean these are fool proof. Most of the developed countries do not trust these machines and these are definitely not secure enough for democratic elections.

"While there are many advantages of using EVMs in the electoral process over the traditional ballot papers, still there are many ways in which one can tamper with these machines without any technical ingenuity. The best way is to make use of the EVMs and ensure that the Voter Verified Paper Audit Trail (VVPAT) are effectively utilised to make it an overall effective system".

Recently, the Supreme Court had mandated that VVPAT machines should be used in all the polls and thus the Election Commission had installed VVPAT machines in several constituencies. However, not sure of the efficacy of this system, the Election Commission had itself raised apprehensions regarding performance of the paper-trail machine, which gives a receipt to the voter, verifying the vote went in favour of the candidate against whose name the button was pressed on the electronic voting machine.a

For more details visit https://cis-india.org/internet-governance/news/the-statesman-smriti-sharma-vasudeva-march-14-2017-evms-how-transparent-is-the-indian-election-process

Every Town had its Jio Dara

Ayswarya Murthy — 2017-12-21T16:24:52Z

Strap: In the hills of Darjeeling, residents facing an indefinite internet shutdown were thrown an unexpected lifeline in the form of 'Jio dara', a feeble signal from Sikkim towers that nevertheless kept a small line of communication open between the besieged towns in the region and the rest of the world.

Bangalore, Karnataka: Alvin Lama writes rock music is his downtime, and these days his songs are rather politically charged. The 100-day internet shutdown in Darjeeling during the Gorkaland agitation in 2017 inspired his latest single, titled Jio Dara. In Lama’s song, he tells his listeners, “Come let’s go to Jio Dara” where they can be free from the prison of internet shutdown to send and receive messages from the outside world. “I am using that window of access to tell people about our struggle. It has a bit of an anti-administration message,” he says.


View from Carmichael Ground, a Jio Dara spot (Picture Courtesy: Nisha Chettri, Caffeine and Copies)

Jio Dara (‘dara’ meaning ‘hillock’), also alternatively called ‘Reliance gully’, was not always a specific place but a small window of opportunity during which a weak 2G signal could be accessed in the hills. Towns like Darjeeling and Kalimpong lie very close to the border of West Bengal, separated from their northern neighbour Sikkim by the river Rangeet; and often in the hills along the river bank, phones pick faint signals from the mobile phone towers in Sikkim. For a population that was completely shut off from the outside world, even this thin, fragile lifeline was precious. “I was not here during the agitation but somehow would get information about what was happening in the hills from my family and friends through the Jio Dara,” Alvin says.

Alvin, also founder director & CEO of the Good Shepard Institute of Hospitality Management, is not the only musician to immortalise Jio Dara in song. Young student Saif Ali Khan and his friends also wrote and composed their own ode to this happy accident. “It was really born out of boredom,” he says. “My brother, my friends and I were sitting around the campus and chatting. Classes were cancelled due to the strike and our education was on hold. And we overhead a couple talking about where they were going to go for their date. Of course, we should go to Jio Dara, the girl said, and that led to an argument.”

This sparked off their Jio Dara song which was written, composed and recorded by Khan and his friends under their Firfiray Productions. A satirical take on the internet shutdown and how it has affected the lives of the students in Darjeeling, the song plays out like a dialogue between two lovers and serves as a light-hearted look at a situation that was anything but.

For three months between June and September, the administration had shut down internet access in Darjeeling and in its surrounding hills. This prevented the outside world from hearing the voices of the Gorkhaland protesters but information still trickled out, as it is wont to do, through various sources, one of these being the Jio Dara.

How did this work? Reliance Jio had not long ago made a big splash in India’s telecom market with cheap unlimited data packs and lifetime validity deals, and many had switched to Jio to take advantage of this. This was what eventually gave Jio users the edge, helping them tap into the signal from the towers across the border. While it isn't clear whether signals from other networks were also available in these spots (information varies from they were no other networks at all to there were some but they were even weaker than Jio), what's certain is that without the free internet that Jio subscribers enjoyed, access to the internet through other networks was not feasible after a point because recharging your number at the local mobile shop wasn't an option anymore.

These hotspots used to vary, according to Lama. “The signal would be strong today, but next day one might have to move a few hundred metres up or down till they connected with the network. So, you would go searching in the hills till you get a signal and then the word would spread,” he says. People in Darjeeling were lucky in that their Jio Dara was inside town near the mall in Chowrasta, but it was not as convenient in Kalimpong. One had to travel a couple of kilometres from the city centre to Carmichael grounds, sometimes go even further up the hill towards areas that were facing Sikkim. “People would get to know through word-of-mouth and the number of people there would snowball,” Lama tells us. People, young and old, would come to log in, even though the connection was patchy and slow, to talk about the events of the day, upload pictures, connect with family and friends and basically tell the world what really was happening in Darjeeling.

It became an unofficial symbol of resistance. Each town had its very own Jio Dara and it transcended merely a physical location to become an idea. “Our habits changed after June 18, when the government undemocratically blocked the internet service in the hills,” writes Nisha Chettri, a journalist with the Statesman, in her blog ‘Caffeine and Copies’. Carmichael Ground in Kalimpong invariably became a meeting spot for all sorts of occasions – birthdays, dates, get-togethers. She says that some Jio users even shared their mobile hotspot with others so that everyone could use the internet.

Local journalists would file their stories and upload their pictures side by side with ordinary citizens updating their social media statuses. It helped journalists like the Telegraph’s Passan Yolmo to maintain a line of communication with his publishers. Most evenings he would connect to the Jio Dara to send across photographs from the day, as many as the feeble 2G connection would allow.

“I don’t know who first found this spot behind Chowrasta,” says Khan. Perched in the centre of the city and at a higher elevation than the rest, Chowrasta is a popular tourist destination in Darjeeling; so it couldn’t have been long before people stumbled onto this secret. “I accidentally discovered it one day when I walked past it and suddenly my phone started pinging and I received a bunch of texts on WhatsApp. I checked my phone and realised I was connected to Sikkim’s Jio network.”

Ayswarya Murthy is a Bangalore-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/every-town-had-its-jio-dara

Event Report on Intermediary Liability and Gender Based Violence

akriti — 2018-12-21T07:16:41Z

This report is a summary of the proceedings of the Roundtable Conference organized by the Centre for Internet and Society (CIS) at the Digital Citizen Summit, an annual summit organized by the Digital Empowerment Foundation. It was conducted at the India International Centre in New Delhi on November 1, 2018 from 11.30 a.m. to 12.30 p.m.

With inputs and edited by Ambika Tandon. Click here to download the PDF

Introduction

Background

The topic of discussion was intermediary liability and Gender Based Violence (GBV), the debate on GBV globally and in India evolving to include myriad forms of violence in online spaces in the past few years. This ranges from violence native to the digital, such as identity theft, and extensions of traditional forms of violence, such as online harassment, cyberbullying, and cyberstalking^[1]. Given the extent of personal data available online, cyber attacks have led to a variety of financial and personal harms.^[2] Studies have explored the extent of psychological and even physical harm to victims, which has been found to have similar effects to violence in the physical world^[3]. Despite this, technologically-facilitated violence is often ignored or trivialised. When present, redressal mechanisms are often inadequate, further exacerbating the effects of violence on victims.

TheRoundtable explored ways of how intermediaries can help tackle gender based violence and discussed attempts at making the Internet a safer place for women which can ultimately help make it a gender equal environment. It also analyzed the key concerns of privacy and security leading the conversation to how we can demand more from platforms for our protection and how best to regulate them.

The roundtable had four female and one male participants from various civil society organisations working on rights in the digital space.

Roundtable Discussion

Online Abuse

The discussion commenced with the acknowledgement of it being well documented that women and sexual minorities face a disproportionate level of violence in the digital space, as an extension/reproduction of physical space. GBV exists on a continuum from the physical, verbal, and technologically enabled, either partially or fully, with overflowing boundaries and deep interconnections between different kinds of violence. Some forms of traditional violence such as harassment, stalking, bullying, sex trafficking, extend themselves into the digital realm while other forms are uniquely tech enabled like doxxing and morphing of imagery. Due to this considerations of anonymity, privacy, and consent, need to be re-thought in the context of tech enabled GBV. These come into play in a situation where the technological realm has largely been corporatised and functions under the imperative of treating the user and their data as the final product.

It was noted early on that GBV online can be a misnomer because it can be across a number of spaces and, the participants concentrated on laying down the specific contours of tech mediated or tech enabled violence. One of the discussants stated that the term GBV is a not a useful one since it does not encompass everything that is talked about when referring to online abuse. The phenomenon that gets the most traction is trolling on social media or abuse on social media. This is partly because it is the most visible people who are affected by it, and also since often, it is the most difficult to treat under law. In a 2012 study by the Internet Democracy Project focusing on online verbal abuse in social media, every woman they interviewed started by asserting that she is not a victim. The challenge with using the GBV framework is that it positions the woman as a victim. Other incidents on social media such as verbal abuse where there are rape threats or death threats, especially when there is an indication that the perpetrator is aware of the physical location of the victim, need to be treated differently from say online trolling.

Further, certain forms of violence, such as occurrences of ‘revenge porn’ or the non-consensual sharing of intimate images, including rape videos are easier to fit within the description of GBV. It is important to make these distinctions because the remedies then should be commensurate with perceived harm. It is not appropriate to club all of these together since the criminal threshold for each act is different. Whereas being called a “slut” or a “bitch” would not be enough for someone to be arrested, if a woman is called that repetitively by a large number of people the commensurate harm could be quite significant. Thus, using GBV as a broad term for all forms of violence ends up invisiblising certain forms of violence and prevents a more nuanced treatment of the discussion.

In response to this, a participant highlighted the normalisation of gendered hate speech, to the extent of lack of recognition as a form of hate speech. This lacunae in our law stems from the fact that we inherited our hate speech laws from a colonial era where it was based on the grounds of incitement of violence, more so physical violence. As a result, we do not take the International Covenant on Civil and Political Rights (ICCPR) standard of incitement to discrimination. If the law was based on an incitement to discriminate point of view then acts of trolling could come under hate speech. Even in the United Kingdom where there is higher sentencing for gender based crime as compared to other markers of identity such as race, gender does not fall under the parameters of hate speech. This can also be attributed to the threshold at which criminalization kicks in for such acts.

A significant aspect of online verbal abuse pointed out by a participant was that it does not affect all women equally. In a study, the Twitter accounts of 12 publicly visible women across the political spectrum were looked at for 2 weeks in early December, 2017. They were filtered against keywords and analyzed for abusive content. One Muslim woman in the study had extremely high levels of abuse, being consistently addressed as “Jihad man, Jihad didi or Jihad biwi”. According to the participant, she is also the least likely to get justice through the criminal system for such vitriol and as such, this disparity in the likelihood of facing online abuse and accessing official redressal mechanisms should be recognized. Another discussant reaffirmed the importance of making a distinction between online abuse against someone as opposed to gender based violence online where the threat itself is gendered.

In a small ethnographic study with the Bangalore police undertaken by one of the participants, the police were asked for their opinion on the following situation: A women voluntarily providers photos of herself in a relationship and once the relationship is over, the man distributes it. Is there a cause for redressal?

Policemen responded that since she gave it voluntarily in the first instance, the burden of the consequences is now on her. So even in a feminist framework of consent and agency where we have laws for actions of voyeurism and publishing photos of private parts, it is not being recognized by institutional response mechanisms.

Intermediary Liability

Private communications based intermediaries can be understood to be of two types: those that enable the carriage/transmission of communications and provide access to the internet, and those that host third party content. The latter have emerged as platforms that are central to the exercising of voice, the exchange of information and knowledge, and even the mobilisation of social movements. The norms and regulations around what constitutes gender based violence in this realm is then shaped not only by state regulations, but content moderation standards of these intermediaries. Further, the kinds of preventive tools and tools providing redressal are controlled by these platforms. More than before, we are looking deeper into the role of these companies that function as intermediaries and control access to third party content without performing editorial functions.

In the Intermediary Liability framework in the United States formulated in the 1990s, the intermediaries that were envisioned were not the intermediaries we have now. With time, the intermediary today is able to access and possess your data while urging a certain kind of behaviour from you. There is then an intermediary design duty which is not currently accounted for by the law. Moreover, the law practices a one size fits all regime whereas what could be more suitable is having approached tailored as per the offence. So for child pornography, a ‘removal when uploaded’ action using artificial intelligence or machine learning is appropriate but a notice and takedown approach is better for other kinds of content takedown.

Globally, another facet is that of safe harbour provisions for platforms. When intermediaries such as Google and Facebook were established, they were thought of as neutral pipes since they were not creating the content but only facilitating access. However, as they have scaled and as their role in ecosystem has increased, they are now one of the intervention points for governments as gatekeepers of free speech. One needs to be careful in asking for an expansion of the role and responsibilities of platforms because then complementary to that we will also have to see that the frameworks regulating them need to be revisited. Additionally, would a similar standard be applicable to larger and smaller intermediaries, or do we need layers of distinction between their responsibilities? Internet platforms such as the GAFA (Google, Apple, Facebook and Amazon) yield exceptional power to dictate what discourse takes place and this translates into the the online and offline divide disappearing. Do we then hold these four intermediaries to a separate and higher standard? If not, then all small players will be held to stringent rules disadvantaging their functioning and ultimately, stifling innovation. Thus, regulation is definitely needed but instead of a uniform one, one that’s layered and tailor-made to different situations and platform visibility levels could be more useful.

Some participants shared the opinion that because these intermediaries are based in foreign countries and have primary legal obligations there, the insulation plays out in the citizen’s benefit. It lends itself a layer of freedom of speech and expression that is not present in the substantive law, rule of law framework or the institutional culture in India.

Child pornography is an area where platforms are taking a lot of responsibility. Google has spoken about how they have been using machine learning algorithms to block 40% of such content and Microsoft is also working on a similar process. If we argue for more intervention from platforms, we simultaneously also need to look at their machine learning algorithms. Concerns of how these algorithms are being deployed and further, being incorporated into the framework of controlling child pornography are relevant since there is not much accountability and transparency regarding the same.

Another fraction that has emerged from recent events is the divide between traditional form of media and new media. Taking the example of rape victims and sexual harassment claims, there are strict rules regarding the kinds of details that can be disclosed and the manner in which this is to be done. In the Kathua rape case, for instance, the Delhi High Court sent a notice to Twitter and Facebook for revealing details because there are norms around this even though they have not been applicable to platforms. Hence, there are certain regulations that apply to old media that have now escaped in the frameworks applicable to the new media and at some level that gap needs to be bridged.

Role of Law

One of the participants brought up the question; what is the proper role of the law and does it come first or last? In case of the latter, the burden then falls upon the kind of standard setting that we do as a society. The role of platforms as an entity in mediating the online environment was discussed, given the concerns that have been highlighted about this environment, especially for women. The third thing to be considered is whether we run the risk of enforcing patriarchal behaviour by doubling down on the either of the two aforementioned factors. If legal standards are made too harsh they may end up reinforcing a power structure that is essentially dominated by upper caste men who comprise a majority of staff within law enforcement and the judiciary. Even though the subordinate judiciary do have mahila courts now, the application of the law seems to reify the position of the woman as the victim. This also brings up the question of who can become a victim within such frameworks, where selective bias such as elements of chastity come to play as court functions are undertaken.

An assessment of the way criminal law in India is used to stifle free speech was carried out in 2013 and repeated in 2018, illustrating how censorship law is used to stifle voices of minorities and people critical of the political establishment. Even though it is perhaps time to revisit the earlier conceptualizations of intermediaries as neutral pipes, it is concerning to look at the the court cases regarding safe harbour in India. Many of them are carried out with the ostensible objective of protecting women's rights. In Kamlesh Vaswani V Union of India, the petition claims that porn is a threat to Indian women and culture, ignoring the reality that many women watch porn as well. Pornhub releases figures on viewership every year, and of the entirety of Indian subscribers one third are women. This is not taken into account in such petitions. In Prajwala V Union of India, an NGO sent the Supreme Court a letter raising concerns about videos of sexual violence being distributed on the internet. The letter sought to bring attention to the existence of such videos, as well as their rampant circulation on online platforms. At some point in the proceedings, the Court wanted the intermediaries to use keywords to take down content and keeping aside poor implementation, the rationale behind such a move is problematic in itself. For instance, if you choose sex as one of those words then all sexual education will disappear from the Internet. There are many problems with court encouraged filtering systems like one where a system automatically tells you when a rape video goes up. The question arises of how will you distinguish between a video that was consensually made depicting sexual activities and a rape video. The narrow minded responses to the Sabu Mathew and Prajwala cases originate in the conservative culture regarding sexual activity prevalent in India.

In a research project undertaken by one of the participants in the course of their work, they made a suggestion to include gender, sexuality and disability as grounds for hate speech while working with women’s rights activists and civil society organisations. This suggestion was not well received as they vehemently opposed more regulation. In their opinion, the laws that India has in place are not being upheld and creating new laws will not change if the implementation of legislation is flawed. For instance, even though the Supreme Court stuck down S.66A, Internet Freedom Foundation has earlier provided instances of its continued usage by police officers to file complaints.^{^[4]} Hate speech laws can be used to both ends, even though unlike in the US they do not determine whose speech they want to protect. Consequently, in the US a white supremacist gets as much protection as a Black Lives Matter activist but in India, that is not the case. The latest Law Commission Report on hate speech in India tries to make progress by incorporating the ICCPR view of incitement to discriminate and include dignity in the harms. It specifically speaks about hate speech against women saying that it does not always end up in violence but does result in a harm to dignity and standing in society. Often, protectionist forms of speech such as hate speech often end up hurting the people it aims to protect by reinforcing stereotypes.

Point of View undertook a study where they looked at the use of S.67 in the Information Technology (IT) Act which criminalizes obscene speech when you use a medium covered by the IT, in which they found that the section was used to criminalize political speech. In many censorship cases, the people who those provisions benefit are the ones in power.^{^[5]} For instance in S.67, obscenity provisions do not protect women's rights, they protect morality of society. Even though these are done in the name of protecting women, when a woman herself decides that she wants to publish a revealing picture of herself online, it is disallowed by the law. That kind of control of sexuality is part of a larger patriarchal framework which does not support women's rights or recognise her sexuality. However, under Indian law, there are quite a few robust provisions for image based abuse, and there is some recognition of women in particular being vulnerable to it. S.66A of the IT Act specifically recognizes that it is a criminal activity to share images of someone’s private parts without their consent. This then also encompasses instances of ‘revenge porn’. That provision has been in place in India since 2008, in contrast to the US where half the states still do not have such a provision. Certain kinds of vulnerability have adequate recognition in the law, thus one should be wary of calls of censorship and lowering the standards for criminalizing speech.

Non-legal interventions

This section centres around the discussions of redressal mechanisms that can be used to address some of the forms of violence which do not emanate from the law. All of the participants emphasized the importance of creating safe spaces through non-legal interventions. It was debated whether there is a need to always approach the law or if it is possible to categorize forms of online violence according to the gravity of the violation committed. These can be in the form of community solutions where law is treated as the last resort. For instance, there was support for using community tools such as ‘feminist trollback’ where humor can be used to troll the trolls. Trolls feed on the fear of being trolled, so the harm can be mitigated by using community initiatives wherein the target can respond to the trolls with the help of other people in the community. It was reiterated that non technical and legal interventions are needed not only from the perspective of power relations within these spaces but also access to the spaces in the first place. Accordingly, the government should work on initiatives that get more women online and focus on policies that makes smartphones and data services more accessible. This would also be a good method to increase the safety of women and benefit from the strength in numbers.

In cases of the non-consensual sharing of intimate images, law can be the primary forum but in cases of trolling and other social media abuse, the question was raised - should we enhance the role of the intermediary platforms? Being the first point of intervention, their responsibility should be more than it currently is. However this would require them to act in the nature of police or judiciary and necessitate an examination of their algorithms. A large proportion of the designers of such algorithms are white males, which increases the possibility of their biases against women of colour for instance, to feed into the algorithms and reinforce a power structure that lacks accountability.

Participants questioned the lack of privacy in design with the example in mind being of how registrars do not make domain owner details private by default. Users have to pay an additional fee for not exposing their details to public and the notion of having to pay for privacy is unsettling. There is no information being provided during the purchasing of the domain name about the privacy feature as well. It was acknowledged that for audit and law enforcement purposes it is imperative to have the information of the owner of a domain name and their details since in cases of websites selling fake medicines, arms or hosting child pornography. Thus, it boils down to the kind of information necessary for law enforcement. Global domain name rules also impact privacy on the national level. The process of ascertaining the suitability and necessity of different kinds of information excludes ordinary citizens since all the consultations take place between the regulatory authority and the state. This makes it difficult for citizens to participate and contribute to this space without government approval.

Issues were flagged against community standards in that the violence that occurs to women is also because the harms are not equal for all. Further, some users are targeted specifically because of the community they come from or the views they have. Often also because, they represent a ‘type’ of a woman that does not adhere to the ‘ideal’ of a woman held by the perpetrator. Unfortunately community standards do not recognise differential harms towards certain communities in India or globally. Twitter, for example, regularly engages in shadow banning and targets people who do not conform to the moral views prevalent in that society where the platform is engaging in censorship. We know these instances occur only when our community members notice and notify us of the same. There is a certain amount of labor that the community has already put in flagging instances of these violations to the intermediary which also needs recognition. In this situation, Twitter is disproportionately handling how it engages with the two entities in question. Community standards could thus become a double edged sword without adding additional protections for certain disadvantaged communities.

Conclusion

Currently, intermediaries are considered neutral pipes through which content flows and hence have no liability as long as they do not perform editorial functions. This has also been useful in ensuring that the freedom of speech is not harmed. However, given their potential ability to remedy this problem, as well as the fact that intermediaries sometimes benefit financially from such activities, it is important to look at the intermediaries’ responsibility in addressing these instances of violence. Governments across the world have taken different approaches to this question^{^[6]}. Models, such as in the US, where intermediaries have been solely responsible to institute redressal mechanisms have proven to be ineffectual. On the other hand, in Thailand, where intermediaries are held primarily liable for content, the monitoring of content has led to several free speech harms.

People are increasingly looking at other forms of social intervention to combat online abuse since technological and legal ones do not completely address and resolve the myriad issues emanating from this umbrella term. There is also a need to make the law gender sensitive as well as improving the execution of laws at ground level, possibly through sensitisation of law enforcement authorities. Gender based violence as a catchall phrase does not do justice to the full spectrum of experiences that victims face, especially women and sexual minorities. Often these do not attract criminal punishment given the restricted framework of the current law and need to be seen through the prism of hate speech to strengthen these provisions.

Some actions within GBV receive more attention than others and as a consequence, these are the ones platforms and governments are most concerned with regulating. Considerations of free speech and censorship and the role of intermediaries in being the flag bearers of either has translated into growing calls for greater responsibility to be taken by these players. The roundtable raised some key concerns regarding revisiting intermediary liability within the context of the scale of the platforms, their content moderation policies and machine learning algorithms.

^{^[1]} See Khalil Goga, “How to tackle gender-based violence online”, World Economic Forum, 18 February 2015, <https://www.weforum.org/agenda/2015/02/how-to-tackle-gender-based-violence-online/>. See also Shiromi Pinto, “What is online violence and abuse against women?”, 20 November 2017, Amnest International, <https://www.amnesty.org/en/latest/campaigns/2017/11/what-is-online-violence-and-abuse-against-women/>.

^{^[2]} Nidhi Tandon, et. al., “Cyber Violence Against Women and Girls: A worldwide wake up call”, UN Broadband Commission for Digital Development Working Group on Broadband and Gender, <http://www.unesco.org/new/fileadmin/MULTIMEDIA/HQ/CI/CI/images/wsis/GenderReport2015FINAL.pdf>

^{^[3]} See Azmina Dhrodia, “Unsocial Media: The Real Toll of Online Abuse against Women”, Amnesty Global Insights Blog, <https://medium.com/amnesty-insights/unsocial-media-the-real-toll-of-online-abuse-against-women-37134ddab3f4>

^{^[4]} See Abhinav Sekhri and Apar Gupta, “Section 66A and other legal zombies”, Internet Freedom Foundation Blog, <https://internetfreedom.in/66a-zombie/?

^{^[5]} See Bishakha Datta “Guavas and Genitals”, Point of View <https://itforchange.net/e-vaw/wp-content/uploads/2018/01/Smita_Vanniyar.pdf>

^{^[6]} ‘Examining Technology-Mediated Violence Against Women Through a Feminist Framework: Towards appropriate legal-institutional responses in India’, Gurumurthy et al., January 2018.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-liability-and-gender-based-violence

Even years later, Twitter doesn't delete your direct messages

Zack Whittaker and Natasha Lomas — 2019-02-18T14:17:54Z

When does “delete” really mean delete? Not always, or even at all, if you’re Twitter .

The blog post by Zack Whittaker and Natasha Lomas was published in Tech Crunch on February 15, 2019. Karan Saini was quoted.

Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini.

Saini found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient — though, the bug wasn’t able to retrieve messages from suspended accounts.

Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.

Direct messages once let users “unsend” messages from someone else’s inbox, simply by deleting it from their own. Twitter changed this years ago, and now only allows a user to delete messages from their account. “Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account “deactivated and then deleted.” After a 30-day grace period, the account disappears, along with its data.

But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts. By downloading your account’s data, it’s possible to download all of the data Twitter stores on you.

A conversation, dated March 2016, with a suspended Twitter account was still retrievable today (Image: TechCrunch)

Saini says this is a “functional bug” rather than a security flaw, but argued that the bug allows anyone a “clear bypass” of Twitter mechanisms to prevent accessed to suspended or deactivated accounts.

But it’s also a privacy matter, and a reminder that “delete” doesn’t mean delete — especially with your direct messages. That can open up users, particularly high-risk accounts like journalist and activists, to government data demands that call for data from years earlier.

That’s despite Twitter’s claim that once an account has been deactivated, there is “a very brief period in which we may be able to access account information, including tweets,” to law enforcement.

A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”

Retaining direct messages for years may put the company in a legal grey area ground amid Europe’s new data protection laws, which allows users to demand that a company deletes their data.

Neil Brown, a telecoms, tech and internet lawyer at U.K. law firm Decoded Legal, said there’s “no formality at all” to how a user can ask for their data to be deleted. Any request from a user to delete their data that’s directly communicated to the company “is a valid exercise” of a user’s rights, he said.

Companies can be fined up to four percent of their annual turnover for violating GDPR rules.

“A delete button is perhaps a different matter, as it is not obvious that ‘delete’ means the same as ‘exercise my right of erasure’,” said Brown. Given that there’s no case law yet under the new General Data Protection Regulation regime, it will be up to the courts to decide, he said.

When asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter’s spokesperson had “nothing further” to add.

For more details visit https://cis-india.org/internet-governance/news/zack-whittaker-natasha-lomas-february-15-2019-tech-crunch-even-years-later-twitter-doesnt-delete-your-direct-messages

European Union Draft Report Admonishes Mass Surveillance, Calls for Stricter Data Protection and Privacy Laws

divij — 2014-09-30T08:52:45Z

Ever since the release of the “Snowden files”, the secret documents evidencing the massive scale of surveillance undertaken by America’s National Security Agency and publically released by whistle-blower Edward Snowden, surveillance in the digital age has come to the fore of the global debate on internet governance and privacy.

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in its draft report on global surveillance has issued a scathing indictment of the activities of the NSA and its counterparts in other member nations and is a welcome stance taken by an international body that is crucial to the fight against surveillance.

The "European Parliament Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs" released on the 8^th of January, 2014, comprehensively details and critiques the mass surveillance being undertaken by government agencies in the USA as well as within the EU, from a human rights and privacy perspective. The report examines the extent to which surveillance systems are employed by the USA and EU member-states, and declares these systems in their current avatars to be unlawful and in breach of international obligations and fundamental constitutional rights including "the freedom of expression, of the press, of thought, of conscience, of religion and of association, private life, data protection, as well as the right to an effective remedy, the presumption of innocence and the right to a fair trial and non-discrimination".

Furthermore, the report points to the erosion of trust between the EU and the US as well as amongst member states as an outcome of such secret surveillance, and criticises and calls for a suspension of the data-sharing and transfer agreements like the Terrorist Finance Tracking Program (TFTP), which share personal information about EU citizens with the United States, after examining the inadequacy of the US Safe Harbour Privacy principles in ensuring the security of such information.

After considering the secret and unregulated nature of these programmes, the report points to the need of restricting surveillance systems and criticizes the lack of adequate data protection laws and privacy laws which adhere to basic principles such as necessity, proportionality and legality.. It also questions the underlying motives of these programmes as mere security-tools and points to the possible existence of political and economic motives behind their deployment. Recognizing the pitfalls of surveillance and the terrible potential for misuse, the report "condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries."

Amongst the recommendations in the 51-page report are calls for a prohibition of mass surveillance and bulk data collection, and an overhaul of the existing systems of data-protection across the European Union and in the US to recognize and strengthen the right to privacy of their citizens, as well as the implementation of democratic oversight mechanisms to check security and intelligence agencies. It also calls for a review of data-transfer programmes and ensuring that standards of privacy and other fundamental rights under the European constitution are met. The committee sets out a 7-point plan of action, termed the European Digital Habeus Corpus for Protecting Privacy, including adopting the Data Protection Package, suspending data transfers to the US until a more comprehensive data protection regime is through an Umbrella Agreement, enhancing fundamental freedoms of expression and speech, particularly for whistleblowers, developing a European Strategy for IT independence and developing the EU as a reference player for democratic and neutral governance of the internet.

Though this draft report has no binding legal value as yet, the scathing criticism has assisted in calling to the attention of the global community the complex issues of internet governance and privacy and surveillance, and generated debate and discourse around the need for an overhaul of the current system. The recent decision of the US government to ‘democratize’ the internet by handing control of the DNS root zone to an international body, and thereby relinquishing a large part of its means of controlling the internet, is just one example of the systemic change that this debate is generating.

For more details visit https://cis-india.org/internet-governance/blog/european-union-draft-report-admonishes-mass-surveillance

European Summer School on Internet Governance

Admin — 2019-07-23T00:30:15Z

The 13th European Summer School on Internet Governance was held at Meissen in Germany from 13 - 20 July 2019. Akriti Bopanna attended the school. The event was organized by EuroSSIG.

More information on the event can be accessed on this page.

For more details visit https://cis-india.org/internet-governance/news/european-summer-school-on-internet-governance

European E-Evidence Proposal and Indian Law

vipul — 2018-12-23T16:45:02Z

In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.

The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (EPOs) and European Preservation Orders (EPROs) to entities in any other EU member country (together the “Data Orders”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.

In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.

Part I - E-evidence Directive and Regulation

The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc. or any website which has a subscription based model and allows access to subscribers in Europe would potentially be covered by the E-evidence Proposal. The EPRO, similarly to the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.^{^[1]} Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.

While EPOs to produce subscriber data^{^[2]} and access data^{^[3]} can be issued for any criminal offence an EPO for content data^{^[4]} and transactional data^{^[5]} may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.

To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.

Grounds on which EPOs can be issued

The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation which makes it very clear that a Data Order may only be issued in a case if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data and subjects the production and preservation of the former to stricter requirements. Therefore while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of atleast 3 years and above. In addition to that EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years, otherwise it would become extremely difficult to secure convictions in those offences.^{^[6]}

The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”

Grounds to Challenge EPOs

Service Providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation such as, if it was not issued by a proper issuing authority, if the provider cannot comply because of a de facto impossibility or force majeure, if the data requested is not stored with the service provider or pertains to a person who is not the customer of the service provider.^{^[7]} In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in specified Form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.^{^[8]}

If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate along with the reasons given by the service provider for non compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence; or the data cannot be provided due to one of the following reasons:

(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;

(b) the European Production Order has not been issued for an offence provided for by Article 5(4);

(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;

(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;

(e) the service is not covered by this Regulation;

(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.

In addition to the above mechanism the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request a review of the order by a court in the member country. If the court concludes that a conflict as claimed by the service provider exists, the court shall notify authorities in the third-party country and if that third-party country objects to execution of the EPO, the court must set it aside.^{^[9]}

A service provider may also refuse to comply with an order because it would force the service provider to violate a third-country law that protects interests other than fundamental rights or national security and defense. In such cases, the Regulation provides that the same procedure be followed as in case of law protecting fundamental rights or national security and defense, except that in this case the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the order.^{^[10]}

Service Provider “Offering Services in the Union”

As is clear from the discussion above, the proposed regime puts an obligation on service providers offering services in the Union to designate a legal representative in the European Union, whether the service provider is physically located in the European Union or not. This appears to be a fairly onerous obligation for small technology companies which may involve a significant cost to appoint and maintain a legal representative in the European Union, especially if the service provider is not located in the EU. Therefore the question arises as to which service providers would be covered by this obligation and the answer to that question lies in the definitions of the terms “service provider” and “offering services in the Union”.

The term service provider has been defined in Article 2(2) of the Directive as follows:

“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:

(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];^{^[11]}

(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council^{^[12]} for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;

(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”

Thus broadly speaking the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. An important qualification that has been added in the definition is that it covers only those services where “storage of data is a defining component of the service”. Therefore, services for which the storage of data is not a defining component are not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; and therefore it specifically provides that services for which the storage of data is not a main characteristic and is thus only of an ancillary nature would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.^{^[13]}

This does not mean that all such service providers offering the type of services in which data storage is the main characteristic, in the EU, would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:

“‘offering services in the Union’ means:

(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and

(b) having a substantial connection to the Member State(s) referred to in point (a);”

Clause (b) of the definition is the main qualifying factor which would ensure that only those entities whose offering of services has a “substantial connection” which the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through mere accessibility of the service provider’s or an intermediary’s website in the EU) should not be a sufficient condition for the application of such an onerous condition and therefore the concept of a “substantial connection” was inserted to ascertain a sufficient relationship between the provider and the territory where it is offering its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there are a significant number of users in one or more EU member countries, or the “targeting of activities” towards one or more EU member countries. The “targeting of activities” may be determined based on various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, providing local advertising or advertising in the language used in an EU member country, making use of any information originating from persons in EU member countries in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.^{^[14]}

Part II - EU Directive and Service Providers located in India

In this part of the article we will discuss how companies based in India and running websites providing any “service” such as social networking, subscription based video streaming, etc. such as Hike or AltBalaji, Hotstar, etc. and how such companies would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal since one would assume that there may not be any storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details such as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that would make the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.

Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.

There does not seem to be clarity however on what would constitute a significant number of users and whether this determination is to be based upon the total number of users in an EU member country as a proportion of the population of the country or is it to be considered as a proportion of the total number of customers the service provider has worldwide. To explain this further let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.^{^[15]} If there is a situation where 10 million of these 100 million subscribers are located in countries other than India, out of which there are about 40 thousand customers in France and another 40 thousand in Malta; then it would lead to some interesting analysis. Now 40 thousand customers in a customer base of 100 million is 0.04% of the total customer base of the service provider which generally speaking would not constitute a “significant number”. However if we reckon the 40 thousand customers from the point of view of the total population of the country of Malta, which is approximately 4.75 Lakh,^{^[16]} it would mean approx. 8.4% of the total population of Malta. It is unlikely that any service affecting almost a tenth of the population of the entire country can be labeled as not having a significant number of users in Malta. If the same math is done on the population of a country such as France, which has a population of approx. 67.3 million,^{^[17]} then the figure would be 0.05% of the total population; would that constitute a significant number as per the E-evidence Proposal.

The issues discussed above are very important for any service provider, specially a small or medium sized company since the determination of whether the E-evidence Proposal applies to them or not, apart from any potential legal implications, imposes a direct economic cost for designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or e-Privacy representatives in addition to the legal representative provided for by the E-evidence Directive).^{^[18]}

In case all the above issues are determined to be in favour of the E-evidence Directive being applicable to an Indian company and the company designates a legal representative in an EU member country, then it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the except disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“IT Act”) as under:

“’law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”^{^[19]}

Since the SPDI Rules are issued under the IT Act, therefore the term “law” referred as used in the would have to be read as defined in the IT Act (unless court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may not have any option except to raise an objection and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, which process itself could mean a significant expenditure on the part of such a company.

Conclusion

The framework sought to be established by the European Union through the E-evidence Proposal seeks to establish a regime different from those favoured by countries such as the United States which favours Mutual Agreements with (presumably) key nations or the push for data localisation being favoured by countries such as India, to streamline the process of access to digital data. Since the regime put forth by the EU is still only at the proposal stage, there may yet be changes which could clarify the regime significantly. However, as things stand Indian companies may be affected by the E-evidence Proposal in the following ways:

Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;
Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;
In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.
If a legal representative is designated by the Indian company they may have to incur significant costs on maintaining a legal representative especially in a situation where they have to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put forth their (Indian law related) concerns before the competent authority so that they are not forced to fall foul of their legal obligations in either jurisdiction. It is also unclear the extent to which appointed legal representatives from Indian companies could challenge or push back against requests received.

Disclaimer: The author of this Article is an Indian trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.

^{^[1]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[2]} Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:

“‘subscriber data’ means any data pertaining to:

(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;

(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”

^{^[3]} The term access data has been defined in Article 2(8) as follows:

“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”

^{^[4]} The term content data has been defined in Article 2 (10) as follows:

“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”

^{^[5]} The term transactional data has been defined in Article 2(9) as follows:

“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitues access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”

^{^[6]} Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN.

^{^[7]} Articles 9(4) and 10(5) of the Regulation.

^{^[8]} Article 10(5) of the Regulation.

^{^[9]} Article 15 of the Regulation.

^{^[10]} Article 16 of the Regulation. Also see https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/.

^{^[11]} Article 2(4) of the Directive establishing European Electronic Communications Code provides as under:

‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”

^{^[12]} Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

^{^[13]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[14]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[15]} Hotstar already has an active customer base of 75 million, as of December, 2017; https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500

^{^[16]} https://en.wikipedia.org/wiki/Malta

^{^[17]} https://en.wikipedia.org/wiki/France

^{^[18]} Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN.

^{^[19]} Section 2(y) of the Information Technology Act, 2000.

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law

European Court of Justice rules Internet Search Engine Operator responsible for Processing Personal Data Published by Third Parties

jyoti — 2014-05-14T14:18:46Z

The Court of Justice of the European Union has ruled that an "an internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties.” The decision adds to the conundrum of maintaining a balance between freedom of expression, protecting personal data and intermediary liability.

The ruling is expected to have considerable impact on reputation and privacy related takedown requests as under the decision, data subjects may approach the operator directly seeking removal of links to web pages containing personal data. Currently, users prove whether data needs to be kept online—the new rules reverse the burden of proof, placing an obligation on companies, rather than users for content regulation.

A win for privacy?

The ECJ ruling addresses Mario Costeja González complaint filed in 2010, against Google Spain and Google Inc., requesting that personal data relating to him appearing in search results be protected and that data which was no longer relevant be removed. Referring to the Directive 95/46/EC of the European Parliament, the court said, that Google and other search engine operators should be considered 'controllers' of personal data. Following the decision, Google will be required to consider takedown requests of personal data, regardless of the fact that processing of such data is carried out without distinction in respect of information other than the personal data.

The decision—which cannot be appealed—raises important of questions of how this ruling will be applied in practice and its impact on the information available online in countries outside the European Union. The decree forces search engine operators such as Google, Yahoo and Microsoft's Bing to make judgement calls on the fairness of the information published through their services that reach over 500 million people across the twenty eight nation bloc of EU.

ECJ rules that search engines 'as a general rule,' should place the right to privacy above the right to information by the public. Under the verdict, links to irrelevant and out of date data need to be erased upon request, placing search engines in the role of controllers of information—beyond the role of being an arbitrator that linked to data that already existed in the public domain. The verdict is directed at highlighting the power of search engines to retrieve controversial information while limiting their capacity to do so in the future.

The ruling calls for maintaining a balance in addressing the legitimate interest of internet users in accessing personal information and upholding the data subject’s fundamental rights, but does not directly address either issues. The court also recognised, that the data subject's rights override the interest of internet users, however, with exceptions pertaining to nature of information, its sensitivity for the data subject's private life and the role of the data subject in public life. Acknowledging that data belongs to the individual and is not the right of the company, European Commissioner Viviane Reding, hailed the verdict, "a clear victory for the protection of personal data of Europeans".

The Court stated that if data is deemed irrelevant at the time of the case, even if it has been lawfully processed initially, it must be removed and that the data subject has the right to approach the operator directly for the removal of such content. The liability issue is further complicated by the fact, that search engines such as Google do not publish the content rather they point to information that already exists in the public domain—raising questions of the degree of liability on account of third party content displayed on their services.

The ECJ ruling is based on the case originally filed against Google, Spain and it is important to note that, González argued that searching for his name linked to two pages originally published in 1998, on the website of the Spanish newspaper La Vanguardia. The Spanish Data Protection Agency did not require La Vanguardia to take down the pages, however, it did order Google to remove links to them. Google appealed this decision, following which the National High Court of Spain sought advice from the European court. The definition of Google as the controller of information, raises important questions related to the distinction between liability of publishers and the liability of processors of information such as search engines.

The 'right to be forgotten'

The decision also brings to the fore, the ongoing debate and fragmented opinions within the EU, on the right of the individual to be forgotten. The 'right to be forgotten' has evolved from the European Commission's wide-ranging plans of an overhaul of the commission's 1995 Data Protection Directive. The plans for the law included allowing people to request removal of personal data with an obligation of compliance for service providers, unless there were 'legitimate' reasons to do otherwise. Technology firms rallying around issues of freedom of expression and censorship, have expressed concerns about the reach of the bill. Privacy-rights activist and European officials have upheld the notion of the right to be forgotten, highlighting the right of the individual to protect their honour and reputation.

These issues have been controversial amidst EU member states with the UK's Ministry of Justice claiming the law 'raises unrealistic and unfair expectations' and has sought to opt-out of the privacy laws. The Advocate General of the European Court Niilo Jääskinen's opinion, that the individual's right to seek removal of content should not be upheld if the information was published legally, contradicts the verdict of the ECJ ruling. The European Court of Justice's move is surprising for many and as Richard Cumbley, information-management and data protection partner at the law firm Linklaters puts it, “Given that the E.U. has spent two years debating this right as part of the reform of E.U. privacy legislation, it is ironic that the E.C.J. has found it already exists in such a striking manner."

The economic implications of enforcing a liability regime where search engine operators censor legal content in their results aside, the decision might also have a chilling effect on freedom of expression and access to information. Google called the decision “a disappointing ruling for search engines and online publishers in general,” and that the company would take time to analyze the implications. While the implications of the decision are yet to be determined, it is important to bear in mind that while decisions like these are public, the refinements that Google and other search engines will have to make to its technology and the judgement calls on the fairness of the information available online are not public.

The ECJ press release is available here and the actual judgement is available here.

For more details visit https://cis-india.org/internet-governance/blog/ecj-rules-internet-search-engine-operator-responsible-for-processing-personal-data-published-by-third-parties

EU parliament report slams US surveillance

praskrishna — 2014-02-03T06:13:55Z

Report that outlines need for stringent laws for protecting citizen privacy, democratizing Internet governance holds lessons for India, say analysts.

The article by Moulishree Srivastava and Elizabeth Roche quotes Sunil Abraham. It was published in Livemint on January 17, 2014.

A European Union (EU) parliament report that outlines the need for stringent laws for protecting citizen privacy, democratizing Internet governance and rebuilding trust between Europe and the US holds many lessons for India, analysts and policymakers say.

The US government listened into Indian communications as part of its massive global surveillance, which was exposed last year in leaks to the media. The embassies of France, Italy, Greece, Japan, Mexico, South Korea and Turkey were also subjected to the surveillance put in place after the September 2001 terrorist attacks. According to the external affairs ministry, India has registered its protest at least thrice over the issue with US authorities.

A draft report on the US National Security Agency’s surveillance programme by the European parliament’s committee on civil liberties, justice and home affairs states that trust between the two transatlantic partners, trust among EU member-states, and trust between citizens and their governments were profoundly shaken because of the spying, and to rebuild trust in all these dimensions a comprehensive plan was urgently needed.

"It is very doubtful that data collection of such magnitude is only guided by the fight against terrorism, as it involves the collection of all possible data of all citizens; points therefore to the possible existence of other power motives such as political and economic espionage," says the report.

The report recommends prohibiting blanket mass surveillance activities and bulk processing of personal data, and asks EU member-states, including the UK, Germany, France, Sweden and the Netherlands, to revise their national legislation and practices governing the activities of intelligence services to ensure that they are in line with the standards of the European Convention on Human Rights.

It also calls on the US to revise its legislation without delay in order to bring it in line with international law, recognizing privacy and other rights as well as providing for judicial redress for EU citizens.

"The American approach to privacy regulation has been deeply flawed. The US dominance over the Internet affects the structure and substance of Internet governance and among other human rights, the right to privacy," said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based not-for-profit research organization. "The (EU) report, if implemented, may change the future of Internet governance by deepening the existing leadership provided by the EU in promoting their privacy standards globally."

On India’s rather restrained reaction to the spying, he said, “It is a tragedy that our politicians are not as proactive when it comes to protecting our rights. While India has only focused on changing its official email policy after the revelations of mass surveillance, it has done nothing as concrete and comprehensive as EU."

"There is neither the recognition of (the) pervasive nature of global mass surveillance, nor is there full appreciation (of) the damaging consequences," Abraham added.

J. Satyanarayana, secretary in India’s department of electronics and information technology, said the concerns over privacy are the same for India as for the EU, but declined to comment on what preventive steps the government is implementing due to security reasons. The EU report called for concluding the EU-US umbrella pact, a framework agreement on data protection in the field of police and judicial cooperation, to ensure proper redress mechanisms for EU citizens in the event of data transfers from the EU to the US for law enforcement purposes. The report asks EU policymakers not to initiate any new sectoral agreements or arrangements for the transfer of personal data for law enforcement purposes and suggests suspending the terrorist finance tracking programme until the umbrella agreement negotiations are concluded.

"EU wants to use EU-US umbrella agreement...to raise the US standards, to ensure the rights of EU citizens and perhaps all the citizens. All humans will need protection under US law as is currently the case in the EU,” said Abraham. “The prohibition of blanket surveillance that the report recommends will hopefully apply to all citizens regardless of their nationality."

The draft report goes as far as suggesting suspending Safe Harbour, the legal instrument used for the transfer of EU personal data to the US through Google, Microsoft, Yahoo, Facebook, Apple and LinkedIn, until a full review has been conducted and current loopholes are plugged. The report’s proposals and recommendations are likely to be implemented after election to the European parliament in May.

In addition to reforms in the existing systems, the report outlines the importance of development of European clouds as it notes that trust in US cloud computing and cloud services providers has been affected by the surveillance practices.

"Three of the major computerized reservation systems used by airlines worldwide are based in the US and that PNR (passenger name record) data are saved in cloud systems operating on US soil under US law...lacks data protection adequacy," states the report.

C.U. Bhaskar, analyst with the South Asia Monitor think tank, was of the view that India had “adequately” responded to the US through quiet diplomacy.

"It is unlikely that the US will give up cyber surveillance,” he said, adding, “We should acquire our own capacity to ensure adequate defensive and offensive firewalls and build up appropriate capacity for our cyber programmes."

"Given our expertise in the IT (information technology) sector, as an analyst my opinion is that we have a reasonable capacity to build up our capabilities," Bhaskar added.

For more details visit https://cis-india.org/news/livemint-january-17-2014-moulishree-srivastava-elizabeth-roche-eu-parliament-slams-us-surveillance

Ethical Research Guidelines

praskrishna — 2018-10-13T12:21:48Z

The Centre for Internet and Society will endeavour to protect the physical, social and psychological well-being of those who participate in their research. The guidelines below state the necessary steps to follow while doing research.

The ethical research guideline requires CIS staff and consultants to consider and take the following steps while engaging in research.

Providing notice to the individual of the: Aims, methods, his/her right to abstain from participation in the research and his/her right to terminate at any time his/her participation; the confidential nature of his/her replies and any limits on such confidentiality.
Providing informants and other participants the right to remain anonymous.
Taking informed consent from the individual that he/she agrees to participate. If children are involved in the research, informed consent will be taken from the parents. Informed consent will entail communicating :
- Purpose(s) of the study, and the anticipated consequences of the research;
- Identity of funders and sponsors
- Anticipated uses of the data
- The degree of anonymity and confidentiality which may be afforded to informants and subjects.
Ensuring that when audio/visual-recorders and photographic records are being used, participants that are being recorded will be made aware of the use of the devices, and have the option to request that they not be used.
Ensuring that the identity and identifying information of the participant (if not already in the public domain) is destroyed at the end of project, unless the individual has consented to otherwise.
At public events organized by CIS, it will be announced and publicly posted that the event is being recorded. Individuals will be given the choice object to being recorded or their name and organization shared in conference reports, blogs, articles etc. If the individual does not object, it will be considered that they have given their consent.
The Centre for Internet and Society strictly follows a policy of No Plagiarism.

For more details visit https://cis-india.org/about/policies/ethical-research-guidelines